# Flog Txt Version 1
# Analyzer Version: 4.6.0
# Analyzer Build Date: Jul 8 2022 06:26:21
# Log Creation Date: 05.08.2022 20:04:15.466
Process:
id = "1"
image_name = "da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
page_root = "0x388c3000"
os_pid = "0x138c"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "analysis_target"
parent_id = "0"
os_parent_pid = "0x7b4"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe\" "
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 117
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 118
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 119
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 120
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 121
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 122
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 123
start_va = 0x1b0000
end_va = 0x1b1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 124
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 125
start_va = 0x400000
end_va = 0x49dfff
monitored = 1
entry_point = 0x499162
region_type = mapped_file
name = "da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe")
Region:
id = 126
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 127
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 128
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 129
start_va = 0x7fff0000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 130
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 131
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 270
start_va = 0x4a0000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 271
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 272
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 273
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 274
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 275
start_va = 0x4a0000
end_va = 0x59ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 276
start_va = 0x610000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 277
start_va = 0x6f8e0000
end_va = 0x6f938fff
monitored = 1
entry_point = 0x6f8f0780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 278
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 279
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 280
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 281
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 282
start_va = 0x620000
end_va = 0x6ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 283
start_va = 0x6e0000
end_va = 0x88ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006e0000"
filename = ""
Region:
id = 284
start_va = 0x73e50000
end_va = 0x73ee1fff
monitored = 0
entry_point = 0x73e90380
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 285
start_va = 0x7fb00000
end_va = 0x7fea0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sysmain.sdb"
filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb")
Region:
id = 286
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 287
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 288
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 289
start_va = 0x1c0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 290
start_va = 0x6e0000
end_va = 0x7dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006e0000"
filename = ""
Region:
id = 291
start_va = 0x880000
end_va = 0x88ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000880000"
filename = ""
Region:
id = 292
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 293
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 294
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 295
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 296
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 297
start_va = 0x890000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000890000"
filename = ""
Region:
id = 298
start_va = 0x6f860000
end_va = 0x6f8dcfff
monitored = 1
entry_point = 0x6f870db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 299
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 300
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 301
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 302
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 303
start_va = 0x5a0000
end_va = 0x5c9fff
monitored = 0
entry_point = 0x5a5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 304
start_va = 0x940000
end_va = 0xac7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000940000"
filename = ""
Region:
id = 305
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 306
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 307
start_va = 0x5a0000
end_va = 0x5a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 308
start_va = 0xad0000
end_va = 0xc50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ad0000"
filename = ""
Region:
id = 309
start_va = 0xc60000
end_va = 0x205ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c60000"
filename = ""
Region:
id = 310
start_va = 0x7e0000
end_va = 0x877fff
monitored = 1
entry_point = 0x879162
region_type = mapped_file
name = "da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe")
Region:
id = 311
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 312
start_va = 0x6f980000
end_va = 0x6f987fff
monitored = 0
entry_point = 0x6f9817b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 313
start_va = 0x6f170000
end_va = 0x6f850fff
monitored = 1
entry_point = 0x6f19cd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 314
start_va = 0x6f070000
end_va = 0x6f164fff
monitored = 0
entry_point = 0x6f0c4160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 315
start_va = 0x5b0000
end_va = 0x5b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005b0000"
filename = ""
Region:
id = 316
start_va = 0x5c0000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005c0000"
filename = ""
Region:
id = 317
start_va = 0x5d0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 318
start_va = 0x5e0000
end_va = 0x5effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 319
start_va = 0x5f0000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 320
start_va = 0x600000
end_va = 0x60ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 321
start_va = 0x7e0000
end_va = 0x7effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007e0000"
filename = ""
Region:
id = 322
start_va = 0x7f0000
end_va = 0x7f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007f0000"
filename = ""
Region:
id = 323
start_va = 0x800000
end_va = 0x800fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000800000"
filename = ""
Region:
id = 324
start_va = 0x810000
end_va = 0x83ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000810000"
filename = ""
Region:
id = 325
start_va = 0x890000
end_va = 0x91ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000890000"
filename = ""
Region:
id = 326
start_va = 0x930000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 327
start_va = 0x840000
end_va = 0x87ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000840000"
filename = ""
Region:
id = 328
start_va = 0x2060000
end_va = 0x215ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002060000"
filename = ""
Region:
id = 329
start_va = 0x810000
end_va = 0x81ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000810000"
filename = ""
Region:
id = 330
start_va = 0x830000
end_va = 0x83ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000830000"
filename = ""
Region:
id = 331
start_va = 0x2160000
end_va = 0x415ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002160000"
filename = ""
Region:
id = 332
start_va = 0x4160000
end_va = 0x41fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 333
start_va = 0x890000
end_va = 0x8cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000890000"
filename = ""
Region:
id = 334
start_va = 0x910000
end_va = 0x91ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000910000"
filename = ""
Region:
id = 335
start_va = 0x4200000
end_va = 0x42fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 336
start_va = 0x4300000
end_va = 0x4636fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 337
start_va = 0x6d430000
end_va = 0x6e6e1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 338
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 339
start_va = 0x4640000
end_va = 0x46d0fff
monitored = 0
entry_point = 0x4678cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 340
start_va = 0x72cb0000
end_va = 0x72d24fff
monitored = 0
entry_point = 0x72ce9a60
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 341
start_va = 0x4640000
end_va = 0x476ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004640000"
filename = ""
Region:
id = 342
start_va = 0x810000
end_va = 0x81ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000810000"
filename = ""
Region:
id = 343
start_va = 0x6eff0000
end_va = 0x6f06ffff
monitored = 1
entry_point = 0x6eff1180
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 344
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 345
start_va = 0x820000
end_va = 0x82ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000820000"
filename = ""
Region:
id = 346
start_va = 0x6ca60000
end_va = 0x6d42bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 347
start_va = 0x6ee60000
end_va = 0x6efeefff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.drawing.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\system.drawing.ni.dll")
Region:
id = 348
start_va = 0x6bdf0000
end_va = 0x6ca56fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.windows.forms.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\system.windows.forms.ni.dll")
Region:
id = 349
start_va = 0x6b6c0000
end_va = 0x6bde0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 350
start_va = 0x6af30000
end_va = 0x6b6b6fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.data.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Data\\6e322d1b2e3358fa90494bffbe32cbf2\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.data\\6e322d1b2e3358fa90494bffbe32cbf2\\system.data.ni.dll")
Region:
id = 351
start_va = 0x6eb20000
end_va = 0x6ee5efff
monitored = 1
entry_point = 0x6ee45696
region_type = mapped_file
name = "system.data.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll")
Region:
id = 352
start_va = 0x73f30000
end_va = 0x73f8efff
monitored = 0
entry_point = 0x73f34af0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")
Region:
id = 353
start_va = 0x73f90000
end_va = 0x74107fff
monitored = 0
entry_point = 0x73fe8a90
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 354
start_va = 0x764c0000
end_va = 0x764cdfff
monitored = 0
entry_point = 0x764c5410
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 355
start_va = 0x4770000
end_va = 0x4aabfff
monitored = 1
entry_point = 0x4a95696
region_type = mapped_file
name = "system.data.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll")
Region:
id = 356
start_va = 0x8d0000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008d0000"
filename = ""
Region:
id = 357
start_va = 0x8d0000
end_va = 0x8dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008d0000"
filename = ""
Region:
id = 358
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 359
start_va = 0x8e0000
end_va = 0x8effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008e0000"
filename = ""
Region:
id = 360
start_va = 0x8f0000
end_va = 0x8f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008f0000"
filename = ""
Region:
id = 361
start_va = 0x8f0000
end_va = 0x8f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008f0000"
filename = ""
Region:
id = 362
start_va = 0x4640000
end_va = 0x46cefff
monitored = 0
entry_point = 0x464dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 363
start_va = 0x4760000
end_va = 0x476ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004760000"
filename = ""
Region:
id = 364
start_va = 0x6ea80000
end_va = 0x6eb11fff
monitored = 0
entry_point = 0x6ea8dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 365
start_va = 0x4640000
end_va = 0x467ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004640000"
filename = ""
Region:
id = 366
start_va = 0x920000
end_va = 0x920fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000920000"
filename = ""
Region:
id = 367
start_va = 0x4680000
end_va = 0x473bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004680000"
filename = ""
Region:
id = 368
start_va = 0x920000
end_va = 0x923fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000920000"
filename = ""
Region:
id = 369
start_va = 0x4640000
end_va = 0x4643fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004640000"
filename = ""
Region:
id = 370
start_va = 0x4670000
end_va = 0x467ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004670000"
filename = ""
Region:
id = 371
start_va = 0x4770000
end_va = 0x497afff
monitored = 0
entry_point = 0x481b0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 372
start_va = 0x72dd0000
end_va = 0x72fdefff
monitored = 0
entry_point = 0x72e7b0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 373
start_va = 0x4650000
end_va = 0x4650fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 374
start_va = 0x4660000
end_va = 0x4661fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004660000"
filename = ""
Region:
id = 375
start_va = 0x713a0000
end_va = 0x713bcfff
monitored = 0
entry_point = 0x713a3b10
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 376
start_va = 0x4650000
end_va = 0x465ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004650000"
filename = ""
Region:
id = 377
start_va = 0x6e910000
end_va = 0x6ea7afff
monitored = 0
entry_point = 0x6e97e360
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\gdiplus.dll")
Region:
id = 378
start_va = 0x4770000
end_va = 0x493ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004770000"
filename = ""
Region:
id = 379
start_va = 0x4770000
end_va = 0x47affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004770000"
filename = ""
Region:
id = 380
start_va = 0x47b0000
end_va = 0x48affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000047b0000"
filename = ""
Region:
id = 381
start_va = 0x4930000
end_va = 0x493ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004930000"
filename = ""
Region:
id = 382
start_va = 0x764e0000
end_va = 0x765fefff
monitored = 0
entry_point = 0x76525980
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 383
start_va = 0x70b70000
end_va = 0x70d60fff
monitored = 0
entry_point = 0x70c53cd0
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll")
Region:
id = 384
start_va = 0x48b0000
end_va = 0x48f8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 385
start_va = 0x4650000
end_va = 0x4653fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004650000"
filename = ""
Region:
id = 386
start_va = 0x4940000
end_va = 0x593ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 387
start_va = 0x4740000
end_va = 0x4743fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004740000"
filename = ""
Region:
id = 388
start_va = 0x5940000
end_va = 0x5a3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005940000"
filename = ""
Region:
id = 389
start_va = 0x5a40000
end_va = 0x5b3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a40000"
filename = ""
Region:
id = 390
start_va = 0x5b40000
end_va = 0x6031fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005b40000"
filename = ""
Region:
id = 391
start_va = 0x6040000
end_va = 0x60fcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "micross.ttf"
filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf")
Region:
id = 392
start_va = 0x6100000
end_va = 0x64fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006100000"
filename = ""
Region:
id = 393
start_va = 0x6500000
end_va = 0x6561fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 394
start_va = 0x71560000
end_va = 0x7157afff
monitored = 0
entry_point = 0x71569050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 395
start_va = 0x71200000
end_va = 0x71212fff
monitored = 0
entry_point = 0x71209950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 396
start_va = 0x70230000
end_va = 0x7025efff
monitored = 0
entry_point = 0x702495e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 397
start_va = 0x4750000
end_va = 0x475ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004750000"
filename = ""
Region:
id = 398
start_va = 0x6570000
end_va = 0x75affff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 399
start_va = 0x4900000
end_va = 0x4900fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004900000"
filename = ""
Region:
id = 400
start_va = 0x4910000
end_va = 0x491ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004910000"
filename = ""
Region:
id = 401
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004920000"
filename = ""
Region:
id = 402
start_va = 0x4910000
end_va = 0x491ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004910000"
filename = ""
Region:
id = 403
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004920000"
filename = ""
Region:
id = 404
start_va = 0x75b0000
end_va = 0x75bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075b0000"
filename = ""
Region:
id = 405
start_va = 0x75c0000
end_va = 0x75cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075c0000"
filename = ""
Region:
id = 406
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004920000"
filename = ""
Region:
id = 407
start_va = 0x75b0000
end_va = 0x75effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075b0000"
filename = ""
Region:
id = 408
start_va = 0x75f0000
end_va = 0x76effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075f0000"
filename = ""
Region:
id = 409
start_va = 0x76f0000
end_va = 0x86effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000076f0000"
filename = ""
Region:
id = 410
start_va = 0x86f0000
end_va = 0x88bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086f0000"
filename = ""
Region:
id = 411
start_va = 0x88c0000
end_va = 0x98bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000088c0000"
filename = ""
Region:
id = 412
start_va = 0x98c0000
end_va = 0x9c5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000098c0000"
filename = ""
Region:
id = 413
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004920000"
filename = ""
Region:
id = 414
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004920000"
filename = ""
Region:
id = 415
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004920000"
filename = ""
Region:
id = 416
start_va = 0x9c60000
end_va = 0x9c9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009c60000"
filename = ""
Region:
id = 417
start_va = 0x9ca0000
end_va = 0x9d9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009ca0000"
filename = ""
Region:
id = 418
start_va = 0x9da0000
end_va = 0x9ddffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009da0000"
filename = ""
Region:
id = 419
start_va = 0x9de0000
end_va = 0x9edffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009de0000"
filename = ""
Region:
id = 420
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004920000"
filename = ""
Region:
id = 421
start_va = 0x4920000
end_va = 0x4922fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004920000"
filename = ""
Region:
id = 422
start_va = 0x75b0000
end_va = 0x75bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075b0000"
filename = ""
Region:
id = 423
start_va = 0x75b0000
end_va = 0x75bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075b0000"
filename = ""
Region:
id = 424
start_va = 0x75b0000
end_va = 0x75bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075b0000"
filename = ""
Region:
id = 425
start_va = 0x75c0000
end_va = 0x763ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000075c0000"
filename = ""
Region:
id = 426
start_va = 0x6adb0000
end_va = 0x6af22fff
monitored = 0
entry_point = 0x6ae5d220
region_type = mapped_file
name = "windowscodecs.dll"
filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll")
Region:
id = 427
start_va = 0x7640000
end_va = 0x769bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007640000"
filename = ""
Region:
id = 428
start_va = 0x76a0000
end_va = 0x76cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000076a0000"
filename = ""
Region:
id = 429
start_va = 0x76a0000
end_va = 0x76affff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000076a0000"
filename = ""
Region:
id = 430
start_va = 0x76b0000
end_va = 0x76bffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000076b0000"
filename = ""
Region:
id = 431
start_va = 0x76c0000
end_va = 0x76cffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000076c0000"
filename = ""
Region:
id = 432
start_va = 0x9ee0000
end_va = 0x9f3afff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000009ee0000"
filename = ""
Region:
id = 433
start_va = 0x76d0000
end_va = 0x76dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000076d0000"
filename = ""
Region:
id = 434
start_va = 0x6a690000
end_va = 0x6adadfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\4fbda26d781323081b45526da6e87b35\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\4fbda26d781323081b45526da6e87b35\\system.xml.ni.dll")
Region:
id = 435
start_va = 0x76e0000
end_va = 0x76effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000076e0000"
filename = ""
Region:
id = 436
start_va = 0x5e430000
end_va = 0x5e4cbfff
monitored = 1
entry_point = 0x5e4be9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 437
start_va = 0x9f40000
end_va = 0x9fdbfff
monitored = 1
entry_point = 0x9fce9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 438
start_va = 0x9fe0000
end_va = 0x9feffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009fe0000"
filename = ""
Region:
id = 439
start_va = 0x9ff0000
end_va = 0x9ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009ff0000"
filename = ""
Region:
id = 440
start_va = 0xa000000
end_va = 0xa00ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a000000"
filename = ""
Region:
id = 441
start_va = 0xa010000
end_va = 0xa01ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a010000"
filename = ""
Region:
id = 442
start_va = 0xa020000
end_va = 0xa02ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a020000"
filename = ""
Region:
id = 443
start_va = 0xa030000
end_va = 0xa03ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a030000"
filename = ""
Region:
id = 444
start_va = 0xa040000
end_va = 0xa04ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a040000"
filename = ""
Region:
id = 445
start_va = 0xa050000
end_va = 0xa05ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a050000"
filename = ""
Region:
id = 446
start_va = 0xa060000
end_va = 0xa06ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a060000"
filename = ""
Region:
id = 447
start_va = 0xa070000
end_va = 0xa07ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a070000"
filename = ""
Region:
id = 448
start_va = 0xa080000
end_va = 0xa08ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a080000"
filename = ""
Region:
id = 449
start_va = 0xa090000
end_va = 0xa09ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a090000"
filename = ""
Region:
id = 450
start_va = 0xa0a0000
end_va = 0xa0affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0a0000"
filename = ""
Region:
id = 451
start_va = 0xa0b0000
end_va = 0xa0bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0b0000"
filename = ""
Region:
id = 452
start_va = 0xa0c0000
end_va = 0xa0cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0c0000"
filename = ""
Region:
id = 453
start_va = 0xa0d0000
end_va = 0xa0dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0d0000"
filename = ""
Region:
id = 454
start_va = 0xa0e0000
end_va = 0xa0effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0e0000"
filename = ""
Region:
id = 455
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 456
start_va = 0xa100000
end_va = 0xa10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a100000"
filename = ""
Region:
id = 457
start_va = 0xa110000
end_va = 0xa11ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a110000"
filename = ""
Region:
id = 458
start_va = 0xa120000
end_va = 0xa12ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a120000"
filename = ""
Region:
id = 459
start_va = 0x9ff0000
end_va = 0x9ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009ff0000"
filename = ""
Region:
id = 460
start_va = 0xa000000
end_va = 0xa00ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a000000"
filename = ""
Region:
id = 461
start_va = 0xa010000
end_va = 0xa01ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a010000"
filename = ""
Region:
id = 462
start_va = 0x9ff0000
end_va = 0x9ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009ff0000"
filename = ""
Region:
id = 463
start_va = 0xa000000
end_va = 0xa00ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a000000"
filename = ""
Region:
id = 464
start_va = 0xa010000
end_va = 0xa01ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a010000"
filename = ""
Region:
id = 465
start_va = 0x9ff0000
end_va = 0x9ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009ff0000"
filename = ""
Region:
id = 466
start_va = 0xa000000
end_va = 0xa00ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a000000"
filename = ""
Region:
id = 467
start_va = 0xa010000
end_va = 0xa01ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a010000"
filename = ""
Region:
id = 468
start_va = 0xa020000
end_va = 0xa02ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a020000"
filename = ""
Region:
id = 469
start_va = 0xa030000
end_va = 0xa03ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a030000"
filename = ""
Region:
id = 470
start_va = 0xa040000
end_va = 0xa04ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a040000"
filename = ""
Region:
id = 471
start_va = 0xa050000
end_va = 0xa05ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a050000"
filename = ""
Region:
id = 472
start_va = 0xa060000
end_va = 0xa06ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a060000"
filename = ""
Region:
id = 473
start_va = 0xa070000
end_va = 0xa07ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a070000"
filename = ""
Region:
id = 474
start_va = 0xa080000
end_va = 0xa08ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a080000"
filename = ""
Region:
id = 475
start_va = 0xa090000
end_va = 0xa09ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a090000"
filename = ""
Region:
id = 476
start_va = 0xa0a0000
end_va = 0xa0affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0a0000"
filename = ""
Region:
id = 477
start_va = 0xa0b0000
end_va = 0xa0bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0b0000"
filename = ""
Region:
id = 478
start_va = 0xa0c0000
end_va = 0xa0cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0c0000"
filename = ""
Region:
id = 479
start_va = 0xa0d0000
end_va = 0xa0dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0d0000"
filename = ""
Region:
id = 480
start_va = 0xa0e0000
end_va = 0xa0effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0e0000"
filename = ""
Region:
id = 481
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 482
start_va = 0x9ff0000
end_va = 0xa0effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009ff0000"
filename = ""
Region:
id = 483
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 484
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 485
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 486
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 487
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 488
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 489
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 490
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 491
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 492
start_va = 0xa0f0000
end_va = 0xa0fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a0f0000"
filename = ""
Region:
id = 493
start_va = 0xa100000
end_va = 0xa10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a100000"
filename = ""
Region:
id = 494
start_va = 0xa100000
end_va = 0xa10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a100000"
filename = ""
Region:
id = 495
start_va = 0xa100000
end_va = 0xa10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a100000"
filename = ""
Region:
id = 496
start_va = 0xa100000
end_va = 0xa10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a100000"
filename = ""
Region:
id = 497
start_va = 0xa110000
end_va = 0xa11ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a110000"
filename = ""
Region:
id = 498
start_va = 0xa100000
end_va = 0xa10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a100000"
filename = ""
Region:
id = 499
start_va = 0x74eb0000
end_va = 0x762aefff
monitored = 0
entry_point = 0x7506b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 500
start_va = 0x76800000
end_va = 0x76836fff
monitored = 0
entry_point = 0x76803b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 501
start_va = 0x1c0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 502
start_va = 0x6e0000
end_va = 0x7dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006e0000"
filename = ""
Region:
id = 503
start_va = 0x745b0000
end_va = 0x74aa8fff
monitored = 0
entry_point = 0x747b7610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 504
start_va = 0x74520000
end_va = 0x745acfff
monitored = 0
entry_point = 0x74569b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 505
start_va = 0x76470000
end_va = 0x764b3fff
monitored = 0
entry_point = 0x76477410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 506
start_va = 0x73f20000
end_va = 0x73f2efff
monitored = 0
entry_point = 0x73f22e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 507
start_va = 0xa110000
end_va = 0xa110fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a110000"
filename = ""
Region:
id = 508
start_va = 0x6e8e0000
end_va = 0x6e907fff
monitored = 0
entry_point = 0x6e8e7820
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 509
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 510
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 511
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 512
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 513
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 514
start_va = 0x6e860000
end_va = 0x6e8d0fff
monitored = 0
entry_point = 0x6e8b69e0
region_type = mapped_file
name = "efswrt.dll"
filename = "\\Windows\\SysWOW64\\efswrt.dll" (normalized: "c:\\windows\\syswow64\\efswrt.dll")
Region:
id = 515
start_va = 0x6fd40000
end_va = 0x6fe07fff
monitored = 0
entry_point = 0x6fdaae90
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll")
Region:
id = 516
start_va = 0x6e810000
end_va = 0x6e858fff
monitored = 0
entry_point = 0x6e816450
region_type = mapped_file
name = "edputil.dll"
filename = "\\Windows\\SysWOW64\\edputil.dll" (normalized: "c:\\windows\\syswow64\\edputil.dll")
Region:
id = 517
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 518
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 519
start_va = 0x6a570000
end_va = 0x6a68cfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\98d3949f9ba1a384939805aa5e47e933\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\98d3949f9ba1a384939805aa5e47e933\\system.management.ni.dll")
Region:
id = 520
start_va = 0x4160000
end_va = 0x419ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 521
start_va = 0xa130000
end_va = 0xa22ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a130000"
filename = ""
Region:
id = 522
start_va = 0x6fbb0000
end_va = 0x6fcfafff
monitored = 0
entry_point = 0x6fc11660
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 523
start_va = 0x41a0000
end_va = 0x41dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041a0000"
filename = ""
Region:
id = 524
start_va = 0x41e0000
end_va = 0x41e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000041e0000"
filename = ""
Region:
id = 525
start_va = 0xa230000
end_va = 0xa32ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a230000"
filename = ""
Region:
id = 526
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 527
start_va = 0x6f990000
end_va = 0x6fbabfff
monitored = 0
entry_point = 0x6fb5bc40
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")
Region:
id = 528
start_va = 0x41f0000
end_va = 0x41f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000041f0000"
filename = ""
Region:
id = 529
start_va = 0xa330000
end_va = 0xa36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a330000"
filename = ""
Region:
id = 530
start_va = 0xa370000
end_va = 0xa46ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a370000"
filename = ""
Region:
id = 531
start_va = 0xa470000
end_va = 0xa473fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 532
start_va = 0xa480000
end_va = 0xa493fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db")
Region:
id = 533
start_va = 0xa4a0000
end_va = 0xa4a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a4a0000"
filename = ""
Region:
id = 534
start_va = 0xa470000
end_va = 0xa473fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 535
start_va = 0xa4b0000
end_va = 0xa4f4fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 536
start_va = 0xa500000
end_va = 0xa503fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 537
start_va = 0xa510000
end_va = 0xa59dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 538
start_va = 0xa5a0000
end_va = 0xa5b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui")
Region:
id = 539
start_va = 0xa5c0000
end_va = 0xa5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a5c0000"
filename = ""
Region:
id = 540
start_va = 0xa600000
end_va = 0xa6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a600000"
filename = ""
Region:
id = 541
start_va = 0x717a0000
end_va = 0x7191dfff
monitored = 0
entry_point = 0x7181c630
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 542
start_va = 0x73b80000
end_va = 0x73e4afff
monitored = 0
entry_point = 0x73dbc4c0
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 543
start_va = 0xa700000
end_va = 0xa700fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a700000"
filename = ""
Region:
id = 1190
start_va = 0x4160000
end_va = 0x416ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004160000"
filename = ""
Region:
id = 1191
start_va = 0x4170000
end_va = 0x417ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004170000"
filename = ""
Region:
id = 1192
start_va = 0x4180000
end_va = 0x418ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004180000"
filename = ""
Region:
id = 1193
start_va = 0x4190000
end_va = 0x419ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004190000"
filename = ""
Region:
id = 1194
start_va = 0xa130000
end_va = 0xa13ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a130000"
filename = ""
Region:
id = 1195
start_va = 0xa140000
end_va = 0xa14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a140000"
filename = ""
Region:
id = 1196
start_va = 0xa150000
end_va = 0xa15ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a150000"
filename = ""
Region:
id = 1197
start_va = 0xa160000
end_va = 0xa16ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a160000"
filename = ""
Region:
id = 1198
start_va = 0xa170000
end_va = 0xa17ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a170000"
filename = ""
Region:
id = 1199
start_va = 0xa180000
end_va = 0xa18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a180000"
filename = ""
Region:
id = 1200
start_va = 0xa190000
end_va = 0xa19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a190000"
filename = ""
Region:
id = 1201
start_va = 0xa1a0000
end_va = 0xa1affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a1a0000"
filename = ""
Region:
id = 1202
start_va = 0xa1b0000
end_va = 0xa1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a1b0000"
filename = ""
Region:
id = 1203
start_va = 0xa1c0000
end_va = 0xa1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a1c0000"
filename = ""
Region:
id = 1204
start_va = 0xa1d0000
end_va = 0xa1dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a1d0000"
filename = ""
Region:
id = 1205
start_va = 0xa1e0000
end_va = 0xa1effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a1e0000"
filename = ""
Region:
id = 1206
start_va = 0xa1f0000
end_va = 0xa1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a1f0000"
filename = ""
Region:
id = 1207
start_va = 0xa200000
end_va = 0xa20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a200000"
filename = ""
Region:
id = 1208
start_va = 0xa210000
end_va = 0xa21ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a210000"
filename = ""
Region:
id = 1210
start_va = 0x4170000
end_va = 0x417dfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004170000"
filename = ""
Region:
id = 1211
start_va = 0x4180000
end_va = 0x418ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004180000"
filename = ""
Region:
id = 1213
start_va = 0x4190000
end_va = 0x419ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004190000"
filename = ""
Region:
id = 1214
start_va = 0x4190000
end_va = 0x419ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004190000"
filename = ""
Region:
id = 1215
start_va = 0xa130000
end_va = 0xa13ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a130000"
filename = ""
Region:
id = 1216
start_va = 0xa140000
end_va = 0xa14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a140000"
filename = ""
Region:
id = 1217
start_va = 0xa150000
end_va = 0xa15ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a150000"
filename = ""
Region:
id = 1263
start_va = 0xa130000
end_va = 0xa16ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a130000"
filename = ""
Region:
id = 1264
start_va = 0xa710000
end_va = 0xa80ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a710000"
filename = ""
Thread:
id = 1
os_tid = 0x1390
[0102.465] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0103.340] RoInitialize () returned 0x1
[0103.341] RoUninitialize () returned 0x0
[0109.756] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x5030a0
[0109.758] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x503458
[0110.644] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ddf0 | out: phkResult=0x19ddf0*=0x0) returned 0x2
[0110.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x19ee68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77
[0110.742] IsAppThemed () returned 0x1
[0110.747] CoTaskMemAlloc (cb=0xf0) returned 0x4f3b70
[0110.747] CreateActCtxA (pActCtx=0x19f3ac) returned 0x506a6c
[0111.154] CoTaskMemFree (pv=0x4f3b70)
[0111.177] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1de
[0111.178] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1dd
[0111.221] GetSystemMetrics (nIndex=75) returned 1
[0111.253] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0112.081] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x6ea80000
[0112.378] AdjustWindowRectEx (in: lpRect=0x19f3ec, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x19f3ec) returned 1
[0112.381] GetCurrentProcess () returned 0xffffffff
[0112.381] GetCurrentThread () returned 0xfffffffe
[0112.381] GetCurrentProcess () returned 0xffffffff
[0112.381] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19f304, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19f304*=0x280) returned 1
[0112.384] GetCurrentThreadId () returned 0x1390
[0112.421] GetCurrentActCtx (in: lphActCtx=0x19f264 | out: lphActCtx=0x19f264*=0x0) returned 1
[0112.421] ActivateActCtx (in: hActCtx=0x506a6c, lpCookie=0x19f274 | out: hActCtx=0x506a6c, lpCookie=0x19f274) returned 1
[0112.421] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0114.012] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x72dd0000
[0114.179] GetModuleHandleW (lpModuleName="user32.dll") returned 0x743d0000
[0114.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x19f128, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWÿkÑ°\\{(ú\x17ohö\x19", lpUsedDefaultChar=0x0) returned 14
[0114.180] GetProcAddress (hModule=0x743d0000, lpProcName="DefWindowProcW") returned 0x73e807e0
[0114.181] GetStockObject (i=5) returned 0x1900015
[0114.185] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0114.188] CoTaskMemAlloc (cb=0x5c) returned 0x4fb148
[0114.188] RegisterClassW (lpWndClass=0x19f118) returned 0xc1d9
[0114.189] CoTaskMemFree (pv=0x4fb148)
[0114.189] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0114.190] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffd, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x502aa
[0114.192] SetWindowLongW (hWnd=0x502aa, nIndex=-4, dwNewLong=1944586208) returned 9438710
[0114.201] GetWindowLongW (hWnd=0x502aa, nIndex=-4) returned 1944586208
[0114.202] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e97c | out: phkResult=0x19e97c*=0x29c) returned 0x0
[0114.203] RegQueryValueExW (in: hKey=0x29c, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x19e99c, lpData=0x0, lpcbData=0x19e998*=0x0 | out: lpType=0x19e99c*=0x0, lpData=0x0, lpcbData=0x19e998*=0x0) returned 0x2
[0114.203] RegQueryValueExW (in: hKey=0x29c, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x19e99c, lpData=0x0, lpcbData=0x19e998*=0x0 | out: lpType=0x19e99c*=0x0, lpData=0x0, lpcbData=0x19e998*=0x0) returned 0x2
[0114.203] RegCloseKey (hKey=0x29c) returned 0x0
[0114.210] SetWindowLongW (hWnd=0x502aa, nIndex=-4, dwNewLong=9438750) returned 1944586208
[0114.210] GetWindowLongW (hWnd=0x502aa, nIndex=-4) returned 9438750
[0114.210] GetWindowLongW (hWnd=0x502aa, nIndex=-16) returned 113311744
[0114.211] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc14b
[0114.211] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x502aa, Msg=0x24, wParam=0x0, lParam=0x19ec94) returned 0x0
[0114.212] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1d7
[0114.212] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x502aa, Msg=0x81, wParam=0x0, lParam=0x19ec88) returned 0x1
[0114.213] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x502aa, Msg=0x83, wParam=0x0, lParam=0x19ec74) returned 0x0
[0114.531] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x502aa, Msg=0x1, wParam=0x0, lParam=0x19ec88) returned 0x0
[0114.532] GetClientRect (in: hWnd=0x502aa, lpRect=0x19e9b4 | out: lpRect=0x19e9b4) returned 1
[0114.532] GetWindowRect (in: hWnd=0x502aa, lpRect=0x19e9b4 | out: lpRect=0x19e9b4) returned 1
[0114.535] GetParent (hWnd=0x502aa) returned 0x0
[0114.535] DeactivateActCtx (dwFlags=0x0, ulCookie=0x1aee0001) returned 1
[0114.687] GetSystemDefaultLCID () returned 0x409
[0114.687] GetStockObject (i=17) returned 0x10a0047
[0114.689] GetObjectW (in: h=0x10a0047, c=92, pv=0x19f0e0 | out: pv=0x19f0e0) returned 92
[0114.690] GetDC (hWnd=0x0) returned 0xc0100ae
[0115.564] GdiplusStartup (in: token=0x5f5ef0, input=0x19e698, output=0x19e6e8 | out: token=0x5f5ef0, output=0x19e6e8) returned 0x0
[0115.574] CoTaskMemAlloc (cb=0x5c) returned 0x4fb148
[0116.292] GdipCreateFontFromLogfontW (hdc=0xc0100ae, logfont=0x4fb148, font=0x19f1a8) returned 0x0
[0117.072] CoTaskMemFree (pv=0x4fb148)
[0117.073] CoTaskMemAlloc (cb=0x5c) returned 0x4fafa8
[0117.073] CoTaskMemFree (pv=0x4fafa8)
[0117.073] CoTaskMemAlloc (cb=0x5c) returned 0x4fb280
[0117.073] CoTaskMemFree (pv=0x4fb280)
[0117.074] GdipGetFontUnit (font=0x4931f08, unit=0x19f174) returned 0x0
[0117.074] GdipGetFontSize (font=0x4931f08, size=0x19f178) returned 0x0
[0117.074] GdipGetFontStyle (font=0x4931f08, style=0x19f170) returned 0x0
[0117.075] GdipGetFamily (font=0x4931f08, family=0x19f16c) returned 0x0
[0117.075] GdipGetFontSize (font=0x4931f08, size=0x2169878) returned 0x0
[0117.076] ReleaseDC (hWnd=0x0, hDC=0xc0100ae) returned 1
[0117.076] GetDC (hWnd=0x0) returned 0x12010942
[0117.076] GdipCreateFromHDC (hdc=0x12010942, graphics=0x19f190) returned 0x0
[0117.091] GdipGetDpiY (graphics=0x5a4f268, dpi=0x2169980) returned 0x0
[0117.091] GdipGetFontHeight (font=0x4931f08, graphics=0x5a4f268, height=0x19f188) returned 0x0
[0117.092] GdipGetEmHeight (family=0x5a44f48, style=0, EmHeight=0x19f190) returned 0x0
[0117.092] GdipGetLineSpacing (family=0x5a44f48, style=0, LineSpacing=0x19f190) returned 0x0
[0117.092] GdipDeleteGraphics (graphics=0x5a4f268) returned 0x0
[0117.093] ReleaseDC (hWnd=0x0, hDC=0x12010942) returned 1
[0117.094] GdipCreateFont (fontFamily=0x5a44f48, emSize=0x41040000, style=0, unit=0x3, font=0x2169940) returned 0x0
[0117.094] GdipGetFontSize (font=0x493efc0, size=0x2169944) returned 0x0
[0117.094] GdipDeleteFont (font=0x4931f08) returned 0x0
[0117.094] GetDC (hWnd=0x0) returned 0x12010942
[0117.094] GdipCreateFromHDC (hdc=0x12010942, graphics=0x19f1f8) returned 0x0
[0117.094] GdipGetFontHeight (font=0x493efc0, graphics=0x5a4f268, height=0x19f1f0) returned 0x0
[0117.094] GdipDeleteGraphics (graphics=0x5a4f268) returned 0x0
[0117.095] ReleaseDC (hWnd=0x0, hDC=0x12010942) returned 1
[0117.096] GetSystemMetrics (nIndex=5) returned 1
[0117.096] GetSystemMetrics (nIndex=6) returned 1
[0117.097] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.098] AdjustWindowRectEx (in: lpRect=0x19f320, dwStyle=0x560101c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f320) returned 1
[0117.098] GetDC (hWnd=0x0) returned 0x12010942
[0117.098] GdipCreateFromHDC (hdc=0x12010942, graphics=0x19f1f8) returned 0x0
[0117.098] GdipGetFontHeight (font=0x493efc0, graphics=0x5a4f268, height=0x19f1f0) returned 0x0
[0117.098] GdipDeleteGraphics (graphics=0x5a4f268) returned 0x0
[0117.098] ReleaseDC (hWnd=0x0, hDC=0x12010942) returned 1
[0117.098] GetSystemMetrics (nIndex=5) returned 1
[0117.098] GetSystemMetrics (nIndex=6) returned 1
[0117.099] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.099] AdjustWindowRectEx (in: lpRect=0x19f320, dwStyle=0x560101c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f320) returned 1
[0117.099] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.099] AdjustWindowRectEx (in: lpRect=0x19f320, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f320) returned 1
[0117.100] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.101] AdjustWindowRectEx (in: lpRect=0x19f324, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f324) returned 1
[0117.101] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.101] AdjustWindowRectEx (in: lpRect=0x19f324, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f324) returned 1
[0117.102] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.102] AdjustWindowRectEx (in: lpRect=0x19f320, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f320) returned 1
[0117.102] GetSystemMetrics (nIndex=5) returned 1
[0117.102] GetSystemMetrics (nIndex=6) returned 1
[0117.103] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.103] AdjustWindowRectEx (in: lpRect=0x19f284, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f284) returned 1
[0117.103] GetSystemMetrics (nIndex=5) returned 1
[0117.103] GetSystemMetrics (nIndex=6) returned 1
[0117.103] GetSystemMetrics (nIndex=5) returned 1
[0117.103] GetSystemMetrics (nIndex=6) returned 1
[0117.103] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.103] AdjustWindowRectEx (in: lpRect=0x19f284, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f284) returned 1
[0117.278] GetSystemMetrics (nIndex=5) returned 1
[0117.278] GetSystemMetrics (nIndex=6) returned 1
[0117.279] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.279] AdjustWindowRectEx (in: lpRect=0x19f2b0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f2b0) returned 1
[0117.291] GetProcessWindowStation () returned 0xf0
[0117.295] GetUserObjectInformationA (in: hObj=0xf0, nIndex=1, pvInfo=0x216aa0c, nLength=0xc, lpnLengthNeeded=0x19f18c | out: pvInfo=0x216aa0c, lpnLengthNeeded=0x19f18c) returned 1
[0117.304] SetConsoleCtrlHandler (HandlerRoutine=0x900646, Add=1) returned 1
[0117.305] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0117.305] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0117.307] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWndClass=0x216aa70 | out: lpWndClass=0x216aa70) returned 0
[0117.309] CoTaskMemAlloc (cb=0x58) returned 0x4f4550
[0117.309] RegisterClassW (lpWndClass=0x19f0dc) returned 0xc1d6
[0117.310] CoTaskMemFree (pv=0x4f4550)
[0117.310] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x60046
[0117.311] NtdllDefWindowProc_W (hWnd=0x60046, Msg=0x81, wParam=0x0, lParam=0x19ec18) returned 0x1
[0117.314] NtdllDefWindowProc_W (hWnd=0x60046, Msg=0x83, wParam=0x0, lParam=0x19ec04) returned 0x0
[0117.314] NtdllDefWindowProc_W (hWnd=0x60046, Msg=0x1, wParam=0x0, lParam=0x19ec18) returned 0x0
[0117.315] NtdllDefWindowProc_W (hWnd=0x60046, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0
[0117.315] NtdllDefWindowProc_W (hWnd=0x60046, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0
[0117.325] GetSysColor (nIndex=10) returned 0xb4b4b4
[0117.326] GetSysColor (nIndex=2) returned 0xd1b499
[0117.326] GetSysColor (nIndex=9) returned 0x0
[0117.326] GetSysColor (nIndex=12) returned 0xababab
[0117.326] GetSysColor (nIndex=15) returned 0xf0f0f0
[0117.326] GetSysColor (nIndex=20) returned 0xffffff
[0117.326] GetSysColor (nIndex=16) returned 0xa0a0a0
[0117.326] GetSysColor (nIndex=15) returned 0xf0f0f0
[0117.326] GetSysColor (nIndex=16) returned 0xa0a0a0
[0117.326] GetSysColor (nIndex=21) returned 0x696969
[0117.326] GetSysColor (nIndex=22) returned 0xe3e3e3
[0117.326] GetSysColor (nIndex=20) returned 0xffffff
[0117.326] GetSysColor (nIndex=18) returned 0x0
[0117.326] GetSysColor (nIndex=1) returned 0x0
[0117.326] GetSysColor (nIndex=27) returned 0xead1b9
[0117.326] GetSysColor (nIndex=28) returned 0xf2e4d7
[0117.326] GetSysColor (nIndex=17) returned 0x6d6d6d
[0117.326] GetSysColor (nIndex=13) returned 0xff9933
[0117.326] GetSysColor (nIndex=14) returned 0xffffff
[0117.326] GetSysColor (nIndex=26) returned 0xcc6600
[0117.326] GetSysColor (nIndex=11) returned 0xfcf7f4
[0117.326] GetSysColor (nIndex=3) returned 0xdbcdbf
[0117.326] GetSysColor (nIndex=19) returned 0x0
[0117.326] GetSysColor (nIndex=24) returned 0xe1ffff
[0117.326] GetSysColor (nIndex=23) returned 0x0
[0117.327] GetSysColor (nIndex=4) returned 0xf0f0f0
[0117.327] GetSysColor (nIndex=30) returned 0xf0f0f0
[0117.327] GetSysColor (nIndex=29) returned 0xff9933
[0117.327] GetSysColor (nIndex=7) returned 0x0
[0117.327] GetSysColor (nIndex=0) returned 0xc8c8c8
[0117.327] GetSysColor (nIndex=5) returned 0xffffff
[0117.327] GetSysColor (nIndex=6) returned 0x646464
[0117.327] GetSysColor (nIndex=8) returned 0x0
[0117.327] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.327] AdjustWindowRectEx (in: lpRect=0x19f2b0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f2b0) returned 1
[0117.334] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.334] AdjustWindowRectEx (in: lpRect=0x19f284, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f284) returned 1
[0117.334] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.334] AdjustWindowRectEx (in: lpRect=0x19f284, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f284) returned 1
[0117.334] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.335] AdjustWindowRectEx (in: lpRect=0x19f284, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f284) returned 1
[0117.335] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.335] AdjustWindowRectEx (in: lpRect=0x19f284, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f284) returned 1
[0117.335] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.335] AdjustWindowRectEx (in: lpRect=0x19f2b0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f2b0) returned 1
[0117.335] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0117.335] AdjustWindowRectEx (in: lpRect=0x19f2b0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f2b0) returned 1
[0117.421] EtwEventRegister (in: ProviderId=0x216b4b8, EnableCallback=0x900696, CallbackContext=0x0, RegHandle=0x216b494 | out: RegHandle=0x216b494) returned 0x0
[0117.424] EtwEventSetInformation (RegHandle=0x50de80, InformationClass=0x30, EventInformation=0x2, InformationLength=0x216b428) returned 0x0
[0117.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f00c) returned 1
[0117.431] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19f088 | out: lpFileInformation=0x19f088*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0117.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f008) returned 1
[0118.187] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f2c4 | out: pfEnabled=0x19f2c4) returned 0x0
[0119.810] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa00, lpName=0x0) returned 0x2e8
[0119.810] memcpy (in: _Dst=0x4750000, _Src=0x217dccc, _Size=0xfa00 | out: _Dst=0x4750000) returned 0x4750000
[0119.811] CloseHandle (hObject=0x2e8) returned 1
[0120.060] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.061] AdjustWindowRectEx (in: lpRect=0x19f2e4, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f2e4) returned 1
[0120.061] GetSystemMetrics (nIndex=59) returned 1456
[0120.061] GetSystemMetrics (nIndex=60) returned 916
[0120.061] GetSystemMetrics (nIndex=34) returned 136
[0120.061] GetSystemMetrics (nIndex=35) returned 39
[0120.061] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.062] AdjustWindowRectEx (in: lpRect=0x19f1e4, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f1e4) returned 1
[0120.062] GetCurrentThreadId () returned 0x1390
[0120.062] GetCurrentThreadId () returned 0x1390
[0120.062] GetCurrentThreadId () returned 0x1390
[0120.062] GetCurrentThreadId () returned 0x1390
[0120.063] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.063] AdjustWindowRectEx (in: lpRect=0x19f0e0, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e0) returned 1
[0120.098] GdipGetFamilyName (in: family=0x5a44f48, name=0x19efd0, language=0x409 | out: name="Microsoft Sans Serif") returned 0x0
[0120.099] CreateCompatibleDC (hdc=0x0) returned 0x6d01066d
[0120.102] GetCurrentObject (hdc=0x6d01066d, type=0x1) returned 0x1b00017
[0120.102] GetCurrentObject (hdc=0x6d01066d, type=0x2) returned 0x1900010
[0120.102] GetCurrentObject (hdc=0x6d01066d, type=0x7) returned 0x185000f
[0120.102] GetCurrentObject (hdc=0x6d01066d, type=0x6) returned 0x18a0048
[0120.103] SaveDC (hdc=0x6d01066d) returned 1
[0120.103] GetDeviceCaps (hdc=0x6d01066d, index=90) returned 96
[0120.104] CoTaskMemAlloc (cb=0x5c) returned 0x4fad38
[0120.104] CreateFontIndirectW (lplf=0x4fad38) returned 0x1c0a06b5
[0120.105] CoTaskMemFree (pv=0x4fad38)
[0120.105] GetObjectW (in: h=0x1c0a06b5, c=92, pv=0x19ef94 | out: pv=0x19ef94) returned 92
[0120.105] GetCurrentObject (hdc=0x6d01066d, type=0x6) returned 0x18a0048
[0120.106] GetObjectW (in: h=0x18a0048, c=92, pv=0x19eef4 | out: pv=0x19eef4) returned 92
[0120.106] SelectObject (hdc=0x6d01066d, h=0x1c0a06b5) returned 0x18a0048
[0120.106] GetMapMode (hdc=0x6d01066d) returned 1
[0120.106] GetTextMetricsW (in: hdc=0x6d01066d, lptm=0x19efbc | out: lptm=0x19efbc) returned 1
[0120.108] DrawTextExW (in: hdc=0x6d01066d, lpchText="PASSWORD", cchText=8, lprc=0x19f0c8, format=0x2400, lpdtp=0x218e250 | out: lpchText="PASSWORD", lprc=0x19f0c8) returned 13
[0120.390] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.390] AdjustWindowRectEx (in: lpRect=0x19f1b4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1b4) returned 1
[0120.392] GetCurrentThreadId () returned 0x1390
[0120.392] GetCurrentThreadId () returned 0x1390
[0120.392] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.392] AdjustWindowRectEx (in: lpRect=0x19f0e0, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e0) returned 1
[0120.393] DrawTextExW (in: hdc=0x6d01066d, lpchText="ID", cchText=2, lprc=0x19f0c8, format=0x2400, lpdtp=0x218e368 | out: lpchText="ID", lprc=0x19f0c8) returned 13
[0120.393] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.393] AdjustWindowRectEx (in: lpRect=0x19f1b4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1b4) returned 1
[0120.393] GetCurrentThreadId () returned 0x1390
[0120.393] GetCurrentThreadId () returned 0x1390
[0120.393] GetCurrentThreadId () returned 0x1390
[0120.393] GetCurrentThreadId () returned 0x1390
[0120.393] GetCurrentThreadId () returned 0x1390
[0120.393] GetCurrentThreadId () returned 0x1390
[0120.398] CreateCompatibleDC (hdc=0x0) returned 0x84010689
[0120.399] GetDC (hWnd=0x0) returned 0x12010942
[0120.399] GdipCreateFromHDC (hdc=0x12010942, graphics=0x19f120) returned 0x0
[0120.400] CoTaskMemAlloc (cb=0x5c) returned 0x4fb0e0
[0120.400] GdipGetLogFontW (font=0x493efc0, graphics=0x5a4f268, logfontW=0x4fb0e0) returned 0x0
[0120.403] CoTaskMemFree (pv=0x4fb0e0)
[0120.403] CoTaskMemAlloc (cb=0x5c) returned 0x4fada0
[0120.403] CoTaskMemFree (pv=0x4fada0)
[0120.403] CoTaskMemAlloc (cb=0x5c) returned 0x4fb148
[0120.404] CoTaskMemFree (pv=0x4fb148)
[0120.404] GdipDeleteGraphics (graphics=0x5a4f268) returned 0x0
[0120.404] ReleaseDC (hWnd=0x0, hDC=0x12010942) returned 1
[0120.404] CoTaskMemAlloc (cb=0x5c) returned 0x4fafa8
[0120.404] CreateFontIndirectW (lplf=0x4fafa8) returned 0x4c0a092e
[0120.404] CoTaskMemFree (pv=0x4fafa8)
[0120.405] SelectObject (hdc=0x84010689, h=0x4c0a092e) returned 0x18a0048
[0120.405] GetTextMetricsW (in: hdc=0x84010689, lptm=0x19f22c | out: lptm=0x19f22c) returned 1
[0120.406] GetTextExtentPoint32W (in: hdc=0x84010689, lpString="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", c=52, psizl=0x218eb68 | out: psizl=0x218eb68) returned 1
[0120.406] SelectObject (hdc=0x84010689, h=0x18a0048) returned 0x4c0a092e
[0120.409] DeleteDC (hdc=0x84010689) returned 1
[0120.410] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.410] AdjustWindowRectEx (in: lpRect=0x19ef98, dwStyle=0x2ce0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ef98) returned 1
[0120.410] AdjustWindowRectEx (in: lpRect=0x19f1b8, dwStyle=0x2ce0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f1b8) returned 1
[0120.411] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.411] AdjustWindowRectEx (in: lpRect=0x19ef10, dwStyle=0x2ce0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ef10) returned 1
[0120.411] AdjustWindowRectEx (in: lpRect=0x19eff0, dwStyle=0x2ce0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19eff0) returned 1
[0120.414] GetSystemMetrics (nIndex=59) returned 1456
[0120.414] GetSystemMetrics (nIndex=60) returned 916
[0120.414] GetSystemMetrics (nIndex=34) returned 136
[0120.414] GetSystemMetrics (nIndex=35) returned 39
[0120.414] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.414] AdjustWindowRectEx (in: lpRect=0x19eea0, dwStyle=0x2ce0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19eea0) returned 1
[0120.414] AdjustWindowRectEx (in: lpRect=0x19ef64, dwStyle=0x2ce0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ef64) returned 1
[0120.414] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.414] AdjustWindowRectEx (in: lpRect=0x19f1b0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1b0) returned 1
[0120.415] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.415] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0120.415] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.415] AdjustWindowRectEx (in: lpRect=0x19efd0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efd0) returned 1
[0120.415] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.416] AdjustWindowRectEx (in: lpRect=0x19f1b0, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1b0) returned 1
[0120.416] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.416] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0120.416] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.416] AdjustWindowRectEx (in: lpRect=0x19ee70, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ee70) returned 1
[0120.416] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.416] AdjustWindowRectEx (in: lpRect=0x19efa4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efa4) returned 1
[0120.416] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.416] AdjustWindowRectEx (in: lpRect=0x19f1b0, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1b0) returned 1
[0120.417] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.421] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0120.421] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.421] AdjustWindowRectEx (in: lpRect=0x19ee70, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ee70) returned 1
[0120.422] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.422] AdjustWindowRectEx (in: lpRect=0x19efa4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efa4) returned 1
[0120.422] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.422] AdjustWindowRectEx (in: lpRect=0x19f1b0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1b0) returned 1
[0120.422] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.422] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0120.422] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.422] AdjustWindowRectEx (in: lpRect=0x19efd0, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efd0) returned 1
[0120.423] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.423] AdjustWindowRectEx (in: lpRect=0x19f1b0, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f1b0) returned 1
[0120.423] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.423] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f014) returned 1
[0120.423] GetSystemMetrics (nIndex=5) returned 1
[0120.423] GetSystemMetrics (nIndex=6) returned 1
[0120.423] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.424] AdjustWindowRectEx (in: lpRect=0x19efa4, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19efa4) returned 1
[0120.424] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.424] AdjustWindowRectEx (in: lpRect=0x19f1b0, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f1b0) returned 1
[0120.424] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.424] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19f014) returned 1
[0120.424] GetSystemMetrics (nIndex=5) returned 1
[0120.424] GetSystemMetrics (nIndex=6) returned 1
[0120.425] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ea80000
[0120.425] AdjustWindowRectEx (in: lpRect=0x19efa4, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19efa4) returned 1
[0167.773] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2e00, lpName=0x0) returned 0x308
[0167.775] memcpy (in: _Dst=0x4920000, _Src=0x218578c, _Size=0x2e00 | out: _Dst=0x4920000) returned 0x4920000
[0167.775] CloseHandle (hObject=0x308) returned 1
[0167.825] CoTaskMemAlloc (cb=0x20c) returned 0x522d08
[0167.825] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x522d08 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0167.826] CoTaskMemFree (pv=0x522d08)
[0167.828] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19de98, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0167.831] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19deac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0168.189] GdipLoadImageFromStream (stream=0x75b0030, image=0x19e900) returned 0x0
[0168.549] GdipImageForceValidation (image=0x5a4f268) returned 0x0
[0168.563] GdipGetImageType (image=0x5a4f268, type=0x19e8fc) returned 0x0
[0168.563] GdipGetImageRawFormat (image=0x5a4f268, format=0x19e870*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0
[0168.588] GdipGetImageWidth (image=0x5a4f268, width=0x19ee88) returned 0x0
[0168.589] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.590] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.590] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=0, color=0x19ee74) returned 0x0
[0168.592] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.592] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.592] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=1, color=0x19ee74) returned 0x0
[0168.592] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.592] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.592] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=2, color=0x19ee74) returned 0x0
[0168.592] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.593] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.593] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=3, color=0x19ee74) returned 0x0
[0168.593] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.593] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.593] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=4, color=0x19ee74) returned 0x0
[0168.593] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.593] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.593] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=5, color=0x19ee74) returned 0x0
[0168.593] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.593] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.593] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=6, color=0x19ee74) returned 0x0
[0168.593] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.593] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.593] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=7, color=0x19ee74) returned 0x0
[0168.593] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.593] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.593] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=8, color=0x19ee74) returned 0x0
[0168.593] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.594] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.594] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=9, color=0x19ee74) returned 0x0
[0168.594] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.594] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.594] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=10, color=0x19ee74) returned 0x0
[0168.594] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.594] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.594] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=11, color=0x19ee74) returned 0x0
[0168.594] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.594] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.594] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=12, color=0x19ee74) returned 0x0
[0168.594] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.594] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.594] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=13, color=0x19ee74) returned 0x0
[0168.594] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.594] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.594] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=14, color=0x19ee74) returned 0x0
[0168.594] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.595] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.595] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=15, color=0x19ee74) returned 0x0
[0168.595] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.595] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.595] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=16, color=0x19ee74) returned 0x0
[0168.595] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.595] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.595] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=17, color=0x19ee74) returned 0x0
[0168.595] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.595] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.595] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=18, color=0x19ee74) returned 0x0
[0168.595] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.595] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.595] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=19, color=0x19ee74) returned 0x0
[0168.595] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.595] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.595] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=20, color=0x19ee74) returned 0x0
[0168.595] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.595] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.596] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=21, color=0x19ee74) returned 0x0
[0168.596] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.596] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.596] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=22, color=0x19ee74) returned 0x0
[0168.596] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.596] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.596] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=23, color=0x19ee74) returned 0x0
[0168.596] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.596] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.596] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=24, color=0x19ee74) returned 0x0
[0168.596] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.596] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.596] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=25, color=0x19ee74) returned 0x0
[0168.596] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.596] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.596] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=26, color=0x19ee74) returned 0x0
[0168.596] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.596] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.597] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=27, color=0x19ee74) returned 0x0
[0168.597] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.597] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.597] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=28, color=0x19ee74) returned 0x0
[0168.597] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.597] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.597] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=29, color=0x19ee74) returned 0x0
[0168.597] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.597] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.597] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=30, color=0x19ee74) returned 0x0
[0168.597] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.597] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.597] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=31, color=0x19ee74) returned 0x0
[0168.597] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.597] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.597] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=32, color=0x19ee74) returned 0x0
[0168.597] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.598] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.598] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=33, color=0x19ee74) returned 0x0
[0168.598] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.598] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.598] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=34, color=0x19ee74) returned 0x0
[0168.598] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.598] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.598] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=35, color=0x19ee74) returned 0x0
[0168.598] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.598] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.598] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=36, color=0x19ee74) returned 0x0
[0168.598] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.598] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.599] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=37, color=0x19ee74) returned 0x0
[0168.599] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.599] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.599] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=38, color=0x19ee74) returned 0x0
[0168.599] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.599] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.599] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=39, color=0x19ee74) returned 0x0
[0168.599] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.599] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.599] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=40, color=0x19ee74) returned 0x0
[0168.599] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.599] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.599] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=41, color=0x19ee74) returned 0x0
[0168.599] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.599] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.600] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=42, color=0x19ee74) returned 0x0
[0168.600] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.600] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.600] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=43, color=0x19ee74) returned 0x0
[0168.600] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.600] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.600] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=44, color=0x19ee74) returned 0x0
[0168.600] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.600] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.600] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=45, color=0x19ee74) returned 0x0
[0168.600] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.600] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.600] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=46, color=0x19ee74) returned 0x0
[0168.600] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.600] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.600] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=47, color=0x19ee74) returned 0x0
[0168.600] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.600] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.600] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=48, color=0x19ee74) returned 0x0
[0168.601] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.601] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.601] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=49, color=0x19ee74) returned 0x0
[0168.601] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.601] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.601] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=50, color=0x19ee74) returned 0x0
[0168.601] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.601] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.601] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=51, color=0x19ee74) returned 0x0
[0168.601] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.601] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.601] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=52, color=0x19ee74) returned 0x0
[0168.601] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.601] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.601] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=53, color=0x19ee74) returned 0x0
[0168.601] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.601] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.601] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=54, color=0x19ee74) returned 0x0
[0168.602] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.602] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.602] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=55, color=0x19ee74) returned 0x0
[0168.602] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.602] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.602] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=56, color=0x19ee74) returned 0x0
[0168.602] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.602] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.602] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=57, color=0x19ee74) returned 0x0
[0168.602] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.602] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.602] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=58, color=0x19ee74) returned 0x0
[0168.602] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.602] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.602] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=59, color=0x19ee74) returned 0x0
[0168.602] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.603] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.603] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=60, color=0x19ee74) returned 0x0
[0168.603] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.603] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.603] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=61, color=0x19ee74) returned 0x0
[0168.603] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.603] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.603] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=62, color=0x19ee74) returned 0x0
[0168.603] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.603] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.603] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=63, color=0x19ee74) returned 0x0
[0168.603] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.603] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.603] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=64, color=0x19ee74) returned 0x0
[0168.603] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.603] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.604] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=65, color=0x19ee74) returned 0x0
[0168.604] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.604] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.604] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=66, color=0x19ee74) returned 0x0
[0168.604] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.604] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.604] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=67, color=0x19ee74) returned 0x0
[0168.604] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.604] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.604] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=68, color=0x19ee74) returned 0x0
[0168.604] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.604] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.604] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=69, color=0x19ee74) returned 0x0
[0168.604] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.604] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.604] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=70, color=0x19ee74) returned 0x0
[0168.604] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.605] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.605] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=71, color=0x19ee74) returned 0x0
[0168.605] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.605] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.605] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=72, color=0x19ee74) returned 0x0
[0168.605] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.605] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.605] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=73, color=0x19ee74) returned 0x0
[0168.605] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.605] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.605] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=74, color=0x19ee74) returned 0x0
[0168.605] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.605] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.605] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=75, color=0x19ee74) returned 0x0
[0168.605] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.606] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.606] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=76, color=0x19ee74) returned 0x0
[0168.606] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.606] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.606] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=77, color=0x19ee74) returned 0x0
[0168.606] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.606] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.606] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=78, color=0x19ee74) returned 0x0
[0168.606] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.606] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.606] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=79, color=0x19ee74) returned 0x0
[0168.606] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.606] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.606] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=80, color=0x19ee74) returned 0x0
[0168.606] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.606] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.607] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=81, color=0x19ee74) returned 0x0
[0168.607] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.607] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.607] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=82, color=0x19ee74) returned 0x0
[0168.607] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.607] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.607] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=83, color=0x19ee74) returned 0x0
[0168.607] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.607] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.607] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=84, color=0x19ee74) returned 0x0
[0168.607] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.607] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.607] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=85, color=0x19ee74) returned 0x0
[0168.607] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.607] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.607] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=86, color=0x19ee74) returned 0x0
[0168.607] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.608] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.608] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=87, color=0x19ee74) returned 0x0
[0168.608] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.608] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.608] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=88, color=0x19ee74) returned 0x0
[0168.608] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.608] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.608] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=89, color=0x19ee74) returned 0x0
[0168.608] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.608] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.608] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=90, color=0x19ee74) returned 0x0
[0168.608] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.608] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.608] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=91, color=0x19ee74) returned 0x0
[0168.608] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.608] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.608] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=92, color=0x19ee74) returned 0x0
[0168.608] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.608] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.609] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=93, color=0x19ee74) returned 0x0
[0168.609] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.609] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.609] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=94, color=0x19ee74) returned 0x0
[0168.609] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.609] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.609] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=95, color=0x19ee74) returned 0x0
[0168.609] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.609] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.609] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=96, color=0x19ee74) returned 0x0
[0168.609] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.609] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.609] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=97, color=0x19ee74) returned 0x0
[0168.609] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.609] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.609] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=98, color=0x19ee74) returned 0x0
[0168.609] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.609] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.609] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=99, color=0x19ee74) returned 0x0
[0168.610] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.610] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.610] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=100, color=0x19ee74) returned 0x0
[0168.610] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.610] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.610] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=101, color=0x19ee74) returned 0x0
[0168.610] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.610] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.610] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=102, color=0x19ee74) returned 0x0
[0168.610] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.610] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.610] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=103, color=0x19ee74) returned 0x0
[0168.610] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.610] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.610] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=104, color=0x19ee74) returned 0x0
[0168.610] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.610] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.610] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=105, color=0x19ee74) returned 0x0
[0168.611] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.611] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.611] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=106, color=0x19ee74) returned 0x0
[0168.611] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.611] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.611] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=107, color=0x19ee74) returned 0x0
[0168.611] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.611] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.611] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=108, color=0x19ee74) returned 0x0
[0168.611] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.611] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.611] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=109, color=0x19ee74) returned 0x0
[0168.611] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.611] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.611] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=110, color=0x19ee74) returned 0x0
[0168.611] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.611] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.611] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=111, color=0x19ee74) returned 0x0
[0168.611] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.611] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.612] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=112, color=0x19ee74) returned 0x0
[0168.612] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.612] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.612] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=113, color=0x19ee74) returned 0x0
[0168.612] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.612] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.612] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=114, color=0x19ee74) returned 0x0
[0168.612] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.612] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.612] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=115, color=0x19ee74) returned 0x0
[0168.612] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.612] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.612] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=116, color=0x19ee74) returned 0x0
[0168.612] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.612] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.612] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=117, color=0x19ee74) returned 0x0
[0168.612] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.612] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.613] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=118, color=0x19ee74) returned 0x0
[0168.613] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.613] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.613] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=119, color=0x19ee74) returned 0x0
[0168.613] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.613] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.613] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=120, color=0x19ee74) returned 0x0
[0168.613] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.613] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.613] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=121, color=0x19ee74) returned 0x0
[0168.613] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.613] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.613] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=122, color=0x19ee74) returned 0x0
[0168.613] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.613] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.613] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=123, color=0x19ee74) returned 0x0
[0168.613] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.613] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.613] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=124, color=0x19ee74) returned 0x0
[0168.614] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.614] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.614] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=125, color=0x19ee74) returned 0x0
[0168.614] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.632] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.632] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=126, color=0x19ee74) returned 0x0
[0168.632] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.632] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.632] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=127, color=0x19ee74) returned 0x0
[0168.632] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.632] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.632] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=128, color=0x19ee74) returned 0x0
[0168.632] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.632] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.632] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=129, color=0x19ee74) returned 0x0
[0168.632] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.632] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.632] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=130, color=0x19ee74) returned 0x0
[0168.632] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.632] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.632] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=131, color=0x19ee74) returned 0x0
[0168.632] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.632] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.633] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=132, color=0x19ee74) returned 0x0
[0168.633] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.633] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.633] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=133, color=0x19ee74) returned 0x0
[0168.633] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.633] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.633] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=134, color=0x19ee74) returned 0x0
[0168.633] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.633] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.633] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=135, color=0x19ee74) returned 0x0
[0168.633] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.633] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.633] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=136, color=0x19ee74) returned 0x0
[0168.633] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.633] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.633] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=137, color=0x19ee74) returned 0x0
[0168.633] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.633] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.633] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=138, color=0x19ee74) returned 0x0
[0168.633] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.634] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.634] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=139, color=0x19ee74) returned 0x0
[0168.634] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.634] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.634] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=140, color=0x19ee74) returned 0x0
[0168.634] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.634] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.634] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=141, color=0x19ee74) returned 0x0
[0168.634] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.634] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.634] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=142, color=0x19ee74) returned 0x0
[0168.634] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.634] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.634] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=143, color=0x19ee74) returned 0x0
[0168.634] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.634] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.634] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=144, color=0x19ee74) returned 0x0
[0168.634] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=145, color=0x19ee74) returned 0x0
[0168.635] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=146, color=0x19ee74) returned 0x0
[0168.635] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=147, color=0x19ee74) returned 0x0
[0168.635] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=148, color=0x19ee74) returned 0x0
[0168.635] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=149, color=0x19ee74) returned 0x0
[0168.635] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=150, color=0x19ee74) returned 0x0
[0168.635] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=151, color=0x19ee74) returned 0x0
[0168.635] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.635] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.635] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=152, color=0x19ee74) returned 0x0
[0168.636] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.636] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.636] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=153, color=0x19ee74) returned 0x0
[0168.636] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.636] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.636] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=154, color=0x19ee74) returned 0x0
[0168.636] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.636] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.636] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=155, color=0x19ee74) returned 0x0
[0168.636] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.636] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.636] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=156, color=0x19ee74) returned 0x0
[0168.636] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.636] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.636] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=157, color=0x19ee74) returned 0x0
[0168.636] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.636] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.636] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=158, color=0x19ee74) returned 0x0
[0168.637] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.637] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.637] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=159, color=0x19ee74) returned 0x0
[0168.637] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.637] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.637] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=160, color=0x19ee74) returned 0x0
[0168.637] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.637] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.637] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=161, color=0x19ee74) returned 0x0
[0168.637] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.637] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.637] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=162, color=0x19ee74) returned 0x0
[0168.637] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.637] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.637] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=163, color=0x19ee74) returned 0x0
[0168.637] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.637] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.637] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=164, color=0x19ee74) returned 0x0
[0168.638] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.638] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.638] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=165, color=0x19ee74) returned 0x0
[0168.638] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.638] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.638] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=166, color=0x19ee74) returned 0x0
[0168.638] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.638] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.638] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=167, color=0x19ee74) returned 0x0
[0168.638] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.638] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.638] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=168, color=0x19ee74) returned 0x0
[0168.638] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.638] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.638] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=169, color=0x19ee74) returned 0x0
[0168.638] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.638] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.638] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=170, color=0x19ee74) returned 0x0
[0168.638] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.638] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.638] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=171, color=0x19ee74) returned 0x0
[0168.639] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.639] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.639] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=172, color=0x19ee74) returned 0x0
[0168.639] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.639] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.639] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=173, color=0x19ee74) returned 0x0
[0168.639] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.639] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.639] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=174, color=0x19ee74) returned 0x0
[0168.639] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.639] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.639] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=175, color=0x19ee74) returned 0x0
[0168.639] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.639] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.639] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=176, color=0x19ee74) returned 0x0
[0168.639] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.639] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.639] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=177, color=0x19ee74) returned 0x0
[0168.640] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.640] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.640] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=178, color=0x19ee74) returned 0x0
[0168.640] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.640] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.640] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=179, color=0x19ee74) returned 0x0
[0168.640] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.640] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.640] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=180, color=0x19ee74) returned 0x0
[0168.640] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.640] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.640] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=181, color=0x19ee74) returned 0x0
[0168.640] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.640] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.640] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=182, color=0x19ee74) returned 0x0
[0168.640] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.640] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.640] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=183, color=0x19ee74) returned 0x0
[0168.640] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.640] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.641] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=184, color=0x19ee74) returned 0x0
[0168.641] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.641] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.641] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=185, color=0x19ee74) returned 0x0
[0168.641] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.641] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.641] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=186, color=0x19ee74) returned 0x0
[0168.641] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.641] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.641] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=187, color=0x19ee74) returned 0x0
[0168.641] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.641] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.641] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=188, color=0x19ee74) returned 0x0
[0168.641] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.641] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.641] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=189, color=0x19ee74) returned 0x0
[0168.641] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.641] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.642] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=190, color=0x19ee74) returned 0x0
[0168.642] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.642] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.642] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=191, color=0x19ee74) returned 0x0
[0168.642] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.642] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.642] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=192, color=0x19ee74) returned 0x0
[0168.642] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.642] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.642] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=193, color=0x19ee74) returned 0x0
[0168.642] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.642] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.642] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=194, color=0x19ee74) returned 0x0
[0168.642] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.642] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.642] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=195, color=0x19ee74) returned 0x0
[0168.642] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.642] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.643] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=196, color=0x19ee74) returned 0x0
[0168.643] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.643] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.643] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=197, color=0x19ee74) returned 0x0
[0168.643] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.643] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.643] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=198, color=0x19ee74) returned 0x0
[0168.643] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.643] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.643] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=199, color=0x19ee74) returned 0x0
[0168.643] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.643] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.643] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=200, color=0x19ee74) returned 0x0
[0168.643] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.643] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.643] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=201, color=0x19ee74) returned 0x0
[0168.643] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.643] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.644] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=202, color=0x19ee74) returned 0x0
[0168.644] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.644] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.644] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=203, color=0x19ee74) returned 0x0
[0168.644] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.644] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.644] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=204, color=0x19ee74) returned 0x0
[0168.644] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.644] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.644] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=205, color=0x19ee74) returned 0x0
[0168.644] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.644] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.644] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=206, color=0x19ee74) returned 0x0
[0168.644] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.644] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.644] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=207, color=0x19ee74) returned 0x0
[0168.644] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.644] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.644] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=208, color=0x19ee74) returned 0x0
[0168.645] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.645] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.645] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=209, color=0x19ee74) returned 0x0
[0168.645] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.645] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.645] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=210, color=0x19ee74) returned 0x0
[0168.645] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.645] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.645] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=211, color=0x19ee74) returned 0x0
[0168.645] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.645] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.645] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=212, color=0x19ee74) returned 0x0
[0168.646] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.646] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.646] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=213, color=0x19ee74) returned 0x0
[0168.646] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.646] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.646] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=214, color=0x19ee74) returned 0x0
[0168.646] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.646] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.646] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=215, color=0x19ee74) returned 0x0
[0168.646] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.646] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.646] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=216, color=0x19ee74) returned 0x0
[0168.646] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.646] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.646] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=217, color=0x19ee74) returned 0x0
[0168.646] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.646] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.646] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=218, color=0x19ee74) returned 0x0
[0168.646] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.646] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.647] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=219, color=0x19ee74) returned 0x0
[0168.647] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.647] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.647] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=220, color=0x19ee74) returned 0x0
[0168.647] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.647] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.647] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=221, color=0x19ee74) returned 0x0
[0168.647] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.647] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.647] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=222, color=0x19ee74) returned 0x0
[0168.647] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.647] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.647] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=223, color=0x19ee74) returned 0x0
[0168.647] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.647] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.647] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=224, color=0x19ee74) returned 0x0
[0168.647] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.647] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.647] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=225, color=0x19ee74) returned 0x0
[0168.647] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.647] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.648] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=226, color=0x19ee74) returned 0x0
[0168.648] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.648] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.648] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=227, color=0x19ee74) returned 0x0
[0168.648] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.648] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.648] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=228, color=0x19ee74) returned 0x0
[0168.648] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.648] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.648] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=229, color=0x19ee74) returned 0x0
[0168.648] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.648] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.648] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=230, color=0x19ee74) returned 0x0
[0168.648] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.648] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.648] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=231, color=0x19ee74) returned 0x0
[0168.648] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.648] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.648] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=232, color=0x19ee74) returned 0x0
[0168.648] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.649] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=233, color=0x19ee74) returned 0x0
[0168.649] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.649] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=234, color=0x19ee74) returned 0x0
[0168.649] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.649] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=235, color=0x19ee74) returned 0x0
[0168.649] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.649] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=236, color=0x19ee74) returned 0x0
[0168.649] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.649] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=237, color=0x19ee74) returned 0x0
[0168.649] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.649] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=238, color=0x19ee74) returned 0x0
[0168.649] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.649] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=239, color=0x19ee74) returned 0x0
[0168.649] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.649] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=240, color=0x19ee74) returned 0x0
[0168.650] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.650] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=241, color=0x19ee74) returned 0x0
[0168.650] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.650] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=242, color=0x19ee74) returned 0x0
[0168.650] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.650] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=243, color=0x19ee74) returned 0x0
[0168.650] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.650] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=244, color=0x19ee74) returned 0x0
[0168.650] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.650] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=245, color=0x19ee74) returned 0x0
[0168.650] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.650] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=246, color=0x19ee74) returned 0x0
[0168.650] GdipGetImageWidth (image=0x5a4f268, width=0x19ee64) returned 0x0
[0168.650] GdipGetImageHeight (image=0x5a4f268, height=0x19ee64) returned 0x0
[0168.650] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=247, color=0x19ee74) returned 0x0
[0168.651] GdipBitmapGetPixel (bitmap=0x5a4f268, x=0, y=248, color=0x19ee74) returned 0x0
[0168.787] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5b000, lpName=0x0) returned 0x300
[0168.788] memcpy (in: _Dst=0x9ee0000, _Src=0x3b0ebb0, _Size=0x5b000 | out: _Dst=0x9ee0000) returned 0x9ee0000
[0168.793] CloseHandle (hObject=0x300) returned 1
[0170.663] CoTaskMemAlloc (cb=0xd) returned 0x56e460
[0170.663] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2333864, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.663] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.664] CoTaskMemFree (pv=0x56e460)
[0170.681] CoTaskMemAlloc (cb=0x11) returned 0x56f610
[0170.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResumeThread", cchWideChar=12, lpMultiByteStr=0x2333ba0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResumeThread", lpUsedDefaultChar=0x0) returned 12
[0170.681] GetProcAddress (hModule=0x76720000, lpProcName="ResumeThread") returned 0x7673a800
[0170.682] CoTaskMemFree (pv=0x56f610)
[0170.700] CoTaskMemAlloc (cb=0xd) returned 0x56e460
[0170.700] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2334378, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.700] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.701] CoTaskMemFree (pv=0x56e460)
[0170.701] CoTaskMemAlloc (cb=0x1a) returned 0x5772e8
[0170.701] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64SetThreadContext", cchWideChar=21, lpMultiByteStr=0x23343b0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64SetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0170.701] GetProcAddress (hModule=0x76720000, lpProcName="Wow64SetThreadContext") returned 0x76763e60
[0170.701] CoTaskMemFree (pv=0x5772e8)
[0170.710] CoTaskMemAlloc (cb=0xd) returned 0x56e4a8
[0170.711] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x233447c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.711] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.712] CoTaskMemFree (pv=0x56e4a8)
[0170.712] CoTaskMemAlloc (cb=0x15) returned 0x56f6d0
[0170.712] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetThreadContext", cchWideChar=16, lpMultiByteStr=0x23344b4, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0170.712] GetProcAddress (hModule=0x76720000, lpProcName="SetThreadContext") returned 0x76762490
[0170.713] CoTaskMemFree (pv=0x56f6d0)
[0170.717] CoTaskMemAlloc (cb=0xd) returned 0x56e538
[0170.718] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x233457c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.718] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.718] CoTaskMemFree (pv=0x56e538)
[0170.718] CoTaskMemAlloc (cb=0x1a) returned 0x5772e8
[0170.718] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64GetThreadContext", cchWideChar=21, lpMultiByteStr=0x23345b4, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64GetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0170.718] GetProcAddress (hModule=0x76720000, lpProcName="Wow64GetThreadContext") returned 0x76763e30
[0170.719] CoTaskMemFree (pv=0x5772e8)
[0170.721] CoTaskMemAlloc (cb=0xd) returned 0x56e490
[0170.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2334680, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.721] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.722] CoTaskMemFree (pv=0x56e490)
[0170.722] CoTaskMemAlloc (cb=0x15) returned 0x56f3f0
[0170.722] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetThreadContext", cchWideChar=16, lpMultiByteStr=0x23346b8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0170.722] GetProcAddress (hModule=0x76720000, lpProcName="GetThreadContext") returned 0x7673ec60
[0170.722] CoTaskMemFree (pv=0x56f3f0)
[0170.724] CoTaskMemAlloc (cb=0xd) returned 0x56e460
[0170.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2334774, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.724] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.725] CoTaskMemFree (pv=0x56e460)
[0170.725] CoTaskMemAlloc (cb=0x13) returned 0x56f450
[0170.725] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VirtualAllocEx", cchWideChar=14, lpMultiByteStr=0x23347ac, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VirtualAllocEx", lpUsedDefaultChar=0x0) returned 14
[0170.725] GetProcAddress (hModule=0x76720000, lpProcName="VirtualAllocEx") returned 0x76762730
[0170.725] CoTaskMemFree (pv=0x56f450)
[0170.733] CoTaskMemAlloc (cb=0xd) returned 0x56e460
[0170.733] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2334868, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.733] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.733] CoTaskMemFree (pv=0x56e460)
[0170.733] CoTaskMemAlloc (cb=0x17) returned 0x56f5d0
[0170.733] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WriteProcessMemory", cchWideChar=18, lpMultiByteStr=0x23348a0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WriteProcessMemory", lpUsedDefaultChar=0x0) returned 18
[0170.734] GetProcAddress (hModule=0x76720000, lpProcName="WriteProcessMemory") returned 0x76762850
[0170.734] CoTaskMemFree (pv=0x56f5d0)
[0170.740] CoTaskMemAlloc (cb=0xd) returned 0x56e460
[0170.740] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2334964, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.740] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.740] CoTaskMemFree (pv=0x56e460)
[0170.740] CoTaskMemAlloc (cb=0x16) returned 0x56f4d0
[0170.740] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ReadProcessMemory", cchWideChar=17, lpMultiByteStr=0x233499c, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReadProcessMemory", lpUsedDefaultChar=0x0) returned 17
[0170.741] GetProcAddress (hModule=0x76720000, lpProcName="ReadProcessMemory") returned 0x76761c80
[0170.741] CoTaskMemFree (pv=0x56f4d0)
[0170.759] CoTaskMemAlloc (cb=0xa) returned 0x56e490
[0170.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ntdll", cchWideChar=5, lpMultiByteStr=0x2334a5c, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntdll", lpUsedDefaultChar=0x0) returned 5
[0170.759] LoadLibraryA (lpLibFileName="ntdll") returned 0x771d0000
[0170.759] CoTaskMemFree (pv=0x56e490)
[0170.759] CoTaskMemAlloc (cb=0x19) returned 0x5773b0
[0170.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ZwUnmapViewOfSection", cchWideChar=20, lpMultiByteStr=0x2334a88, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZwUnmapViewOfSection", lpUsedDefaultChar=0x0) returned 20
[0170.760] GetProcAddress (hModule=0x771d0000, lpProcName="ZwUnmapViewOfSection") returned 0x77246f40
[0170.760] CoTaskMemFree (pv=0x5773b0)
[0170.765] CoTaskMemAlloc (cb=0xd) returned 0x56e4d8
[0170.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2334b50, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0170.765] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0170.766] CoTaskMemFree (pv=0x56e4d8)
[0170.766] CoTaskMemAlloc (cb=0x13) returned 0x56f450
[0170.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateProcessA", cchWideChar=14, lpMultiByteStr=0x2334b88, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateProcessA", lpUsedDefaultChar=0x0) returned 14
[0170.766] GetProcAddress (hModule=0x76720000, lpProcName="CreateProcessA") returned 0x76760750
[0170.766] CoTaskMemFree (pv=0x56f450)
[0170.816] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", nBufferLength=0x105, lpBuffer=0x19e3cc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", lpFilePart=0x0) returned 0x62
[0178.531] CoTaskMemAlloc (cb=0x20c) returned 0x577458
[0178.531] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x577458 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0
[0178.539] CoTaskMemFree (pv=0x577458)
[0178.539] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x19e3b4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25
[0178.568] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", nBufferLength=0x105, lpBuffer=0x19e444, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", lpFilePart=0x0) returned 0x33
[0178.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e8ec) returned 1
[0178.568] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rhfynhfgj.exe"), fInfoLevelId=0x0, lpFileInformation=0x19e968 | out: lpFileInformation=0x19e968*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0178.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e8e8) returned 1
[0178.586] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", nBufferLength=0x105, lpBuffer=0x19e3c4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", lpFilePart=0x0) returned 0x33
[0178.642] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", nBufferLength=0x105, lpBuffer=0x19e3c4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", lpFilePart=0x0) returned 0x33
[0178.667] SetNamedSecurityInfoW () returned 0x2
[0179.214] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", nBufferLength=0x105, lpBuffer=0x19e3fc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", lpFilePart=0x0) returned 0x62
[0179.214] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", nBufferLength=0x105, lpBuffer=0x19e3fc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", lpFilePart=0x0) returned 0x33
[0179.214] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rhfynhfgj.exe"), bFailIfExists=1) returned 1
[0180.973] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", nBufferLength=0x105, lpBuffer=0x19e39c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", lpFilePart=0x0) returned 0x33
[0180.985] GetUserNameW (in: lpBuffer=0x19e67c, pcbBuffer=0x19e8f4 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19e8f4) returned 1
[0181.016] SetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", dwFileAttributes=0x2007) returned 1
[0181.037] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.040] CoTaskMemAlloc (cb=0x8) returned 0x573a30
[0181.042] CoTaskMemAlloc (cb=0x1a) returned 0x57b7e8
[0181.045] LsaLookupNames2 (in: PolicyHandle=0x56f5f0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.050] CoTaskMemFree (pv=0x57b7e8)
[0181.050] CoTaskMemFree (pv=0x573a30)
[0181.213] LsaClose (ObjectHandle=0x56f5f0) returned 0x0
[0181.213] LsaFreeMemory (Buffer=0x4fab98) returned 0x0
[0181.213] LsaFreeMemory (Buffer=0x579970) returned 0x0
[0181.214] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.214] CoTaskMemAlloc (cb=0x8) returned 0x5738d0
[0181.214] CoTaskMemAlloc (cb=0x1a) returned 0x57b798
[0181.214] LsaLookupNames2 (in: PolicyHandle=0x56f690, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.215] CoTaskMemFree (pv=0x57b798)
[0181.215] CoTaskMemFree (pv=0x5738d0)
[0181.216] LsaClose (ObjectHandle=0x56f690) returned 0x0
[0181.216] LsaFreeMemory (Buffer=0x4fac68) returned 0x0
[0181.216] LsaFreeMemory (Buffer=0x579a20) returned 0x0
[0181.340] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.340] CoTaskMemAlloc (cb=0x8) returned 0x573860
[0181.340] CoTaskMemAlloc (cb=0x1a) returned 0x57b630
[0181.341] LsaLookupNames2 (in: PolicyHandle=0x56f650, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.341] CoTaskMemFree (pv=0x57b630)
[0181.342] CoTaskMemFree (pv=0x573860)
[0181.342] LsaClose (ObjectHandle=0x56f650) returned 0x0
[0181.342] LsaFreeMemory (Buffer=0x4fab98) returned 0x0
[0181.342] LsaFreeMemory (Buffer=0x579a20) returned 0x0
[0181.342] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.343] CoTaskMemAlloc (cb=0x8) returned 0x573970
[0181.343] CoTaskMemAlloc (cb=0x1a) returned 0x57b720
[0181.343] LsaLookupNames2 (in: PolicyHandle=0x56f5f0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.344] CoTaskMemFree (pv=0x57b720)
[0181.344] CoTaskMemFree (pv=0x573970)
[0181.344] LsaClose (ObjectHandle=0x56f5f0) returned 0x0
[0181.347] LsaFreeMemory (Buffer=0x4fad38) returned 0x0
[0181.347] LsaFreeMemory (Buffer=0x5790d8) returned 0x0
[0181.347] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.348] CoTaskMemAlloc (cb=0x8) returned 0x5738f0
[0181.348] CoTaskMemAlloc (cb=0x1a) returned 0x57b5e0
[0181.348] LsaLookupNames2 (in: PolicyHandle=0x56f5f0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.349] CoTaskMemFree (pv=0x57b5e0)
[0181.349] CoTaskMemFree (pv=0x5738f0)
[0181.349] LsaClose (ObjectHandle=0x56f5f0) returned 0x0
[0181.349] LsaFreeMemory (Buffer=0x4fab98) returned 0x0
[0181.349] LsaFreeMemory (Buffer=0x579868) returned 0x0
[0181.350] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.350] CoTaskMemAlloc (cb=0x8) returned 0x573990
[0181.350] CoTaskMemAlloc (cb=0x1a) returned 0x57b770
[0181.350] LsaLookupNames2 (in: PolicyHandle=0x56f610, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.351] CoTaskMemFree (pv=0x57b770)
[0181.351] CoTaskMemFree (pv=0x573990)
[0181.351] LsaClose (ObjectHandle=0x56f610) returned 0x0
[0181.351] LsaFreeMemory (Buffer=0x4fac68) returned 0x0
[0181.351] LsaFreeMemory (Buffer=0x579188) returned 0x0
[0181.352] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.352] CoTaskMemAlloc (cb=0x8) returned 0x5738f0
[0181.352] CoTaskMemAlloc (cb=0x1a) returned 0x57b770
[0181.352] LsaLookupNames2 (in: PolicyHandle=0x56f5f0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.353] CoTaskMemFree (pv=0x57b770)
[0181.353] CoTaskMemFree (pv=0x5738f0)
[0181.353] LsaClose (ObjectHandle=0x56f5f0) returned 0x0
[0181.354] LsaFreeMemory (Buffer=0x4fab98) returned 0x0
[0181.354] LsaFreeMemory (Buffer=0x579658) returned 0x0
[0181.354] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.354] CoTaskMemAlloc (cb=0x8) returned 0x5737e0
[0181.354] CoTaskMemAlloc (cb=0x1a) returned 0x57b8b0
[0181.354] LsaLookupNames2 (in: PolicyHandle=0x56f6f0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.355] CoTaskMemFree (pv=0x57b8b0)
[0181.355] CoTaskMemFree (pv=0x5737e0)
[0181.355] LsaClose (ObjectHandle=0x56f6f0) returned 0x0
[0181.356] LsaFreeMemory (Buffer=0x4fab98) returned 0x0
[0181.356] LsaFreeMemory (Buffer=0x579028) returned 0x0
[0181.356] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e704, DesiredAccess=0x800, PolicyHandle=0x19e6c4 | out: PolicyHandle=0x19e6c4) returned 0x0
[0181.356] CoTaskMemAlloc (cb=0x8) returned 0x573960
[0181.356] CoTaskMemAlloc (cb=0x1a) returned 0x57b798
[0181.356] LsaLookupNames2 (in: PolicyHandle=0x56f790, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e6d8, Sids=0x19e6cc | out: ReferencedDomains=0x19e6d8, Sids=0x19e6cc) returned 0x0
[0181.357] CoTaskMemFree (pv=0x57b798)
[0181.357] CoTaskMemFree (pv=0x573960)
[0181.357] LsaClose (ObjectHandle=0x56f790) returned 0x0
[0181.358] LsaFreeMemory (Buffer=0x4fac68) returned 0x0
[0181.358] LsaFreeMemory (Buffer=0x579398) returned 0x0
[0181.358] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", nBufferLength=0x105, lpBuffer=0x19e39c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe", lpFilePart=0x0) returned 0x33
[0181.358] SetNamedSecurityInfoW () returned 0x0
[0181.468] GetCurrentProcess () returned 0xffffffff
[0181.468] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e7d8 | out: TokenHandle=0x19e7d8*=0x3c8) returned 1
[0181.527] GetTokenInformation (in: TokenHandle=0x3c8, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e7d0 | out: TokenInformation=0x0, ReturnLength=0x19e7d0) returned 0
[0181.527] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x573910
[0181.527] GetTokenInformation (in: TokenHandle=0x3c8, TokenInformationClass=0x8, TokenInformation=0x573910, TokenInformationLength=0x4, ReturnLength=0x19e7d0 | out: TokenInformation=0x573910, ReturnLength=0x19e7d0) returned 1
[0181.527] LocalFree (hMem=0x573910) returned 0x0
[0181.528] DuplicateTokenEx (in: hExistingToken=0x3c8, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x19e7d8 | out: phNewToken=0x19e7d8*=0x3cc) returned 1
[0181.528] CheckTokenMembership (in: TokenHandle=0x3cc, SidToCheck=0x21aa810*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x19e7e8 | out: IsMember=0x19e7e8) returned 1
[0181.528] CloseHandle (hObject=0x3cc) returned 1
[0181.851] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x56f5f0
[0181.851] LocalAlloc (uFlags=0x0, uBytes=0xac) returned 0x575f50
[0181.855] ShellExecuteExW (in: pExecInfo=0x21b3dec*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x21b3dec*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x50c)) returned 1
[0185.938] LocalFree (hMem=0x56f5f0) returned 0x0
[0185.939] LocalFree (hMem=0x575f50) returned 0x0
[0185.942] GetCurrentProcess () returned 0xffffffff
[0185.942] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e878 | out: TokenHandle=0x19e878*=0x3cc) returned 1
[0185.946] GetCurrentProcess () returned 0xffffffff
[0185.946] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e848 | out: TokenHandle=0x19e848*=0x3d4) returned 1
[0185.948] GetTokenInformation (in: TokenHandle=0x3cc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e87c | out: TokenInformation=0x0, ReturnLength=0x19e87c) returned 0
[0185.948] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0xa0388b0
[0185.948] GetTokenInformation (in: TokenHandle=0x3cc, TokenInformationClass=0x1, TokenInformation=0xa0388b0, TokenInformationLength=0x24, ReturnLength=0x19e87c | out: TokenInformation=0xa0388b0, ReturnLength=0x19e87c) returned 1
[0185.949] LocalFree (hMem=0xa0388b0) returned 0x0
[0185.949] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e798, DesiredAccess=0x800, PolicyHandle=0x19e758 | out: PolicyHandle=0x19e758) returned 0x0
[0185.950] LsaLookupSids (in: PolicyHandle=0xa02e408, Count=0x1, Sids=0x21b40dc*=0x21b4080*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), ReferencedDomains=0x19e774, Names=0x19e768 | out: ReferencedDomains=0x19e774, Names=0x19e768) returned 0x0
[0185.952] LsaClose (ObjectHandle=0xa02e408) returned 0x0
[0185.952] LsaFreeMemory (Buffer=0xa019d40) returned 0x0
[0185.952] LsaFreeMemory (Buffer=0xa037af8) returned 0x0
[0185.953] CoTaskMemAlloc (cb=0x20c) returned 0xa018ae0
[0185.953] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0xa018ae0 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0185.953] CoTaskMemFree (pv=0xa018ae0)
[0185.953] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19e374, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0185.954] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19e388, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0185.955] CoTaskMemAlloc (cb=0x20c) returned 0xa018ae0
[0185.955] GetTempFileNameW (in: lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpPrefixString="tmp", uUnique=0x0, lpTempFileName=0xa018ae0 | out: lpTempFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpf9ca.tmp")) returned 0xf9ca
[0185.957] CoTaskMemFree (pv=0xa018ae0)
[0186.022] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp", nBufferLength=0x105, lpBuffer=0x19e238, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp", lpFilePart=0x0) returned 0x34
[0186.022] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e770) returned 1
[0186.022] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpf9ca.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3d0
[0186.023] GetFileType (hFile=0x3d0) returned 0x1
[0186.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e76c) returned 1
[0186.023] GetFileType (hFile=0x3d0) returned 0x1
[0186.024] WriteFile (in: hFile=0x3d0, lpBuffer=0x21b86a8*, nNumberOfBytesToWrite=0x63d, lpNumberOfBytesWritten=0x19e7fc, lpOverlapped=0x0 | out: lpBuffer=0x21b86a8*, lpNumberOfBytesWritten=0x19e7fc*=0x63d, lpOverlapped=0x0) returned 1
[0186.025] CloseHandle (hObject=0x3d0) returned 1
[0186.043] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x57b798
[0186.043] LocalAlloc (uFlags=0x0, uBytes=0xb8) returned 0xa02ac60
[0186.043] ShellExecuteExW (in: pExecInfo=0x21b9f4c*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\RhFYnHFgJ\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x21b9f4c*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\RhFYnHFgJ\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x4f8)) returned 1
[0190.509] LocalFree (hMem=0x57b798) returned 0x0
[0190.509] LocalFree (hMem=0xa02ac60) returned 0x0
[0190.540] GetCurrentProcess () returned 0xffffffff
[0190.540] GetCurrentProcess () returned 0xffffffff
[0190.540] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x4f8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19e860, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19e860*=0x494) returned 1
[0190.543] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x19e858*=0x494, lpdwindex=0x19e674 | out: lpdwindex=0x19e674) returned 0x0
[0205.216] CloseHandle (hObject=0x494) returned 1
[0205.217] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp", nBufferLength=0x105, lpBuffer=0x19e398, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp", lpFilePart=0x0) returned 0x34
[0205.218] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpf9ca.tmp")) returned 1
[0205.731] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xdc00, lpName=0x0) returned 0x494
[0205.732] memcpy (in: _Dst=0x4170000, _Src=0x2215678, _Size=0xdc00 | out: _Dst=0x4170000) returned 0x4170000
[0205.732] CloseHandle (hObject=0x494) returned 1
[0205.848] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", nBufferLength=0x105, lpBuffer=0x19e2e4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", lpFilePart=0x0) returned 0x62
[0205.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x19dd7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e
[0205.993] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", cchWideChar=98, lpMultiByteStr=0x19e51c, cbMultiByte=100, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe\x0f\nÑ°\\{(ú\x17oüí\x19", lpUsedDefaultChar=0x0) returned 98
[0205.993] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x19e518, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="t\x16\x0f\nC:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", lpUsedDefaultChar=0x0) returned 0
[0205.994] CreateProcessA (in: lpApplicationName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe", lpCommandLine="", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19e5dc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19e938 | out: lpCommandLine="", lpProcessInformation=0x19e938*(hProcess=0x42c, hThread=0x494, dwProcessId=0x109c, dwThreadId=0x10c4)) returned 1
[0206.018] CoTaskMemFree (pv=0x0)
[0206.137] GetThreadContext (in: hThread=0x494, lpContext=0x223fe60 | out: lpContext=0x223fe60*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x39d000, Edx=0x0, Ecx=0x0, Eax=0x499162, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
[0206.138] ReadProcessMemory (in: hProcess=0x42c, lpBaseAddress=0x39d008, lpBuffer=0x19e928, nSize=0x4, lpNumberOfBytesRead=0x19e96c | out: lpBuffer=0x19e928*, lpNumberOfBytesRead=0x19e96c*=0x4) returned 1
[0206.139] NtUnmapViewOfSection (ProcessHandle=0x42c, BaseAddress=0x400000) returned 0x0
[0206.151] VirtualAllocEx (hProcess=0x42c, lpAddress=0x400000, dwSize=0x12000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000
[0206.152] WriteProcessMemory (in: hProcess=0x42c, lpBaseAddress=0x400000, lpBuffer=0x2231e7c*, nSize=0x200, lpNumberOfBytesWritten=0x19e96c | out: lpBuffer=0x2231e7c*, lpNumberOfBytesWritten=0x19e96c*=0x200) returned 1
[0206.172] WriteProcessMemory (in: hProcess=0x42c, lpBaseAddress=0x402000, lpBuffer=0x22407c4*, nSize=0xb200, lpNumberOfBytesWritten=0x19e96c | out: lpBuffer=0x22407c4*, lpNumberOfBytesWritten=0x19e96c*=0xb200) returned 1
[0206.179] WriteProcessMemory (in: hProcess=0x42c, lpBaseAddress=0x40e000, lpBuffer=0x224bf6c*, nSize=0x800, lpNumberOfBytesWritten=0x19e96c | out: lpBuffer=0x224bf6c*, lpNumberOfBytesWritten=0x19e96c*=0x800) returned 1
[0206.183] WriteProcessMemory (in: hProcess=0x42c, lpBaseAddress=0x410000, lpBuffer=0x224c778*, nSize=0x200, lpNumberOfBytesWritten=0x19e96c | out: lpBuffer=0x224c778*, lpNumberOfBytesWritten=0x19e96c*=0x200) returned 1
[0206.189] WriteProcessMemory (in: hProcess=0x42c, lpBaseAddress=0x39d008, lpBuffer=0x224cc84*, nSize=0x4, lpNumberOfBytesWritten=0x19e96c | out: lpBuffer=0x224cc84*, lpNumberOfBytesWritten=0x19e96c*=0x4) returned 1
[0206.278] SetThreadContext (hThread=0x494, lpContext=0x223fe60*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x39d000, Edx=0x0, Ecx=0x0, Eax=0x40d02e, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
[0206.279] ResumeThread (hThread=0x494) returned 0x1
[0206.345] CoGetContextToken (in: pToken=0x19eda0 | out: pToken=0x19eda0) returned 0x0
[0206.345] CObjectContext::QueryInterface () returned 0x0
[0206.345] CObjectContext::GetCurrentThreadType () returned 0x0
[0206.345] Release () returned 0x3
[0206.346] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x4b8368*=0x14c, lpdwindex=0x19ec44 | out: lpdwindex=0x19ec44) returned 0x0
Thread:
id = 2
os_tid = 0x13b0
Thread:
id = 3
os_tid = 0x13d4
Thread:
id = 4
os_tid = 0x13d8
[0103.346] CoGetContextToken (in: pToken=0x42ffc74 | out: pToken=0x42ffc74) returned 0x800401f0
[0103.346] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0103.346] RoInitialize () returned 0x1
[0103.346] RoUninitialize () returned 0x0
[0206.563] LocalFree (hMem=0x503458) returned 0x0
[0206.564] LocalFree (hMem=0x5030a0) returned 0x0
[0206.565] SetWindowLongW (hWnd=0x502aa, nIndex=-4, dwNewLong=1944586208) returned 9438750
[0206.566] SetClassLongW (hWnd=0x502aa, nIndex=-24, dwNewLong=1944586208) returned 0x9005f6
[0206.566] PostMessageW (hWnd=0x502aa, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0206.567] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0206.568] UnregisterClassW (lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", hInstance=0x400000) returned 0
[0206.571] IsWindow (hWnd=0x60046) returned 1
[0206.574] GetModuleHandleW (lpModuleName="user32.dll") returned 0x743d0000
[0206.574] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x42ffa14, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWÇlÑ°\\{(ú\x17o\x98ü/\x04\x01", lpUsedDefaultChar=0x0) returned 14
[0206.575] GetProcAddress (hModule=0x743d0000, lpProcName="DefWindowProcW") returned 0x73e807e0
[0206.575] SetWindowLongW (hWnd=0x60046, nIndex=-4, dwNewLong=1944586208) returned 9438830
[0206.576] SetClassLongW (hWnd=0x60046, nIndex=-24, dwNewLong=1944586208) returned 0x90066e
[0206.576] IsWindow (hWnd=0x60046) returned 1
[0206.576] DestroyWindow (hWnd=0x60046) returned 0
[0206.576] PostMessageW (hWnd=0x60046, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0206.576] SetConsoleCtrlHandler (HandlerRoutine=0x900646, Add=0) returned 1
[0206.577] EtwEventUnregister (RegHandle=0x50de80) returned 0x0
[0206.605] CloseHandle (hObject=0x280) returned 1
[0206.606] DeleteObject (ho=0x4c0a092e) returned 1
[0206.607] RestoreDC (hdc=0x6d01066d, nSavedDC=-1) returned 1
[0206.608] DeleteDC (hdc=0x6d01066d) returned 1
[0206.609] GdipDeleteFont (font=0x493efc0) returned 0x0
[0206.610] DeleteObject (ho=0x1c0a06b5) returned 1
[0206.614] GdipDisposeImage (image=0x5a4f268) returned 0x0
[0206.943] CloseHandle (hObject=0x4f8) returned 1
[0206.944] CloseHandle (hObject=0x3d4) returned 1
[0206.945] CloseHandle (hObject=0x3cc) returned 1
[0206.945] CloseHandle (hObject=0x3c8) returned 1
[0206.946] CloseHandle (hObject=0x50c) returned 1
[0206.949] RegCloseKey (hKey=0x80000004) returned 0x0
Thread:
id = 5
os_tid = 0xd04
Thread:
id = 6
os_tid = 0x660
[0140.792] CoGetContextToken (in: pToken=0x76efd0c | out: pToken=0x76efd0c) returned 0x0
[0140.793] CObjectContext::QueryInterface () returned 0x0
[0140.793] CObjectContext::GetCurrentThreadType () returned 0x0
[0140.794] Release () returned 0x0
Thread:
id = 7
os_tid = 0xd20
Thread:
id = 8
os_tid = 0xcbc
Thread:
id = 9
os_tid = 0xde0
Thread:
id = 10
os_tid = 0xe04
Thread:
id = 11
os_tid = 0x10e4
Thread:
id = 12
os_tid = 0x654
Thread:
id = 13
os_tid = 0x6fc
Thread:
id = 101
os_tid = 0x10dc
Process:
id = "2"
image_name = "powershell.exe"
filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"
page_root = "0x7322a000"
os_pid = "0xe24"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0x138c"
cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 544
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 545
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 546
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 547
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 548
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 549
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 550
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 551
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 552
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 553
start_va = 0xc00000
end_va = 0xc70fff
monitored = 0
entry_point = 0xc09c00
region_type = mapped_file
name = "powershell.exe"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")
Region:
id = 554
start_va = 0xc80000
end_va = 0x4c7ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c80000"
filename = ""
Region:
id = 555
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 556
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 557
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 558
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 559
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 560
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 561
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 562
start_va = 0x110000
end_va = 0x14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 563
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 564
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 565
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 566
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 567
start_va = 0x400000
end_va = 0x62ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 568
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 569
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 570
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 571
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 755
start_va = 0x400000
end_va = 0x4bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 756
start_va = 0x530000
end_va = 0x62ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000530000"
filename = ""
Region:
id = 757
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 758
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 759
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 760
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 761
start_va = 0x190000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 762
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 763
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 764
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 765
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 766
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 767
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 768
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 783
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 785
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 786
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 787
start_va = 0x6e7f0000
end_va = 0x6e807fff
monitored = 0
entry_point = 0x6e7f4820
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")
Region:
id = 788
start_va = 0x6f8e0000
end_va = 0x6f938fff
monitored = 1
entry_point = 0x6f8f0780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 789
start_va = 0x630000
end_va = 0x6affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 790
start_va = 0x110000
end_va = 0x139fff
monitored = 0
entry_point = 0x115680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 791
start_va = 0x140000
end_va = 0x14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000140000"
filename = ""
Region:
id = 792
start_va = 0x6b0000
end_va = 0x837fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006b0000"
filename = ""
Region:
id = 793
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 794
start_va = 0x840000
end_va = 0x9c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000840000"
filename = ""
Region:
id = 795
start_va = 0x4c80000
end_va = 0x607ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004c80000"
filename = ""
Region:
id = 796
start_va = 0x30000
end_va = 0x32fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "powershell.exe.mui"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui")
Region:
id = 798
start_va = 0x110000
end_va = 0x110fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 799
start_va = 0x120000
end_va = 0x120fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000120000"
filename = ""
Region:
id = 800
start_va = 0x9d0000
end_va = 0xbaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009d0000"
filename = ""
Region:
id = 806
start_va = 0x6f860000
end_va = 0x6f8dcfff
monitored = 1
entry_point = 0x6f870db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 808
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 809
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 810
start_va = 0x6f980000
end_va = 0x6f987fff
monitored = 0
entry_point = 0x6f9817b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 811
start_va = 0x6f170000
end_va = 0x6f850fff
monitored = 1
entry_point = 0x6f19cd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 812
start_va = 0x6f070000
end_va = 0x6f164fff
monitored = 0
entry_point = 0x6f0c4160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 1169
start_va = 0x130000
end_va = 0x130fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000130000"
filename = ""
Region:
id = 1170
start_va = 0x1d0000
end_va = 0x1dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 1171
start_va = 0x1e0000
end_va = 0x1effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1172
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 1173
start_va = 0x4c0000
end_va = 0x4cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004c0000"
filename = ""
Region:
id = 1174
start_va = 0x4d0000
end_va = 0x4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004d0000"
filename = ""
Region:
id = 1175
start_va = 0x4e0000
end_va = 0x4effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004e0000"
filename = ""
Region:
id = 1176
start_va = 0x4f0000
end_va = 0x4f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004f0000"
filename = ""
Region:
id = 1177
start_va = 0x500000
end_va = 0x500fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000500000"
filename = ""
Region:
id = 1178
start_va = 0x9d0000
end_va = 0xa6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009d0000"
filename = ""
Region:
id = 1179
start_va = 0xba0000
end_va = 0xbaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000ba0000"
filename = ""
Region:
id = 1180
start_va = 0x6080000
end_va = 0x61dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006080000"
filename = ""
Region:
id = 1181
start_va = 0x630000
end_va = 0x66ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 1182
start_va = 0x6a0000
end_va = 0x6affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006a0000"
filename = ""
Region:
id = 1183
start_va = 0x9d0000
end_va = 0xa0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009d0000"
filename = ""
Region:
id = 1184
start_va = 0xa60000
end_va = 0xa6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 1185
start_va = 0x510000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1186
start_va = 0x61e0000
end_va = 0x81dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000061e0000"
filename = ""
Region:
id = 1187
start_va = 0x510000
end_va = 0x52ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1188
start_va = 0xa10000
end_va = 0xa4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a10000"
filename = ""
Region:
id = 1189
start_va = 0xa70000
end_va = 0xaaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a70000"
filename = ""
Region:
id = 1209
start_va = 0x81e0000
end_va = 0x8516fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1212
start_va = 0x6d430000
end_va = 0x6e6e1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 1233
start_va = 0x8520000
end_va = 0x86bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008520000"
filename = ""
Region:
id = 1235
start_va = 0x670000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 1313
start_va = 0x6ca60000
end_va = 0x6d42bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 1314
start_va = 0x6e8c0000
end_va = 0x6efe0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 1315
start_va = 0x6e830000
end_va = 0x6e8b2fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.powershell.consolehost.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\c3373939e7c94b541b901780981fd0cc\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\c3373939e7c94b541b901780981fd0cc\\microsoft.powershell.consolehost.ni.dll")
Region:
id = 1316
start_va = 0x71200000
end_va = 0x71212fff
monitored = 0
entry_point = 0x71209950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1317
start_va = 0x70230000
end_va = 0x7025efff
monitored = 0
entry_point = 0x702495e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1318
start_va = 0x71560000
end_va = 0x7157afff
monitored = 0
entry_point = 0x71569050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1325
start_va = 0x6b1a0000
end_va = 0x6ca55fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.automation.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\ac360ee7d819131e00d9de15ca78e746\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\ac360ee7d819131e00d9de15ca78e746\\system.management.automation.ni.dll")
Region:
id = 1344
start_va = 0xab0000
end_va = 0xb11fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 1347
start_va = 0x680000
end_va = 0x684fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll")
Region:
id = 1348
start_va = 0x690000
end_va = 0x69ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui")
Region:
id = 1349
start_va = 0x764d0000
end_va = 0x764d5fff
monitored = 0
entry_point = 0x764d1460
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Region:
id = 1350
start_va = 0x6080000
end_va = 0x617ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006080000"
filename = ""
Region:
id = 1351
start_va = 0x61d0000
end_va = 0x61dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000061d0000"
filename = ""
Region:
id = 1352
start_va = 0x6e7a0000
end_va = 0x6e7e4fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.numerics.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\d3d95e1e349be37505587e7fee918881\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\d3d95e1e349be37505587e7fee918881\\system.numerics.ni.dll")
Region:
id = 1353
start_va = 0xa50000
end_va = 0xa5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a50000"
filename = ""
Region:
id = 1356
start_va = 0x6a900000
end_va = 0x6a979fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.management.infrastructure.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\5edeb849552a1a53cfc131825d3f494c\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\5edeb849552a1a53cfc131825d3f494c\\microsoft.management.infrastructure.ni.dll")
Region:
id = 1357
start_va = 0x6a980000
end_va = 0x6b09dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\4fbda26d781323081b45526da6e87b35\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\4fbda26d781323081b45526da6e87b35\\system.xml.ni.dll")
Region:
id = 1358
start_va = 0xb20000
end_va = 0xb2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b20000"
filename = ""
Region:
id = 1359
start_va = 0x6a7e0000
end_va = 0x6a8fcfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.directoryservices.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\883582fb4e073bf0dfad214569e4200f\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\883582fb4e073bf0dfad214569e4200f\\system.directoryservices.ni.dll")
Region:
id = 1360
start_va = 0x6a6c0000
end_va = 0x6a7dcfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\98d3949f9ba1a384939805aa5e47e933\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\98d3949f9ba1a384939805aa5e47e933\\system.management.ni.dll")
Region:
id = 1361
start_va = 0xb30000
end_va = 0xb3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b30000"
filename = ""
Region:
id = 1362
start_va = 0xb40000
end_va = 0xb4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b40000"
filename = ""
Region:
id = 1363
start_va = 0xb50000
end_va = 0xb5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b50000"
filename = ""
Region:
id = 1364
start_va = 0xb60000
end_va = 0xb6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b60000"
filename = ""
Region:
id = 1365
start_va = 0xb70000
end_va = 0xb7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b70000"
filename = ""
Region:
id = 1367
start_va = 0xb80000
end_va = 0xb8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b80000"
filename = ""
Thread:
id = 14
os_tid = 0xe20
Thread:
id = 24
os_tid = 0xe18
Thread:
id = 98
os_tid = 0xba0
Thread:
id = 99
os_tid = 0x10cc
Process:
id = "3"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0xf1f9000"
os_pid = "0xaf8"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "2"
os_parent_pid = "0xe24"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 594
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 595
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 596
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 597
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 598
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 599
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 600
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 601
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 602
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 603
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 604
start_va = 0x90000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000090000"
filename = ""
Region:
id = 605
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 606
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 607
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 608
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 609
start_va = 0x600000
end_va = 0x6bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 610
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 611
start_va = 0x190000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 612
start_va = 0x6c0000
end_va = 0x84ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006c0000"
filename = ""
Region:
id = 613
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 614
start_va = 0x7ffa0abf0000
end_va = 0x7ffa0ac48fff
monitored = 0
entry_point = 0x7ffa0abffbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 615
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 616
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 617
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 618
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 619
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 620
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 621
start_va = 0x1e0000
end_va = 0x1e6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 622
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 623
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 624
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 625
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 626
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 633
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 634
start_va = 0x6c0000
end_va = 0x6c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006c0000"
filename = ""
Region:
id = 635
start_va = 0x840000
end_va = 0x84ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000840000"
filename = ""
Region:
id = 636
start_va = 0x850000
end_va = 0x9d7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000850000"
filename = ""
Region:
id = 637
start_va = 0x9e0000
end_va = 0xb60fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009e0000"
filename = ""
Region:
id = 638
start_va = 0xb70000
end_va = 0x1f6ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b70000"
filename = ""
Region:
id = 639
start_va = 0x1f70000
end_va = 0x213ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 644
start_va = 0x6d0000
end_va = 0x70ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006d0000"
filename = ""
Region:
id = 645
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 674
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 675
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 682
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 683
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 684
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 691
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 703
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 704
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 705
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 708
start_va = 0x1f70000
end_va = 0x20cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 709
start_va = 0x2130000
end_va = 0x213ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002130000"
filename = ""
Region:
id = 710
start_va = 0x2140000
end_va = 0x2476fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 711
start_va = 0x710000
end_va = 0x80ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000710000"
filename = ""
Region:
id = 712
start_va = 0x2480000
end_va = 0x267ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002480000"
filename = ""
Region:
id = 720
start_va = 0x1f70000
end_va = 0x1faffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 721
start_va = 0x20c0000
end_va = 0x20cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 722
start_va = 0x7ffa14a40000
end_va = 0x7ffa14b99fff
monitored = 0
entry_point = 0x7ffa14a838e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 729
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 730
start_va = 0x1fb0000
end_va = 0x206bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001fb0000"
filename = ""
Region:
id = 731
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 732
start_va = 0x7ffa10610000
end_va = 0x7ffa10631fff
monitored = 0
entry_point = 0x7ffa10611a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 733
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 740
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 746
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 747
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 748
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 749
start_va = 0x810000
end_va = 0x814fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 750
start_va = 0x820000
end_va = 0x820fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 751
start_va = 0x830000
end_va = 0x831fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000830000"
filename = ""
Region:
id = 752
start_va = 0x7ffa080f0000
end_va = 0x7ffa08363fff
monitored = 0
entry_point = 0x7ffa08160400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 753
start_va = 0x2070000
end_va = 0x2070fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 754
start_va = 0x2080000
end_va = 0x2081fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002080000"
filename = ""
Thread:
id = 15
os_tid = 0xe14
Thread:
id = 17
os_tid = 0x300
Thread:
id = 18
os_tid = 0xe50
Thread:
id = 22
os_tid = 0xba8
Process:
id = "4"
image_name = "schtasks.exe"
filename = "c:\\windows\\syswow64\\schtasks.exe"
page_root = "0x7303d000"
os_pid = "0xe1c"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0x138c"
cmd_line = "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\RhFYnHFgJ\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 572
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 573
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 574
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 575
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 576
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 577
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 578
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 579
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 580
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 581
start_va = 0x1100000
end_va = 0x1131fff
monitored = 1
entry_point = 0x11205b0
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")
Region:
id = 582
start_va = 0x1140000
end_va = 0x513ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001140000"
filename = ""
Region:
id = 583
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 584
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 585
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 586
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 587
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 588
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 589
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 627
start_va = 0x400000
end_va = 0x58ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 628
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 629
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 630
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 631
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 632
start_va = 0x590000
end_va = 0x76ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000590000"
filename = ""
Region:
id = 640
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 641
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 642
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 643
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 769
start_va = 0x110000
end_va = 0x1cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 770
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 771
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 772
start_va = 0x400000
end_va = 0x43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 773
start_va = 0x440000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000440000"
filename = ""
Region:
id = 774
start_va = 0x580000
end_va = 0x58ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000580000"
filename = ""
Region:
id = 775
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 776
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 777
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 778
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 779
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 780
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 781
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 782
start_va = 0x770000
end_va = 0x89ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000770000"
filename = ""
Region:
id = 784
start_va = 0x480000
end_va = 0x569fff
monitored = 0
entry_point = 0x4bd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 797
start_va = 0x1d0000
end_va = 0x1e2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schtasks.exe.mui"
filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui")
Region:
id = 801
start_va = 0x8a0000
end_va = 0xbd6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 802
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 803
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 804
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 805
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 807
start_va = 0x6a4e0000
end_va = 0x6a56bfff
monitored = 0
entry_point = 0x6a51a6c0
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll")
Thread:
id = 16
os_tid = 0xe30
[0202.334] GetModuleHandleA (lpModuleName=0x0) returned 0x1100000
[0202.334] __set_app_type (_Type=0x1)
[0202.334] __p__fmode () returned 0x76b44d6c
[0202.334] __p__commode () returned 0x76b45b1c
[0202.334] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1120840) returned 0x0
[0202.335] __wgetmainargs (in: _Argc=0x112ade0, _Argv=0x112ade4, _Env=0x112ade8, _DoWildCard=0, _StartInfo=0x112adf4 | out: _Argc=0x112ade0, _Argv=0x112ade4, _Env=0x112ade8) returned 0
[0202.335] _onexit (_Func=0x1122bc0) returned 0x1122bc0
[0202.336] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0202.336] WinSqmIsOptedIn () returned 0x0
[0202.336] GetProcessHeap () returned 0x670000
[0202.336] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x6774c0
[0202.336] RtlRestoreLastWin32Error () returned 0x0
[0202.336] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0202.336] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0202.336] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0202.336] RtlVerifyVersionInfo (VersionInfo=0xdf9f8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0202.336] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x677310
[0202.337] lstrlenW (lpString="") returned 0
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x2) returned 0x670598
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676e40
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x677328
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676c08
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676c28
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676c48
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676838
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x6774d8
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676858
[0202.337] GetProcessHeap () returned 0x670000
[0202.337] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676878
[0202.338] GetProcessHeap () returned 0x670000
[0202.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6765d0
[0202.338] GetProcessHeap () returned 0x670000
[0202.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6765f0
[0202.338] GetProcessHeap () returned 0x670000
[0202.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x677340
[0202.338] GetProcessHeap () returned 0x670000
[0202.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x676610
[0202.338] GetProcessHeap () returned 0x670000
[0202.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x672780
[0202.338] GetProcessHeap () returned 0x670000
[0202.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6727a0
[0202.338] GetProcessHeap () returned 0x670000
[0202.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6727c0
[0202.338] SetThreadUILanguage (LangId=0x0) returned 0x409
[0202.706] RtlRestoreLastWin32Error () returned 0x0
[0202.706] GetProcessHeap () returned 0x670000
[0202.706] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679460
[0202.706] GetProcessHeap () returned 0x670000
[0202.706] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679640
[0202.706] GetProcessHeap () returned 0x670000
[0202.707] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679500
[0202.707] GetProcessHeap () returned 0x670000
[0202.707] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679600
[0202.707] GetProcessHeap () returned 0x670000
[0202.707] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6793a0
[0202.707] GetProcessHeap () returned 0x670000
[0202.707] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x677358
[0202.707] _memicmp (_Buf1=0x677358, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.707] GetProcessHeap () returned 0x670000
[0202.707] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x208) returned 0x678cd8
[0202.707] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x678cd8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0202.707] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdfb04 | out: lpdwHandle=0xdfb04) returned 0x76c
[0202.795] GetProcessHeap () returned 0x670000
[0202.795] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x776) returned 0x679db0
[0202.795] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x679db0 | out: lpData=0x679db0) returned 1
[0202.795] VerQueryValueW (in: pBlock=0x679db0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdfb0c, puLen=0xdfb10 | out: lplpBuffer=0xdfb0c*=0x67a160, puLen=0xdfb10) returned 1
[0202.798] _memicmp (_Buf1=0x677358, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.798] _vsnwprintf (in: _Buffer=0x678cd8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdfaf0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0202.798] VerQueryValueW (in: pBlock=0x679db0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdfb1c, puLen=0xdfb18 | out: lplpBuffer=0xdfb1c*=0x679f90, puLen=0xdfb18) returned 1
[0202.799] lstrlenW (lpString="schtasks.exe") returned 12
[0202.799] lstrlenW (lpString="schtasks.exe") returned 12
[0202.799] lstrlenW (lpString=".EXE") returned 4
[0202.799] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0202.799] lstrlenW (lpString="schtasks.exe") returned 12
[0202.799] lstrlenW (lpString=".EXE") returned 4
[0202.799] _memicmp (_Buf1=0x677358, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.800] lstrlenW (lpString="schtasks") returned 8
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679480
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679520
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679400
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6795a0
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x677388
[0202.800] _memicmp (_Buf1=0x677388, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0xa0) returned 0x678ee8
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679420
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679540
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679560
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x6773e8
[0202.800] _memicmp (_Buf1=0x6773e8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.800] GetProcessHeap () returned 0x670000
[0202.800] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x200) returned 0x67a790
[0202.800] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x67a790, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0202.801] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0202.801] GetProcessHeap () returned 0x670000
[0202.801] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x30) returned 0x672588
[0202.801] _vsnwprintf (in: _Buffer=0x678ee8, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdfaf4 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0202.801] GetProcessHeap () returned 0x670000
[0202.801] GetProcessHeap () returned 0x670000
[0202.801] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679db0) returned 1
[0202.801] GetProcessHeap () returned 0x670000
[0202.801] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679db0) returned 0x776
[0202.802] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679db0) returned 1
[0202.802] RtlRestoreLastWin32Error () returned 0x0
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="?") returned 1
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="create") returned 6
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="delete") returned 6
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="query") returned 5
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="change") returned 6
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="run") returned 3
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="end") returned 3
[0202.802] GetThreadLocale () returned 0x409
[0202.802] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.802] lstrlenW (lpString="showsid") returned 7
[0202.802] GetThreadLocale () returned 0x409
[0202.803] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.803] RtlRestoreLastWin32Error () returned 0x0
[0202.803] RtlRestoreLastWin32Error () returned 0x0
[0202.803] lstrlenW (lpString="/Create") returned 7
[0202.803] lstrlenW (lpString="-/") returned 2
[0202.803] StrChrIW (lpStart="-/", wMatch=0x89002f) returned="/"
[0202.803] lstrlenW (lpString="?") returned 1
[0202.803] lstrlenW (lpString="?") returned 1
[0202.803] GetProcessHeap () returned 0x670000
[0202.803] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x677400
[0202.803] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.803] GetProcessHeap () returned 0x670000
[0202.803] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0xa) returned 0x677460
[0202.803] lstrlenW (lpString="Create") returned 6
[0202.803] GetProcessHeap () returned 0x670000
[0202.803] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x6773b8
[0202.803] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.803] GetProcessHeap () returned 0x670000
[0202.803] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6794a0
[0202.803] _vsnwprintf (in: _Buffer=0x677460, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0202.803] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0202.803] lstrlenW (lpString="|?|") returned 3
[0202.803] lstrlenW (lpString="|Create|") returned 8
[0202.803] RtlRestoreLastWin32Error () returned 0x490
[0202.803] lstrlenW (lpString="create") returned 6
[0202.803] lstrlenW (lpString="create") returned 6
[0202.803] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.803] GetProcessHeap () returned 0x670000
[0202.803] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677460) returned 1
[0202.803] GetProcessHeap () returned 0x670000
[0202.804] RtlReAllocateHeap (Heap=0x670000, Flags=0xc, Ptr=0x677460, Size=0x14) returned 0x679620
[0202.804] lstrlenW (lpString="Create") returned 6
[0202.804] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.804] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0202.804] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0202.804] lstrlenW (lpString="|create|") returned 8
[0202.804] lstrlenW (lpString="|Create|") returned 8
[0202.804] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0202.804] RtlRestoreLastWin32Error () returned 0x0
[0202.804] RtlRestoreLastWin32Error () returned 0x0
[0202.804] RtlRestoreLastWin32Error () returned 0x0
[0202.804] lstrlenW (lpString="/TN") returned 3
[0202.804] lstrlenW (lpString="-/") returned 2
[0202.804] StrChrIW (lpStart="-/", wMatch=0x89002f) returned="/"
[0202.804] lstrlenW (lpString="?") returned 1
[0202.804] lstrlenW (lpString="?") returned 1
[0202.804] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.804] lstrlenW (lpString="TN") returned 2
[0202.804] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.804] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0202.804] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.804] lstrlenW (lpString="|?|") returned 3
[0202.804] lstrlenW (lpString="|TN|") returned 4
[0202.804] RtlRestoreLastWin32Error () returned 0x490
[0202.804] lstrlenW (lpString="create") returned 6
[0202.804] lstrlenW (lpString="create") returned 6
[0202.804] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.804] lstrlenW (lpString="TN") returned 2
[0202.804] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.805] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0202.805] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.805] lstrlenW (lpString="|create|") returned 8
[0202.805] lstrlenW (lpString="|TN|") returned 4
[0202.805] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0202.805] RtlRestoreLastWin32Error () returned 0x490
[0202.805] lstrlenW (lpString="delete") returned 6
[0202.805] lstrlenW (lpString="delete") returned 6
[0202.805] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.805] lstrlenW (lpString="TN") returned 2
[0202.805] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.805] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0202.805] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.805] lstrlenW (lpString="|delete|") returned 8
[0202.805] lstrlenW (lpString="|TN|") returned 4
[0202.805] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0
[0202.805] RtlRestoreLastWin32Error () returned 0x490
[0202.805] lstrlenW (lpString="query") returned 5
[0202.805] lstrlenW (lpString="query") returned 5
[0202.805] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.805] lstrlenW (lpString="TN") returned 2
[0202.805] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.805] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0202.805] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.805] lstrlenW (lpString="|query|") returned 7
[0202.805] lstrlenW (lpString="|TN|") returned 4
[0202.805] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0
[0202.805] RtlRestoreLastWin32Error () returned 0x490
[0202.805] lstrlenW (lpString="change") returned 6
[0202.805] lstrlenW (lpString="change") returned 6
[0202.805] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.806] lstrlenW (lpString="TN") returned 2
[0202.806] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.806] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0202.806] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.806] lstrlenW (lpString="|change|") returned 8
[0202.806] lstrlenW (lpString="|TN|") returned 4
[0202.806] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0
[0202.806] RtlRestoreLastWin32Error () returned 0x490
[0202.806] lstrlenW (lpString="run") returned 3
[0202.806] lstrlenW (lpString="run") returned 3
[0202.806] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.806] lstrlenW (lpString="TN") returned 2
[0202.806] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.806] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0202.806] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.806] lstrlenW (lpString="|run|") returned 5
[0202.806] lstrlenW (lpString="|TN|") returned 4
[0202.806] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0
[0202.806] RtlRestoreLastWin32Error () returned 0x490
[0202.810] lstrlenW (lpString="end") returned 3
[0202.810] lstrlenW (lpString="end") returned 3
[0202.810] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.810] lstrlenW (lpString="TN") returned 2
[0202.810] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.810] _vsnwprintf (in: _Buffer=0x679620, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0202.810] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.810] lstrlenW (lpString="|end|") returned 5
[0202.810] lstrlenW (lpString="|TN|") returned 4
[0202.810] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0
[0202.810] RtlRestoreLastWin32Error () returned 0x490
[0202.810] lstrlenW (lpString="showsid") returned 7
[0202.810] lstrlenW (lpString="showsid") returned 7
[0202.810] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.810] GetProcessHeap () returned 0x670000
[0202.810] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679620) returned 1
[0202.810] GetProcessHeap () returned 0x670000
[0202.811] RtlReAllocateHeap (Heap=0x670000, Flags=0xc, Ptr=0x679620, Size=0x16) returned 0x679660
[0202.811] lstrlenW (lpString="TN") returned 2
[0202.811] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.811] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0202.811] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.811] lstrlenW (lpString="|showsid|") returned 9
[0202.811] lstrlenW (lpString="|TN|") returned 4
[0202.811] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0
[0202.811] RtlRestoreLastWin32Error () returned 0x490
[0202.811] RtlRestoreLastWin32Error () returned 0x490
[0202.811] RtlRestoreLastWin32Error () returned 0x0
[0202.811] lstrlenW (lpString="/TN") returned 3
[0202.811] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0
[0202.811] RtlRestoreLastWin32Error () returned 0x490
[0202.811] RtlRestoreLastWin32Error () returned 0x0
[0202.811] lstrlenW (lpString="/TN") returned 3
[0202.811] GetProcessHeap () returned 0x670000
[0202.811] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x8) returned 0x676c68
[0202.811] GetProcessHeap () returned 0x670000
[0202.811] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679580
[0202.811] RtlRestoreLastWin32Error () returned 0x0
[0202.811] RtlRestoreLastWin32Error () returned 0x0
[0202.811] lstrlenW (lpString="Updates\\RhFYnHFgJ") returned 17
[0202.811] lstrlenW (lpString="-/") returned 2
[0202.811] StrChrIW (lpStart="-/", wMatch=0x890055) returned 0x0
[0202.811] RtlRestoreLastWin32Error () returned 0x490
[0202.811] RtlRestoreLastWin32Error () returned 0x490
[0202.812] RtlRestoreLastWin32Error () returned 0x0
[0202.812] lstrlenW (lpString="Updates\\RhFYnHFgJ") returned 17
[0202.812] StrChrIW (lpStart="Updates\\RhFYnHFgJ", wMatch=0x3a) returned 0x0
[0202.812] RtlRestoreLastWin32Error () returned 0x490
[0202.812] RtlRestoreLastWin32Error () returned 0x0
[0202.812] lstrlenW (lpString="Updates\\RhFYnHFgJ") returned 17
[0202.812] GetProcessHeap () returned 0x670000
[0202.812] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x24) returned 0x678f90
[0202.812] GetProcessHeap () returned 0x670000
[0202.812] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6794c0
[0202.812] RtlRestoreLastWin32Error () returned 0x0
[0202.812] RtlRestoreLastWin32Error () returned 0x0
[0202.812] lstrlenW (lpString="/XML") returned 4
[0202.812] lstrlenW (lpString="-/") returned 2
[0202.812] StrChrIW (lpStart="-/", wMatch=0x89002f) returned="/"
[0202.812] lstrlenW (lpString="?") returned 1
[0202.812] lstrlenW (lpString="?") returned 1
[0202.812] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.812] lstrlenW (lpString="XML") returned 3
[0202.812] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.812] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0202.812] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.812] lstrlenW (lpString="|?|") returned 3
[0202.812] lstrlenW (lpString="|XML|") returned 5
[0202.812] RtlRestoreLastWin32Error () returned 0x490
[0202.812] lstrlenW (lpString="create") returned 6
[0202.812] lstrlenW (lpString="create") returned 6
[0202.812] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.813] lstrlenW (lpString="XML") returned 3
[0202.813] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.813] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0202.813] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.813] lstrlenW (lpString="|create|") returned 8
[0202.813] lstrlenW (lpString="|XML|") returned 5
[0202.813] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0202.813] RtlRestoreLastWin32Error () returned 0x490
[0202.813] lstrlenW (lpString="delete") returned 6
[0202.813] lstrlenW (lpString="delete") returned 6
[0202.813] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.813] lstrlenW (lpString="XML") returned 3
[0202.813] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.813] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0202.813] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.813] lstrlenW (lpString="|delete|") returned 8
[0202.813] lstrlenW (lpString="|XML|") returned 5
[0202.813] StrStrIW (lpFirst="|delete|", lpSrch="|XML|") returned 0x0
[0202.813] RtlRestoreLastWin32Error () returned 0x490
[0202.813] lstrlenW (lpString="query") returned 5
[0202.813] lstrlenW (lpString="query") returned 5
[0202.813] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.813] lstrlenW (lpString="XML") returned 3
[0202.813] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.814] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0202.814] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.814] lstrlenW (lpString="|query|") returned 7
[0202.814] lstrlenW (lpString="|XML|") returned 5
[0202.814] StrStrIW (lpFirst="|query|", lpSrch="|XML|") returned 0x0
[0202.814] RtlRestoreLastWin32Error () returned 0x490
[0202.814] lstrlenW (lpString="change") returned 6
[0202.814] lstrlenW (lpString="change") returned 6
[0202.814] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.814] lstrlenW (lpString="XML") returned 3
[0202.814] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.814] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0202.814] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.814] lstrlenW (lpString="|change|") returned 8
[0202.814] lstrlenW (lpString="|XML|") returned 5
[0202.814] StrStrIW (lpFirst="|change|", lpSrch="|XML|") returned 0x0
[0202.814] RtlRestoreLastWin32Error () returned 0x490
[0202.814] lstrlenW (lpString="run") returned 3
[0202.814] lstrlenW (lpString="run") returned 3
[0202.814] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.814] lstrlenW (lpString="XML") returned 3
[0202.814] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.814] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0202.814] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.814] lstrlenW (lpString="|run|") returned 5
[0202.815] lstrlenW (lpString="|XML|") returned 5
[0202.815] StrStrIW (lpFirst="|run|", lpSrch="|XML|") returned 0x0
[0202.815] RtlRestoreLastWin32Error () returned 0x490
[0202.815] lstrlenW (lpString="end") returned 3
[0202.815] lstrlenW (lpString="end") returned 3
[0202.815] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.815] lstrlenW (lpString="XML") returned 3
[0202.815] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.815] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0202.815] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.815] lstrlenW (lpString="|end|") returned 5
[0202.815] lstrlenW (lpString="|XML|") returned 5
[0202.815] StrStrIW (lpFirst="|end|", lpSrch="|XML|") returned 0x0
[0202.815] RtlRestoreLastWin32Error () returned 0x490
[0202.815] lstrlenW (lpString="showsid") returned 7
[0202.815] lstrlenW (lpString="showsid") returned 7
[0202.815] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.815] lstrlenW (lpString="XML") returned 3
[0202.815] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.815] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0202.815] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.815] lstrlenW (lpString="|showsid|") returned 9
[0202.815] lstrlenW (lpString="|XML|") returned 5
[0202.815] StrStrIW (lpFirst="|showsid|", lpSrch="|XML|") returned 0x0
[0202.815] RtlRestoreLastWin32Error () returned 0x490
[0202.815] RtlRestoreLastWin32Error () returned 0x490
[0202.816] RtlRestoreLastWin32Error () returned 0x0
[0202.816] lstrlenW (lpString="/XML") returned 4
[0202.816] StrChrIW (lpStart="/XML", wMatch=0x3a) returned 0x0
[0202.816] RtlRestoreLastWin32Error () returned 0x490
[0202.816] RtlRestoreLastWin32Error () returned 0x0
[0202.816] lstrlenW (lpString="/XML") returned 4
[0202.816] GetProcessHeap () returned 0x670000
[0202.816] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0xa) returned 0x677418
[0202.816] GetProcessHeap () returned 0x670000
[0202.816] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679360
[0202.816] RtlRestoreLastWin32Error () returned 0x0
[0202.816] RtlRestoreLastWin32Error () returned 0x0
[0202.816] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.816] lstrlenW (lpString="-/") returned 2
[0202.816] StrChrIW (lpStart="-/", wMatch=0x890043) returned 0x0
[0202.816] RtlRestoreLastWin32Error () returned 0x490
[0202.816] RtlRestoreLastWin32Error () returned 0x490
[0202.816] RtlRestoreLastWin32Error () returned 0x0
[0202.816] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.816] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp"
[0202.816] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.816] GetProcessHeap () returned 0x670000
[0202.816] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x677430
[0202.816] _memicmp (_Buf1=0x677430, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.816] GetProcessHeap () returned 0x670000
[0202.816] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0xc) returned 0x677460
[0202.816] GetProcessHeap () returned 0x670000
[0202.816] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x67a9c8
[0202.816] _memicmp (_Buf1=0x67a9c8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x6e) returned 0x6769d8
[0202.817] RtlRestoreLastWin32Error () returned 0x7a
[0202.817] RtlRestoreLastWin32Error () returned 0x0
[0202.817] RtlRestoreLastWin32Error () returned 0x0
[0202.817] lstrlenW (lpString="C") returned 1
[0202.817] RtlRestoreLastWin32Error () returned 0x490
[0202.817] RtlRestoreLastWin32Error () returned 0x0
[0202.817] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x6a) returned 0x676a50
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6796e0
[0202.817] RtlRestoreLastWin32Error () returned 0x0
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676c68) returned 1
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676c68) returned 0x8
[0202.817] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676c68) returned 1
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679580) returned 1
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679580) returned 0x14
[0202.817] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679580) returned 1
[0202.817] GetProcessHeap () returned 0x670000
[0202.817] GetProcessHeap () returned 0x670000
[0202.818] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x678f90) returned 1
[0202.818] GetProcessHeap () returned 0x670000
[0202.818] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x678f90) returned 0x24
[0202.818] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x678f90) returned 1
[0202.818] GetProcessHeap () returned 0x670000
[0202.818] GetProcessHeap () returned 0x670000
[0202.818] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6794c0) returned 1
[0202.818] GetProcessHeap () returned 0x670000
[0202.818] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6794c0) returned 0x14
[0202.818] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6794c0) returned 1
[0202.818] GetProcessHeap () returned 0x670000
[0202.818] GetProcessHeap () returned 0x670000
[0202.818] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677418) returned 1
[0202.818] GetProcessHeap () returned 0x670000
[0202.818] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677418) returned 0xa
[0202.818] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677418) returned 1
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679360) returned 1
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679360) returned 0x14
[0202.819] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679360) returned 1
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676a50) returned 1
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676a50) returned 0x6a
[0202.819] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676a50) returned 1
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6796e0) returned 1
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6796e0) returned 0x14
[0202.819] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6796e0) returned 1
[0202.819] GetProcessHeap () returned 0x670000
[0202.819] GetProcessHeap () returned 0x670000
[0202.820] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6774c0) returned 1
[0202.820] GetProcessHeap () returned 0x670000
[0202.820] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6774c0) returned 0x10
[0202.820] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6774c0) returned 1
[0202.820] RtlRestoreLastWin32Error () returned 0x0
[0202.820] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0202.820] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0202.820] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0202.820] RtlVerifyVersionInfo (VersionInfo=0xdce60, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0202.820] RtlRestoreLastWin32Error () returned 0x0
[0202.820] lstrlenW (lpString="create") returned 6
[0202.821] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0
[0202.821] RtlRestoreLastWin32Error () returned 0x490
[0202.821] RtlRestoreLastWin32Error () returned 0x0
[0202.821] lstrlenW (lpString="create") returned 6
[0202.821] GetProcessHeap () returned 0x670000
[0202.821] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679620
[0202.821] GetProcessHeap () returned 0x670000
[0202.821] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x10) returned 0x67aa58
[0202.821] _memicmp (_Buf1=0x67aa58, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.821] GetProcessHeap () returned 0x670000
[0202.821] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x16) returned 0x679320
[0202.821] RtlRestoreLastWin32Error () returned 0x0
[0202.821] _memicmp (_Buf1=0x677358, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.821] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x678cd8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0202.821] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdcf6c | out: lpdwHandle=0xdcf6c) returned 0x76c
[0202.821] GetProcessHeap () returned 0x670000
[0202.821] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x776) returned 0x679db0
[0202.821] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x679db0 | out: lpData=0x679db0) returned 1
[0202.822] VerQueryValueW (in: pBlock=0x679db0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdcf74, puLen=0xdcf78 | out: lplpBuffer=0xdcf74*=0x67a160, puLen=0xdcf78) returned 1
[0202.822] _memicmp (_Buf1=0x677358, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.822] _vsnwprintf (in: _Buffer=0x678cd8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdcf58 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0202.836] VerQueryValueW (in: pBlock=0x679db0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdcf84, puLen=0xdcf80 | out: lplpBuffer=0xdcf84*=0x679f90, puLen=0xdcf80) returned 1
[0202.836] lstrlenW (lpString="schtasks.exe") returned 12
[0202.836] lstrlenW (lpString="schtasks.exe") returned 12
[0202.836] lstrlenW (lpString=".EXE") returned 4
[0202.836] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0202.836] lstrlenW (lpString="schtasks.exe") returned 12
[0202.836] lstrlenW (lpString=".EXE") returned 4
[0202.836] lstrlenW (lpString="schtasks") returned 8
[0202.836] lstrlenW (lpString="/create") returned 7
[0202.836] _memicmp (_Buf1=0x677358, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.836] _vsnwprintf (in: _Buffer=0x678cd8, _BufferCount=0x19, _Format="%s %s", _ArgList=0xdcf58 | out: _Buffer="schtasks /create") returned 16
[0202.837] _memicmp (_Buf1=0x677388, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.837] GetProcessHeap () returned 0x670000
[0202.837] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x679580
[0202.837] _memicmp (_Buf1=0x6773e8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.837] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x67a790, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0202.837] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0202.837] GetProcessHeap () returned 0x670000
[0202.837] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x30) returned 0x678f90
[0202.837] _vsnwprintf (in: _Buffer=0x678ee8, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdcf5c | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37
[0202.837] GetProcessHeap () returned 0x670000
[0202.837] GetProcessHeap () returned 0x670000
[0202.837] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679db0) returned 1
[0202.837] GetProcessHeap () returned 0x670000
[0202.837] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679db0) returned 0x776
[0202.838] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679db0) returned 1
[0202.838] RtlRestoreLastWin32Error () returned 0x0
[0202.838] GetThreadLocale () returned 0x409
[0202.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.838] lstrlenW (lpString="create") returned 6
[0202.838] GetThreadLocale () returned 0x409
[0202.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.838] lstrlenW (lpString="?") returned 1
[0202.838] GetThreadLocale () returned 0x409
[0202.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.838] lstrlenW (lpString="s") returned 1
[0202.838] GetThreadLocale () returned 0x409
[0202.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.838] lstrlenW (lpString="u") returned 1
[0202.838] GetThreadLocale () returned 0x409
[0202.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.838] lstrlenW (lpString="p") returned 1
[0202.838] GetThreadLocale () returned 0x409
[0202.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="ru") returned 2
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="rp") returned 2
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="sc") returned 2
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="mo") returned 2
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="d") returned 1
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="m") returned 1
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="i") returned 1
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="tn") returned 2
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="tr") returned 2
[0202.839] GetThreadLocale () returned 0x409
[0202.839] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.839] lstrlenW (lpString="st") returned 2
[0202.839] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="sd") returned 2
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="ed") returned 2
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="it") returned 2
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="et") returned 2
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="k") returned 1
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="du") returned 2
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="ri") returned 2
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="z") returned 1
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="f") returned 1
[0202.840] GetThreadLocale () returned 0x409
[0202.840] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.840] lstrlenW (lpString="v1") returned 2
[0202.841] GetThreadLocale () returned 0x409
[0202.841] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.841] lstrlenW (lpString="xml") returned 3
[0202.841] GetThreadLocale () returned 0x409
[0202.841] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.841] lstrlenW (lpString="ec") returned 2
[0202.841] GetThreadLocale () returned 0x409
[0202.841] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.841] lstrlenW (lpString="rl") returned 2
[0202.841] GetThreadLocale () returned 0x409
[0202.841] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.841] lstrlenW (lpString="delay") returned 5
[0202.841] GetThreadLocale () returned 0x409
[0202.841] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.841] lstrlenW (lpString="np") returned 2
[0202.841] GetThreadLocale () returned 0x409
[0202.841] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.841] lstrlenW (lpString="hresult") returned 7
[0202.841] RtlRestoreLastWin32Error () returned 0x0
[0202.841] RtlRestoreLastWin32Error () returned 0x0
[0202.841] lstrlenW (lpString="/Create") returned 7
[0202.841] lstrlenW (lpString="-/") returned 2
[0202.841] StrChrIW (lpStart="-/", wMatch=0x89002f) returned="/"
[0202.841] lstrlenW (lpString="create") returned 6
[0202.841] lstrlenW (lpString="create") returned 6
[0202.841] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.841] lstrlenW (lpString="Create") returned 6
[0202.841] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.842] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0202.842] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|Create|") returned 8
[0202.842] lstrlenW (lpString="|create|") returned 8
[0202.842] lstrlenW (lpString="|Create|") returned 8
[0202.842] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0202.842] RtlRestoreLastWin32Error () returned 0x0
[0202.842] RtlRestoreLastWin32Error () returned 0x0
[0202.842] RtlRestoreLastWin32Error () returned 0x0
[0202.842] lstrlenW (lpString="/TN") returned 3
[0202.842] lstrlenW (lpString="-/") returned 2
[0202.842] StrChrIW (lpStart="-/", wMatch=0x89002f) returned="/"
[0202.842] lstrlenW (lpString="create") returned 6
[0202.842] lstrlenW (lpString="create") returned 6
[0202.842] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.842] lstrlenW (lpString="TN") returned 2
[0202.842] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.842] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0202.842] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.842] lstrlenW (lpString="|create|") returned 8
[0202.842] lstrlenW (lpString="|TN|") returned 4
[0202.842] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0202.842] RtlRestoreLastWin32Error () returned 0x490
[0202.842] lstrlenW (lpString="?") returned 1
[0202.842] lstrlenW (lpString="?") returned 1
[0202.842] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.842] lstrlenW (lpString="TN") returned 2
[0202.843] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.843] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0202.843] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.843] lstrlenW (lpString="|?|") returned 3
[0202.843] lstrlenW (lpString="|TN|") returned 4
[0202.843] RtlRestoreLastWin32Error () returned 0x490
[0202.843] lstrlenW (lpString="s") returned 1
[0202.843] lstrlenW (lpString="s") returned 1
[0202.843] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.843] lstrlenW (lpString="TN") returned 2
[0202.843] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.843] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0202.843] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.843] lstrlenW (lpString="|s|") returned 3
[0202.843] lstrlenW (lpString="|TN|") returned 4
[0202.843] RtlRestoreLastWin32Error () returned 0x490
[0202.843] lstrlenW (lpString="u") returned 1
[0202.843] lstrlenW (lpString="u") returned 1
[0202.843] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.843] lstrlenW (lpString="TN") returned 2
[0202.843] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.843] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0202.843] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.843] lstrlenW (lpString="|u|") returned 3
[0202.844] lstrlenW (lpString="|TN|") returned 4
[0202.844] RtlRestoreLastWin32Error () returned 0x490
[0202.844] lstrlenW (lpString="p") returned 1
[0202.844] lstrlenW (lpString="p") returned 1
[0202.844] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.844] lstrlenW (lpString="TN") returned 2
[0202.844] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.844] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0202.844] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.844] lstrlenW (lpString="|p|") returned 3
[0202.844] lstrlenW (lpString="|TN|") returned 4
[0202.844] RtlRestoreLastWin32Error () returned 0x490
[0202.844] lstrlenW (lpString="ru") returned 2
[0202.844] lstrlenW (lpString="ru") returned 2
[0202.844] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.844] lstrlenW (lpString="TN") returned 2
[0202.844] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.844] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0202.844] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.844] lstrlenW (lpString="|ru|") returned 4
[0202.844] lstrlenW (lpString="|TN|") returned 4
[0202.844] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0
[0202.844] RtlRestoreLastWin32Error () returned 0x490
[0202.844] lstrlenW (lpString="rp") returned 2
[0202.844] lstrlenW (lpString="rp") returned 2
[0202.845] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.845] lstrlenW (lpString="TN") returned 2
[0202.845] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.845] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0202.845] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.845] lstrlenW (lpString="|rp|") returned 4
[0202.845] lstrlenW (lpString="|TN|") returned 4
[0202.845] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0
[0202.845] RtlRestoreLastWin32Error () returned 0x490
[0202.845] lstrlenW (lpString="sc") returned 2
[0202.845] lstrlenW (lpString="sc") returned 2
[0202.845] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.845] lstrlenW (lpString="TN") returned 2
[0202.845] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.845] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0202.845] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.845] lstrlenW (lpString="|sc|") returned 4
[0202.845] lstrlenW (lpString="|TN|") returned 4
[0202.845] StrStrIW (lpFirst="|sc|", lpSrch="|TN|") returned 0x0
[0202.845] RtlRestoreLastWin32Error () returned 0x490
[0202.845] lstrlenW (lpString="mo") returned 2
[0202.845] lstrlenW (lpString="mo") returned 2
[0202.845] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.845] lstrlenW (lpString="TN") returned 2
[0202.845] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.846] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0202.846] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.846] lstrlenW (lpString="|mo|") returned 4
[0202.846] lstrlenW (lpString="|TN|") returned 4
[0202.846] StrStrIW (lpFirst="|mo|", lpSrch="|TN|") returned 0x0
[0202.846] RtlRestoreLastWin32Error () returned 0x490
[0202.846] lstrlenW (lpString="d") returned 1
[0202.846] lstrlenW (lpString="d") returned 1
[0202.846] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.846] lstrlenW (lpString="TN") returned 2
[0202.846] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.846] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0202.846] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.846] lstrlenW (lpString="|d|") returned 3
[0202.846] lstrlenW (lpString="|TN|") returned 4
[0202.846] RtlRestoreLastWin32Error () returned 0x490
[0202.846] lstrlenW (lpString="m") returned 1
[0202.846] lstrlenW (lpString="m") returned 1
[0202.846] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.846] lstrlenW (lpString="TN") returned 2
[0202.846] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.846] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0202.846] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.846] lstrlenW (lpString="|m|") returned 3
[0202.846] lstrlenW (lpString="|TN|") returned 4
[0202.846] RtlRestoreLastWin32Error () returned 0x490
[0202.847] lstrlenW (lpString="i") returned 1
[0202.847] lstrlenW (lpString="i") returned 1
[0202.847] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.847] lstrlenW (lpString="TN") returned 2
[0202.847] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.847] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0202.847] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.847] lstrlenW (lpString="|i|") returned 3
[0202.847] lstrlenW (lpString="|TN|") returned 4
[0202.847] RtlRestoreLastWin32Error () returned 0x490
[0202.847] lstrlenW (lpString="tn") returned 2
[0202.847] lstrlenW (lpString="tn") returned 2
[0202.847] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.847] lstrlenW (lpString="TN") returned 2
[0202.847] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.847] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0202.847] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.847] lstrlenW (lpString="|tn|") returned 4
[0202.847] lstrlenW (lpString="|TN|") returned 4
[0202.847] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|"
[0202.847] RtlRestoreLastWin32Error () returned 0x0
[0202.847] RtlRestoreLastWin32Error () returned 0x0
[0202.847] lstrlenW (lpString="Updates\\RhFYnHFgJ") returned 17
[0202.847] lstrlenW (lpString="-/") returned 2
[0202.847] StrChrIW (lpStart="-/", wMatch=0x890055) returned 0x0
[0202.848] RtlRestoreLastWin32Error () returned 0x490
[0202.848] RtlRestoreLastWin32Error () returned 0x490
[0202.848] RtlRestoreLastWin32Error () returned 0x0
[0202.848] lstrlenW (lpString="Updates\\RhFYnHFgJ") returned 17
[0202.848] StrChrIW (lpStart="Updates\\RhFYnHFgJ", wMatch=0x3a) returned 0x0
[0202.848] RtlRestoreLastWin32Error () returned 0x490
[0202.848] RtlRestoreLastWin32Error () returned 0x0
[0202.848] lstrlenW (lpString="Updates\\RhFYnHFgJ") returned 17
[0202.848] RtlRestoreLastWin32Error () returned 0x0
[0202.848] RtlRestoreLastWin32Error () returned 0x0
[0202.848] lstrlenW (lpString="/XML") returned 4
[0202.848] lstrlenW (lpString="-/") returned 2
[0202.848] StrChrIW (lpStart="-/", wMatch=0x89002f) returned="/"
[0202.848] lstrlenW (lpString="create") returned 6
[0202.848] lstrlenW (lpString="create") returned 6
[0202.848] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.848] lstrlenW (lpString="XML") returned 3
[0202.848] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.848] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0202.848] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.848] lstrlenW (lpString="|create|") returned 8
[0202.848] lstrlenW (lpString="|XML|") returned 5
[0202.848] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0202.848] RtlRestoreLastWin32Error () returned 0x490
[0202.848] lstrlenW (lpString="?") returned 1
[0202.848] lstrlenW (lpString="?") returned 1
[0202.848] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.848] lstrlenW (lpString="XML") returned 3
[0202.849] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.849] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0202.849] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.849] lstrlenW (lpString="|?|") returned 3
[0202.849] lstrlenW (lpString="|XML|") returned 5
[0202.849] RtlRestoreLastWin32Error () returned 0x490
[0202.849] lstrlenW (lpString="s") returned 1
[0202.849] lstrlenW (lpString="s") returned 1
[0202.849] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.849] lstrlenW (lpString="XML") returned 3
[0202.849] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.849] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0202.849] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.849] lstrlenW (lpString="|s|") returned 3
[0202.849] lstrlenW (lpString="|XML|") returned 5
[0202.849] RtlRestoreLastWin32Error () returned 0x490
[0202.849] lstrlenW (lpString="u") returned 1
[0202.849] lstrlenW (lpString="u") returned 1
[0202.849] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.849] lstrlenW (lpString="XML") returned 3
[0202.849] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.849] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0202.849] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.849] lstrlenW (lpString="|u|") returned 3
[0202.850] lstrlenW (lpString="|XML|") returned 5
[0202.850] RtlRestoreLastWin32Error () returned 0x490
[0202.850] lstrlenW (lpString="p") returned 1
[0202.850] lstrlenW (lpString="p") returned 1
[0202.850] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.850] lstrlenW (lpString="XML") returned 3
[0202.850] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.850] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0202.850] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.850] lstrlenW (lpString="|p|") returned 3
[0202.850] lstrlenW (lpString="|XML|") returned 5
[0202.850] RtlRestoreLastWin32Error () returned 0x490
[0202.850] lstrlenW (lpString="ru") returned 2
[0202.850] lstrlenW (lpString="ru") returned 2
[0202.850] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.850] lstrlenW (lpString="XML") returned 3
[0202.850] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.850] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0202.850] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.850] lstrlenW (lpString="|ru|") returned 4
[0202.850] lstrlenW (lpString="|XML|") returned 5
[0202.850] RtlRestoreLastWin32Error () returned 0x490
[0202.850] lstrlenW (lpString="rp") returned 2
[0202.850] lstrlenW (lpString="rp") returned 2
[0202.850] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.851] lstrlenW (lpString="XML") returned 3
[0202.851] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.851] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0202.851] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.851] lstrlenW (lpString="|rp|") returned 4
[0202.851] lstrlenW (lpString="|XML|") returned 5
[0202.851] RtlRestoreLastWin32Error () returned 0x490
[0202.851] lstrlenW (lpString="sc") returned 2
[0202.851] lstrlenW (lpString="sc") returned 2
[0202.851] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.851] lstrlenW (lpString="XML") returned 3
[0202.851] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.851] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0202.851] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.851] lstrlenW (lpString="|sc|") returned 4
[0202.851] lstrlenW (lpString="|XML|") returned 5
[0202.851] RtlRestoreLastWin32Error () returned 0x490
[0202.851] lstrlenW (lpString="mo") returned 2
[0202.851] lstrlenW (lpString="mo") returned 2
[0202.851] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.851] lstrlenW (lpString="XML") returned 3
[0202.851] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.851] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0202.851] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.851] lstrlenW (lpString="|mo|") returned 4
[0202.852] lstrlenW (lpString="|XML|") returned 5
[0202.852] RtlRestoreLastWin32Error () returned 0x490
[0202.852] lstrlenW (lpString="d") returned 1
[0202.852] lstrlenW (lpString="d") returned 1
[0202.852] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.852] lstrlenW (lpString="XML") returned 3
[0202.852] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.852] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0202.852] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.852] lstrlenW (lpString="|d|") returned 3
[0202.852] lstrlenW (lpString="|XML|") returned 5
[0202.852] RtlRestoreLastWin32Error () returned 0x490
[0202.852] lstrlenW (lpString="m") returned 1
[0202.852] lstrlenW (lpString="m") returned 1
[0202.852] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.852] lstrlenW (lpString="XML") returned 3
[0202.852] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.852] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0202.852] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.852] lstrlenW (lpString="|m|") returned 3
[0202.852] lstrlenW (lpString="|XML|") returned 5
[0202.852] RtlRestoreLastWin32Error () returned 0x490
[0202.852] lstrlenW (lpString="i") returned 1
[0202.852] lstrlenW (lpString="i") returned 1
[0202.852] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.853] lstrlenW (lpString="XML") returned 3
[0202.853] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.853] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0202.853] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.853] lstrlenW (lpString="|i|") returned 3
[0202.853] lstrlenW (lpString="|XML|") returned 5
[0202.853] RtlRestoreLastWin32Error () returned 0x490
[0202.853] lstrlenW (lpString="tn") returned 2
[0202.853] lstrlenW (lpString="tn") returned 2
[0202.853] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.853] lstrlenW (lpString="XML") returned 3
[0202.853] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.882] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0202.882] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.882] lstrlenW (lpString="|tn|") returned 4
[0202.882] lstrlenW (lpString="|XML|") returned 5
[0202.882] RtlRestoreLastWin32Error () returned 0x490
[0202.882] lstrlenW (lpString="tr") returned 2
[0202.882] lstrlenW (lpString="tr") returned 2
[0202.882] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.882] lstrlenW (lpString="XML") returned 3
[0202.882] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.882] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0202.882] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.883] lstrlenW (lpString="|tr|") returned 4
[0202.883] lstrlenW (lpString="|XML|") returned 5
[0202.883] RtlRestoreLastWin32Error () returned 0x490
[0202.883] lstrlenW (lpString="st") returned 2
[0202.883] lstrlenW (lpString="st") returned 2
[0202.885] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.885] lstrlenW (lpString="XML") returned 3
[0202.885] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.886] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4
[0202.886] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.886] lstrlenW (lpString="|st|") returned 4
[0202.886] lstrlenW (lpString="|XML|") returned 5
[0202.886] RtlRestoreLastWin32Error () returned 0x490
[0202.886] lstrlenW (lpString="sd") returned 2
[0202.886] lstrlenW (lpString="sd") returned 2
[0202.886] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.886] lstrlenW (lpString="XML") returned 3
[0202.886] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.886] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4
[0202.886] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.886] lstrlenW (lpString="|sd|") returned 4
[0202.886] lstrlenW (lpString="|XML|") returned 5
[0202.886] RtlRestoreLastWin32Error () returned 0x490
[0202.886] lstrlenW (lpString="ed") returned 2
[0202.886] lstrlenW (lpString="ed") returned 2
[0202.886] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.886] lstrlenW (lpString="XML") returned 3
[0202.886] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.886] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4
[0202.886] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.886] lstrlenW (lpString="|ed|") returned 4
[0202.886] lstrlenW (lpString="|XML|") returned 5
[0202.886] RtlRestoreLastWin32Error () returned 0x490
[0202.887] lstrlenW (lpString="it") returned 2
[0202.887] lstrlenW (lpString="it") returned 2
[0202.887] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.887] lstrlenW (lpString="XML") returned 3
[0202.887] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.887] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4
[0202.887] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.887] lstrlenW (lpString="|it|") returned 4
[0202.887] lstrlenW (lpString="|XML|") returned 5
[0202.887] RtlRestoreLastWin32Error () returned 0x490
[0202.887] lstrlenW (lpString="et") returned 2
[0202.887] lstrlenW (lpString="et") returned 2
[0202.887] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.887] lstrlenW (lpString="XML") returned 3
[0202.887] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.887] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4
[0202.887] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.887] lstrlenW (lpString="|et|") returned 4
[0202.887] lstrlenW (lpString="|XML|") returned 5
[0202.887] RtlRestoreLastWin32Error () returned 0x490
[0202.887] lstrlenW (lpString="k") returned 1
[0202.887] lstrlenW (lpString="k") returned 1
[0202.887] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.887] lstrlenW (lpString="XML") returned 3
[0202.887] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.888] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3
[0202.888] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.888] lstrlenW (lpString="|k|") returned 3
[0202.888] lstrlenW (lpString="|XML|") returned 5
[0202.888] RtlRestoreLastWin32Error () returned 0x490
[0202.888] lstrlenW (lpString="du") returned 2
[0202.888] lstrlenW (lpString="du") returned 2
[0202.888] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.888] lstrlenW (lpString="XML") returned 3
[0202.888] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.888] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4
[0202.888] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.888] lstrlenW (lpString="|du|") returned 4
[0202.888] lstrlenW (lpString="|XML|") returned 5
[0202.888] RtlRestoreLastWin32Error () returned 0x490
[0202.888] lstrlenW (lpString="ri") returned 2
[0202.888] lstrlenW (lpString="ri") returned 2
[0202.888] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.888] lstrlenW (lpString="XML") returned 3
[0202.888] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.888] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4
[0202.888] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.888] lstrlenW (lpString="|ri|") returned 4
[0202.888] lstrlenW (lpString="|XML|") returned 5
[0202.888] RtlRestoreLastWin32Error () returned 0x490
[0202.888] lstrlenW (lpString="z") returned 1
[0202.888] lstrlenW (lpString="z") returned 1
[0202.889] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.889] lstrlenW (lpString="XML") returned 3
[0202.889] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.889] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3
[0202.889] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.889] lstrlenW (lpString="|z|") returned 3
[0202.889] lstrlenW (lpString="|XML|") returned 5
[0202.889] RtlRestoreLastWin32Error () returned 0x490
[0202.889] lstrlenW (lpString="f") returned 1
[0202.889] lstrlenW (lpString="f") returned 1
[0202.889] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.889] lstrlenW (lpString="XML") returned 3
[0202.889] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.889] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0202.889] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.889] lstrlenW (lpString="|f|") returned 3
[0202.889] lstrlenW (lpString="|XML|") returned 5
[0202.889] RtlRestoreLastWin32Error () returned 0x490
[0202.889] lstrlenW (lpString="v1") returned 2
[0202.889] lstrlenW (lpString="v1") returned 2
[0202.889] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.889] lstrlenW (lpString="XML") returned 3
[0202.889] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.889] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|v1|") returned 4
[0202.890] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.890] lstrlenW (lpString="|v1|") returned 4
[0202.890] lstrlenW (lpString="|XML|") returned 5
[0202.890] RtlRestoreLastWin32Error () returned 0x490
[0202.890] lstrlenW (lpString="xml") returned 3
[0202.890] lstrlenW (lpString="xml") returned 3
[0202.890] _memicmp (_Buf1=0x677400, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.890] lstrlenW (lpString="XML") returned 3
[0202.890] _memicmp (_Buf1=0x6773b8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.890] _vsnwprintf (in: _Buffer=0x679660, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|xml|") returned 5
[0202.890] _vsnwprintf (in: _Buffer=0x6794a0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.890] lstrlenW (lpString="|xml|") returned 5
[0202.890] lstrlenW (lpString="|XML|") returned 5
[0202.890] StrStrIW (lpFirst="|xml|", lpSrch="|XML|") returned="|xml|"
[0202.890] RtlRestoreLastWin32Error () returned 0x0
[0202.890] RtlRestoreLastWin32Error () returned 0x0
[0202.890] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.890] lstrlenW (lpString="-/") returned 2
[0202.890] StrChrIW (lpStart="-/", wMatch=0x890043) returned 0x0
[0202.890] RtlRestoreLastWin32Error () returned 0x490
[0202.890] RtlRestoreLastWin32Error () returned 0x490
[0202.890] RtlRestoreLastWin32Error () returned 0x0
[0202.890] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.890] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp"
[0202.890] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.890] _memicmp (_Buf1=0x677430, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.890] _memicmp (_Buf1=0x67a9c8, _Buf2=0x1102708, _Size=0x7) returned 0
[0202.891] RtlRestoreLastWin32Error () returned 0x7a
[0202.891] RtlRestoreLastWin32Error () returned 0x0
[0202.891] RtlRestoreLastWin32Error () returned 0x0
[0202.891] lstrlenW (lpString="C") returned 1
[0202.891] RtlRestoreLastWin32Error () returned 0x490
[0202.891] RtlRestoreLastWin32Error () returned 0x0
[0202.891] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.891] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.891] GetProcessHeap () returned 0x670000
[0202.891] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x6a) returned 0x676a50
[0202.891] RtlRestoreLastWin32Error () returned 0x0
[0202.891] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0202.891] RtlRestoreLastWin32Error () returned 0x0
[0202.891] GetProcessHeap () returned 0x670000
[0202.891] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x1fc) returned 0x67ada0
[0202.892] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0202.901] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0202.920] CoCreateInstance (in: rclsid=0x11026c0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x11026d0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xdd39c | out: ppv=0xdd39c*=0x893758) returned 0x0
[0203.627] TaskScheduler:ITaskService:Connect (This=0x893758, serverName=0xdd34c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xdd35c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xdd36c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd37c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0
[0203.688] TaskScheduler:ITaskService:GetFolder (in: This=0x893758, Path=0x0, ppFolder=0xdd464 | out: ppFolder=0xdd464*=0x893880) returned 0x0
[0203.690] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpf9ca.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x5, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x12c
[0203.690] GetFileSizeEx (in: hFile=0x12c, lpFileSize=0xdcd7c | out: lpFileSize=0xdcd7c*=1597) returned 1
[0203.690] ReadFile (in: hFile=0x12c, lpBuffer=0xdcd8c, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0xdcd8c*, lpNumberOfBytesRead=0xdcd88*=0x2, lpOverlapped=0x0) returned 1
[0203.690] SetFilePointer (in: hFile=0x12c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0203.690] malloc (_Size=0x63e) returned 0x8938d0
[0203.690] ReadFile (in: hFile=0x12c, lpBuffer=0x8938d0, nNumberOfBytesToRead=0x63e, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0x8938d0*, lpNumberOfBytesRead=0xdcd88*=0x63d, lpOverlapped=0x0) returned 1
[0203.691] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x8938d0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1598
[0203.691] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x8938d0, cbMultiByte=-1, lpWideCharStr=0x68a774, cchWideChar=1598 | out: lpWideCharStr="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe\n \n \n") returned 1598
[0203.691] SysStringLen (param_1="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe\n \n \n") returned 0x63d
[0203.691] VarBstrCat (in: bstrLeft=0x0, bstrRight="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe\n \n \n", pbstrResult=0xdcd2c | out: pbstrResult=0xdcd2c) returned 0x0
[0203.692] free (_Block=0x8938d0)
[0203.692] CloseHandle (hObject=0x12c) returned 1
[0203.692] lstrlenW (lpString="") returned 0
[0203.693] malloc (_Size=0xc) returned 0x893830
[0203.693] SysStringLen (param_1="") returned 0x0
[0203.693] free (_Block=0x893830)
[0203.693] lstrlenW (lpString="") returned 0
[0203.693] ITaskFolder:RegisterTask (in: This=0x893880, Path="Updates\\RhFYnHFgJ", XmlText="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\RhFYnHFgJ.exe\n \n \n", flags=2, UserId=0xdcd60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), password=0xdcd70*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=0, sddl=0xdcd84*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), ppTask=0xdcde0 | out: ppTask=0xdcde0*=0x8938d0) returned 0x0
[0204.694] GetProcessHeap () returned 0x670000
[0204.694] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x14) returned 0x6857f8
[0204.694] _memicmp (_Buf1=0x6773e8, _Buf2=0x1102708, _Size=0x7) returned 0
[0204.694] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x67a790, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40
[0204.694] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64
[0204.694] GetProcessHeap () returned 0x670000
[0204.694] RtlAllocateHeap (HeapHandle=0x670000, Flags=0xc, Size=0x82) returned 0x6892b8
[0204.694] _vsnwprintf (in: _Buffer=0xdcdf8, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xdcd94 | out: _Buffer="SUCCESS: The scheduled task \"Updates\\RhFYnHFgJ\" has successfully been created.\n") returned 79
[0204.694] __iob_func () returned 0x76b41208
[0204.694] _fileno (_File=0x76b41228) returned 1
[0204.695] _errno () returned 0x8905b0
[0204.695] _get_osfhandle (_FileHandle=1) returned 0x3c
[0204.695] _errno () returned 0x8905b0
[0204.695] GetFileType (hFile=0x3c) returned 0x2
[0204.695] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0204.695] GetFileType (hFile=0x3c) returned 0x2
[0204.695] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdcd68 | out: lpMode=0xdcd68) returned 1
[0204.838] __iob_func () returned 0x76b41208
[0204.838] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0204.838] lstrlenW (lpString="SUCCESS: The scheduled task \"Updates\\RhFYnHFgJ\" has successfully been created.\n") returned 79
[0204.838] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xdcdf8*, nNumberOfCharsToWrite=0x4f, lpNumberOfCharsWritten=0xdcd8c, lpReserved=0x0 | out: lpBuffer=0xdcdf8*, lpNumberOfCharsWritten=0xdcd8c*=0x4f) returned 1
[0204.938] IUnknown:Release (This=0x8938d0) returned 0x0
[0204.938] TaskScheduler:IUnknown:Release (This=0x893880) returned 0x0
[0204.938] TaskScheduler:IUnknown:Release (This=0x893758) returned 0x0
[0204.939] lstrlenW (lpString="") returned 0
[0204.939] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp") returned 52
[0204.939] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpF9CA.tmp", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53
[0204.939] GetProcessHeap () returned 0x670000
[0204.939] GetProcessHeap () returned 0x670000
[0204.939] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x67ada0) returned 1
[0204.939] GetProcessHeap () returned 0x670000
[0204.939] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x67ada0) returned 0x1fc
[0204.941] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67ada0) returned 1
[0204.942] GetProcessHeap () returned 0x670000
[0204.942] GetProcessHeap () returned 0x670000
[0204.942] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676a50) returned 1
[0204.942] GetProcessHeap () returned 0x670000
[0204.942] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676a50) returned 0x6a
[0204.943] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676a50) returned 1
[0204.943] GetProcessHeap () returned 0x670000
[0204.943] GetProcessHeap () returned 0x670000
[0204.943] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679320) returned 1
[0204.943] GetProcessHeap () returned 0x670000
[0204.943] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679320) returned 0x16
[0204.943] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679320) returned 1
[0204.943] GetProcessHeap () returned 0x670000
[0204.943] GetProcessHeap () returned 0x670000
[0204.943] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x67aa58) returned 1
[0204.943] GetProcessHeap () returned 0x670000
[0204.943] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x67aa58) returned 0x10
[0204.943] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67aa58) returned 1
[0204.943] GetProcessHeap () returned 0x670000
[0204.944] GetProcessHeap () returned 0x670000
[0204.944] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679620) returned 1
[0204.944] GetProcessHeap () returned 0x670000
[0204.944] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679620) returned 0x14
[0204.944] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679620) returned 1
[0204.944] GetProcessHeap () returned 0x670000
[0204.944] GetProcessHeap () returned 0x670000
[0204.944] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x678ee8) returned 1
[0204.944] GetProcessHeap () returned 0x670000
[0204.944] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x678ee8) returned 0xa0
[0204.945] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x678ee8) returned 1
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677388) returned 1
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677388) returned 0x10
[0204.945] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677388) returned 1
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6795a0) returned 1
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6795a0) returned 0x14
[0204.945] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6795a0) returned 1
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] GetProcessHeap () returned 0x670000
[0204.945] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6769d8) returned 1
[0204.946] GetProcessHeap () returned 0x670000
[0204.946] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6769d8) returned 0x6e
[0204.946] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6769d8) returned 1
[0204.946] GetProcessHeap () returned 0x670000
[0204.946] GetProcessHeap () returned 0x670000
[0204.946] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x67a9c8) returned 1
[0204.946] GetProcessHeap () returned 0x670000
[0204.946] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x67a9c8) returned 0x10
[0204.946] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67a9c8) returned 1
[0204.946] GetProcessHeap () returned 0x670000
[0204.946] GetProcessHeap () returned 0x670000
[0204.946] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679520) returned 1
[0204.946] GetProcessHeap () returned 0x670000
[0204.946] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679520) returned 0x14
[0204.947] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679520) returned 1
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677460) returned 1
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677460) returned 0xc
[0204.947] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677460) returned 1
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677430) returned 1
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677430) returned 0x10
[0204.947] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677430) returned 1
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679480) returned 1
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679480) returned 0x14
[0204.947] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679480) returned 1
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] GetProcessHeap () returned 0x670000
[0204.947] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x678cd8) returned 1
[0204.948] GetProcessHeap () returned 0x670000
[0204.948] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x678cd8) returned 0x208
[0204.948] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x678cd8) returned 1
[0204.948] GetProcessHeap () returned 0x670000
[0204.948] GetProcessHeap () returned 0x670000
[0204.948] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677358) returned 1
[0204.948] GetProcessHeap () returned 0x670000
[0204.948] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677358) returned 0x10
[0204.948] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677358) returned 1
[0204.948] GetProcessHeap () returned 0x670000
[0204.948] GetProcessHeap () returned 0x670000
[0204.948] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6793a0) returned 1
[0204.948] GetProcessHeap () returned 0x670000
[0204.948] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6793a0) returned 0x14
[0204.949] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6793a0) returned 1
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x67a790) returned 1
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x67a790) returned 0x200
[0204.949] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67a790) returned 1
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6773e8) returned 1
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6773e8) returned 0x10
[0204.949] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6773e8) returned 1
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679640) returned 1
[0204.949] GetProcessHeap () returned 0x670000
[0204.949] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679640) returned 0x14
[0204.950] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679640) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6794a0) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6794a0) returned 0x14
[0204.950] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6794a0) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6773b8) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6773b8) returned 0x10
[0204.950] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6773b8) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x672780) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x672780) returned 0x14
[0204.950] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x672780) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679660) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679660) returned 0x16
[0204.950] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679660) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677400) returned 1
[0204.950] GetProcessHeap () returned 0x670000
[0204.950] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677400) returned 0x10
[0204.950] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677400) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676610) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676610) returned 0x14
[0204.951] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676610) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x670598) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x670598) returned 0x2
[0204.951] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x670598) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676e40) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676e40) returned 0x14
[0204.951] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676e40) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676c08) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676c08) returned 0x14
[0204.951] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676c08) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676c28) returned 1
[0204.951] GetProcessHeap () returned 0x670000
[0204.951] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676c28) returned 0x14
[0204.952] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676c28) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676c48) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676c48) returned 0x14
[0204.952] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676c48) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679420) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679420) returned 0x14
[0204.952] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679420) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679540) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679540) returned 0x14
[0204.952] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679540) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x672588) returned 1
[0204.952] GetProcessHeap () returned 0x670000
[0204.952] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x672588) returned 0x30
[0204.953] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x672588) returned 1
[0204.953] GetProcessHeap () returned 0x670000
[0204.953] GetProcessHeap () returned 0x670000
[0204.953] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679560) returned 1
[0204.953] GetProcessHeap () returned 0x670000
[0204.953] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679560) returned 0x14
[0204.953] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679560) returned 1
[0204.953] GetProcessHeap () returned 0x670000
[0204.953] GetProcessHeap () returned 0x670000
[0204.954] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x678f90) returned 1
[0204.954] GetProcessHeap () returned 0x670000
[0204.954] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x678f90) returned 0x30
[0204.954] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x678f90) returned 1
[0204.954] GetProcessHeap () returned 0x670000
[0204.954] GetProcessHeap () returned 0x670000
[0204.954] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679580) returned 1
[0204.955] GetProcessHeap () returned 0x670000
[0204.955] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679580) returned 0x14
[0204.955] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679580) returned 1
[0204.955] GetProcessHeap () returned 0x670000
[0204.955] GetProcessHeap () returned 0x670000
[0204.955] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6892b8) returned 1
[0204.955] GetProcessHeap () returned 0x670000
[0204.955] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6892b8) returned 0x82
[0204.956] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6892b8) returned 1
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6857f8) returned 1
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6857f8) returned 0x14
[0204.956] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6857f8) returned 1
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677328) returned 1
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677328) returned 0x10
[0204.956] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677328) returned 1
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] GetProcessHeap () returned 0x670000
[0204.956] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676838) returned 1
[0204.957] GetProcessHeap () returned 0x670000
[0204.957] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676838) returned 0x14
[0204.957] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676838) returned 1
[0204.957] GetProcessHeap () returned 0x670000
[0204.957] GetProcessHeap () returned 0x670000
[0204.957] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676858) returned 1
[0204.957] GetProcessHeap () returned 0x670000
[0204.957] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676858) returned 0x14
[0204.957] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676858) returned 1
[0204.957] GetProcessHeap () returned 0x670000
[0204.957] GetProcessHeap () returned 0x670000
[0204.957] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x676878) returned 1
[0204.957] GetProcessHeap () returned 0x670000
[0204.957] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x676878) returned 0x14
[0204.958] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676878) returned 1
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6765d0) returned 1
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6765d0) returned 0x14
[0204.958] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6765d0) returned 1
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6774d8) returned 1
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6774d8) returned 0x10
[0204.958] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6774d8) returned 1
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6765f0) returned 1
[0204.958] GetProcessHeap () returned 0x670000
[0204.958] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6765f0) returned 0x14
[0204.958] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6765f0) returned 1
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6727a0) returned 1
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6727a0) returned 0x14
[0204.959] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6727a0) returned 1
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679460) returned 1
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679460) returned 0x14
[0204.959] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679460) returned 1
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679500) returned 1
[0204.959] GetProcessHeap () returned 0x670000
[0204.959] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679500) returned 0x14
[0204.959] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679500) returned 1
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679600) returned 1
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679600) returned 0x14
[0204.960] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679600) returned 1
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x679400) returned 1
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x679400) returned 0x14
[0204.960] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679400) returned 1
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677340) returned 1
[0204.960] GetProcessHeap () returned 0x670000
[0204.960] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677340) returned 0x10
[0204.961] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677340) returned 1
[0204.961] GetProcessHeap () returned 0x670000
[0204.961] GetProcessHeap () returned 0x670000
[0204.961] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x6727c0) returned 1
[0204.961] GetProcessHeap () returned 0x670000
[0204.961] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x6727c0) returned 0x14
[0204.961] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6727c0) returned 1
[0204.961] GetProcessHeap () returned 0x670000
[0204.961] GetProcessHeap () returned 0x670000
[0204.961] HeapValidate (hHeap=0x670000, dwFlags=0x0, lpMem=0x677310) returned 1
[0204.961] GetProcessHeap () returned 0x670000
[0204.961] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x677310) returned 0x10
[0204.961] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677310) returned 1
[0204.961] exit (_Code=0)
Thread:
id = 25
os_tid = 0x10d0
Process:
id = "5"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x73b74000"
os_pid = "0x858"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "4"
os_parent_pid = "0xe1c"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 646
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 647
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 648
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 649
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 650
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 651
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 652
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 653
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 654
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 655
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 656
start_va = 0x600000
end_va = 0x8cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 657
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 658
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 659
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 660
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 661
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 662
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 663
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 664
start_va = 0x600000
end_va = 0x6bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 665
start_va = 0x7d0000
end_va = 0x8cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007d0000"
filename = ""
Region:
id = 666
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 667
start_va = 0x7ffa0abf0000
end_va = 0x7ffa0ac48fff
monitored = 0
entry_point = 0x7ffa0abffbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 668
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 669
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 670
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 671
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 672
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 673
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 676
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 677
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 678
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 679
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 680
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 681
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 685
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 686
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 687
start_va = 0x8d0000
end_va = 0xa57fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008d0000"
filename = ""
Region:
id = 688
start_va = 0xa60000
end_va = 0xbe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a60000"
filename = ""
Region:
id = 689
start_va = 0xbf0000
end_va = 0x1feffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000bf0000"
filename = ""
Region:
id = 690
start_va = 0x1ff0000
end_va = 0x21affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ff0000"
filename = ""
Region:
id = 692
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 693
start_va = 0x6b0000
end_va = 0x6bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006b0000"
filename = ""
Region:
id = 694
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 695
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 696
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 697
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 698
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 699
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 700
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 701
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 702
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 706
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 707
start_va = 0x6c0000
end_va = 0x76ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006c0000"
filename = ""
Region:
id = 713
start_va = 0x21b0000
end_va = 0x24e6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 714
start_va = 0x24f0000
end_va = 0x270cfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 715
start_va = 0x2710000
end_va = 0x292afff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002710000"
filename = ""
Region:
id = 716
start_va = 0x1ff0000
end_va = 0x20fefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ff0000"
filename = ""
Region:
id = 717
start_va = 0x21a0000
end_va = 0x21affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021a0000"
filename = ""
Region:
id = 718
start_va = 0x2930000
end_va = 0x2b4dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002930000"
filename = ""
Region:
id = 719
start_va = 0x2b50000
end_va = 0x2c58fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b50000"
filename = ""
Region:
id = 723
start_va = 0x640000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 724
start_va = 0x7ffa14a40000
end_va = 0x7ffa14b99fff
monitored = 0
entry_point = 0x7ffa14a838e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 725
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 726
start_va = 0x2c60000
end_va = 0x2d1bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002c60000"
filename = ""
Region:
id = 727
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 728
start_va = 0x7ffa10610000
end_va = 0x7ffa10631fff
monitored = 0
entry_point = 0x7ffa10611a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 734
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 735
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 736
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 737
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 738
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 739
start_va = 0x1d0000
end_va = 0x1d4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 741
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 742
start_va = 0x1f0000
end_va = 0x1f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 743
start_va = 0x7ffa080f0000
end_va = 0x7ffa08363fff
monitored = 0
entry_point = 0x7ffa08160400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 744
start_va = 0x680000
end_va = 0x680fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 745
start_va = 0x690000
end_va = 0x691fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000690000"
filename = ""
Thread:
id = 19
os_tid = 0x3fc
Thread:
id = 20
os_tid = 0x848
Thread:
id = 21
os_tid = 0x488
Thread:
id = 23
os_tid = 0xe48
Process:
id = "6"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x75956000"
os_pid = "0x360"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "4"
os_parent_pid = "0x214"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000abff" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 813
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 814
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 815
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 816
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 817
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 818
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 819
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 820
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 821
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 822
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 823
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 824
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 825
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 826
start_va = 0x400000
end_va = 0x400fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 827
start_va = 0x410000
end_va = 0x410fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000410000"
filename = ""
Region:
id = 828
start_va = 0x420000
end_va = 0x421fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "dosvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui")
Region:
id = 829
start_va = 0x430000
end_va = 0x434fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll")
Region:
id = 830
start_va = 0x440000
end_va = 0x44ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui")
Region:
id = 831
start_va = 0x460000
end_va = 0x460fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "usocore.dll.mui"
filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui")
Region:
id = 832
start_va = 0x470000
end_va = 0x472fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mswsock.dll.mui"
filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui")
Region:
id = 833
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 834
start_va = 0x540000
end_va = 0x546fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 835
start_va = 0x550000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 836
start_va = 0x5d0000
end_va = 0x5d6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 837
start_va = 0x5e0000
end_va = 0x5e1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005e0000"
filename = ""
Region:
id = 838
start_va = 0x5f0000
end_va = 0x5f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005f0000"
filename = ""
Region:
id = 839
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 840
start_va = 0x700000
end_va = 0x887fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000700000"
filename = ""
Region:
id = 841
start_va = 0x890000
end_va = 0x890fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000890000"
filename = ""
Region:
id = 842
start_va = 0x8a0000
end_va = 0x8a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008a0000"
filename = ""
Region:
id = 843
start_va = 0x8b0000
end_va = 0x8bcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 844
start_va = 0x8c0000
end_va = 0x8c1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Region:
id = 845
start_va = 0x8d0000
end_va = 0x8d9fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "crypt32.dll.mui"
filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui")
Region:
id = 846
start_va = 0x8e0000
end_va = 0x8e3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 847
start_va = 0x8f0000
end_va = 0x8f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008f0000"
filename = ""
Region:
id = 848
start_va = 0x900000
end_va = 0x9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 849
start_va = 0xa00000
end_va = 0xb80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a00000"
filename = ""
Region:
id = 850
start_va = 0xb90000
end_va = 0xc8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b90000"
filename = ""
Region:
id = 851
start_va = 0xc90000
end_va = 0xc93fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 852
start_va = 0xca0000
end_va = 0xcb0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 853
start_va = 0xcc0000
end_va = 0xcc6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000cc0000"
filename = ""
Region:
id = 854
start_va = 0xcd0000
end_va = 0xd14fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 855
start_va = 0xd20000
end_va = 0xd2cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "iphlpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui")
Region:
id = 856
start_va = 0xd30000
end_va = 0xd36fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d30000"
filename = ""
Region:
id = 857
start_va = 0xdc0000
end_va = 0xdc8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vsstrace.dll.mui"
filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui")
Region:
id = 858
start_va = 0xdd0000
end_va = 0xdd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000dd0000"
filename = ""
Region:
id = 859
start_va = 0xde0000
end_va = 0xde1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "activeds.dll.mui"
filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui")
Region:
id = 860
start_va = 0xdf0000
end_va = 0xdf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000df0000"
filename = ""
Region:
id = 861
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 862
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 863
start_va = 0x1000000
end_va = 0x1336fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 864
start_va = 0x1340000
end_va = 0x143ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001340000"
filename = ""
Region:
id = 865
start_va = 0x1440000
end_va = 0x153ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001440000"
filename = ""
Region:
id = 866
start_va = 0x1540000
end_va = 0x15bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001540000"
filename = ""
Region:
id = 867
start_va = 0x15c0000
end_va = 0x15c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000015c0000"
filename = ""
Region:
id = 868
start_va = 0x15d0000
end_va = 0x15e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1256.nls"
filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls")
Region:
id = 869
start_va = 0x1600000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001600000"
filename = ""
Region:
id = 870
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 871
start_va = 0x1800000
end_va = 0x18dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 872
start_va = 0x18e0000
end_va = 0x18f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1251.nls"
filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls")
Region:
id = 873
start_va = 0x1900000
end_va = 0x19fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001900000"
filename = ""
Region:
id = 874
start_va = 0x1a00000
end_va = 0x1a10fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1254.nls"
filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls")
Region:
id = 875
start_va = 0x1a20000
end_va = 0x1a30fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1250.nls"
filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls")
Region:
id = 876
start_va = 0x1a40000
end_va = 0x1a50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1253.nls"
filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls")
Region:
id = 877
start_va = 0x1a60000
end_va = 0x1a70fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1257.nls"
filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls")
Region:
id = 878
start_va = 0x1a80000
end_va = 0x1b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a80000"
filename = ""
Region:
id = 879
start_va = 0x1b80000
end_va = 0x1c7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b80000"
filename = ""
Region:
id = 880
start_va = 0x1c80000
end_va = 0x1c90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1255.nls"
filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")
Region:
id = 881
start_va = 0x1ca0000
end_va = 0x1cc7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_932.nls"
filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls")
Region:
id = 882
start_va = 0x1cd0000
end_va = 0x1d00fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_949.nls"
filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls")
Region:
id = 883
start_va = 0x1d10000
end_va = 0x1d20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_874.nls"
filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls")
Region:
id = 884
start_va = 0x1d30000
end_va = 0x1d40fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1258.nls"
filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls")
Region:
id = 885
start_va = 0x1d80000
end_va = 0x1e7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d80000"
filename = ""
Region:
id = 886
start_va = 0x1e80000
end_va = 0x1f7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e80000"
filename = ""
Region:
id = 887
start_va = 0x1f80000
end_va = 0x207ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 888
start_va = 0x2080000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002080000"
filename = ""
Region:
id = 889
start_va = 0x2180000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 890
start_va = 0x2280000
end_va = 0x237ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 891
start_va = 0x2380000
end_va = 0x247ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002380000"
filename = ""
Region:
id = 892
start_va = 0x2480000
end_va = 0x24b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_936.nls"
filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls")
Region:
id = 893
start_va = 0x24c0000
end_va = 0x24f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_950.nls"
filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls")
Region:
id = 894
start_va = 0x2500000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 895
start_va = 0x2600000
end_va = 0x26fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 896
start_va = 0x2700000
end_va = 0x27fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002700000"
filename = ""
Region:
id = 897
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 898
start_va = 0x2900000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 899
start_va = 0x2a00000
end_va = 0x2afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 900
start_va = 0x2b00000
end_va = 0x2bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 901
start_va = 0x2c00000
end_va = 0x2c8dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 902
start_va = 0x2c90000
end_va = 0x2d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c90000"
filename = ""
Region:
id = 903
start_va = 0x2d10000
end_va = 0x2e0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d10000"
filename = ""
Region:
id = 904
start_va = 0x2e10000
end_va = 0x2f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e10000"
filename = ""
Region:
id = 905
start_va = 0x2f80000
end_va = 0x2f86fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002f80000"
filename = ""
Region:
id = 906
start_va = 0x3000000
end_va = 0x30fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003000000"
filename = ""
Region:
id = 907
start_va = 0x3100000
end_va = 0x317ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003100000"
filename = ""
Region:
id = 908
start_va = 0x3190000
end_va = 0x328ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003190000"
filename = ""
Region:
id = 909
start_va = 0x3290000
end_va = 0x330ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003290000"
filename = ""
Region:
id = 910
start_va = 0x3310000
end_va = 0x338ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003310000"
filename = ""
Region:
id = 911
start_va = 0x3390000
end_va = 0x3396fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003390000"
filename = ""
Region:
id = 912
start_va = 0x33a0000
end_va = 0x349ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000033a0000"
filename = ""
Region:
id = 913
start_va = 0x34a0000
end_va = 0x351ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000034a0000"
filename = ""
Region:
id = 914
start_va = 0x3570000
end_va = 0x35effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003570000"
filename = ""
Region:
id = 915
start_va = 0x35f0000
end_va = 0x36effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000035f0000"
filename = ""
Region:
id = 916
start_va = 0x3710000
end_va = 0x3716fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003710000"
filename = ""
Region:
id = 917
start_va = 0x3770000
end_va = 0x386ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003770000"
filename = ""
Region:
id = 918
start_va = 0x3870000
end_va = 0x38effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003870000"
filename = ""
Region:
id = 919
start_va = 0x3900000
end_va = 0x39fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003900000"
filename = ""
Region:
id = 920
start_va = 0x3a00000
end_va = 0x3afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003a00000"
filename = ""
Region:
id = 921
start_va = 0x3b00000
end_va = 0x3bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b00000"
filename = ""
Region:
id = 922
start_va = 0x3c00000
end_va = 0x3c7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003c00000"
filename = ""
Region:
id = 923
start_va = 0x3c80000
end_va = 0x3cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003c80000"
filename = ""
Region:
id = 924
start_va = 0x3d80000
end_va = 0x3dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003d80000"
filename = ""
Region:
id = 925
start_va = 0x3e00000
end_va = 0x3e7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003e00000"
filename = ""
Region:
id = 926
start_va = 0x3e80000
end_va = 0x3efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003e80000"
filename = ""
Region:
id = 927
start_va = 0x3f00000
end_va = 0x3ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003f00000"
filename = ""
Region:
id = 928
start_va = 0x4000000
end_va = 0x40fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004000000"
filename = ""
Region:
id = 929
start_va = 0x4100000
end_va = 0x41fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004100000"
filename = ""
Region:
id = 930
start_va = 0x4200000
end_va = 0x42fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 931
start_va = 0x4300000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 932
start_va = 0x4400000
end_va = 0x44fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004400000"
filename = ""
Region:
id = 933
start_va = 0x4500000
end_va = 0x45fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004500000"
filename = ""
Region:
id = 934
start_va = 0x4600000
end_va = 0x46fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 935
start_va = 0x4700000
end_va = 0x47fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004700000"
filename = ""
Region:
id = 936
start_va = 0x4800000
end_va = 0x48fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 937
start_va = 0x4900000
end_va = 0x49fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004900000"
filename = ""
Region:
id = 938
start_va = 0x4a00000
end_va = 0x4afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a00000"
filename = ""
Region:
id = 939
start_va = 0x4b60000
end_va = 0x4b66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b60000"
filename = ""
Region:
id = 940
start_va = 0x4c00000
end_va = 0x4cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c00000"
filename = ""
Region:
id = 941
start_va = 0x4d00000
end_va = 0x4dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004d00000"
filename = ""
Region:
id = 942
start_va = 0x4e00000
end_va = 0x4efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e00000"
filename = ""
Region:
id = 943
start_va = 0x4f00000
end_va = 0x4ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004f00000"
filename = ""
Region:
id = 944
start_va = 0x5200000
end_va = 0x52fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005200000"
filename = ""
Region:
id = 945
start_va = 0x5400000
end_va = 0x54fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005400000"
filename = ""
Region:
id = 946
start_va = 0x5500000
end_va = 0x55fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005500000"
filename = ""
Region:
id = 947
start_va = 0x5600000
end_va = 0x56fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005600000"
filename = ""
Region:
id = 948
start_va = 0x5700000
end_va = 0x57fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005700000"
filename = ""
Region:
id = 949
start_va = 0x5800000
end_va = 0x58fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005800000"
filename = ""
Region:
id = 950
start_va = 0x5900000
end_va = 0x59fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005900000"
filename = ""
Region:
id = 951
start_va = 0x5a00000
end_va = 0x5afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a00000"
filename = ""
Region:
id = 952
start_va = 0x5b00000
end_va = 0x5bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b00000"
filename = ""
Region:
id = 953
start_va = 0x5c00000
end_va = 0x5cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005c00000"
filename = ""
Region:
id = 954
start_va = 0x5d00000
end_va = 0x5dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005d00000"
filename = ""
Region:
id = 955
start_va = 0x5e00000
end_va = 0x5efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005e00000"
filename = ""
Region:
id = 956
start_va = 0x5f00000
end_va = 0x5ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f00000"
filename = ""
Region:
id = 957
start_va = 0x6000000
end_va = 0x60fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006000000"
filename = ""
Region:
id = 958
start_va = 0x6100000
end_va = 0x61fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006100000"
filename = ""
Region:
id = 959
start_va = 0x6200000
end_va = 0x62fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006200000"
filename = ""
Region:
id = 960
start_va = 0x6300000
end_va = 0x63fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006300000"
filename = ""
Region:
id = 961
start_va = 0x6400000
end_va = 0x64fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006400000"
filename = ""
Region:
id = 962
start_va = 0x6500000
end_va = 0x65fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006500000"
filename = ""
Region:
id = 963
start_va = 0x6600000
end_va = 0x66fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006600000"
filename = ""
Region:
id = 964
start_va = 0x6700000
end_va = 0x67fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006700000"
filename = ""
Region:
id = 965
start_va = 0x6800000
end_va = 0x68fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006800000"
filename = ""
Region:
id = 966
start_va = 0x6e00000
end_va = 0x6efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006e00000"
filename = ""
Region:
id = 967
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 968
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 969
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 970
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 971
start_va = 0x7ff681250000
end_va = 0x7ff68125cfff
monitored = 0
entry_point = 0x7ff681253980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 972
start_va = 0x7ff9fbb00000
end_va = 0x7ff9fbb07fff
monitored = 0
entry_point = 0x7ff9fbb013b0
region_type = mapped_file
name = "dmiso8601utils.dll"
filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll")
Region:
id = 973
start_va = 0x7ff9fbd90000
end_va = 0x7ff9fbda6fff
monitored = 0
entry_point = 0x7ff9fbd97520
region_type = mapped_file
name = "usoapi.dll"
filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll")
Region:
id = 974
start_va = 0x7ff9fbdb0000
end_va = 0x7ff9fbe84fff
monitored = 0
entry_point = 0x7ff9fbdccf80
region_type = mapped_file
name = "wuapi.dll"
filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll")
Region:
id = 975
start_va = 0x7ff9fc400000
end_va = 0x7ff9fc6affff
monitored = 0
entry_point = 0x7ff9fc401cf0
region_type = mapped_file
name = "netshell.dll"
filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll")
Region:
id = 976
start_va = 0x7ff9fde70000
end_va = 0x7ff9fdeb3fff
monitored = 0
entry_point = 0x7ff9fde983e0
region_type = mapped_file
name = "updatehandlers.dll"
filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll")
Region:
id = 977
start_va = 0x7ff9fdec0000
end_va = 0x7ff9fdee1fff
monitored = 0
entry_point = 0x7ff9fded2540
region_type = mapped_file
name = "updatepolicy.dll"
filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll")
Region:
id = 978
start_va = 0x7ff9ff7c0000
end_va = 0x7ff9ff7dcfff
monitored = 0
entry_point = 0x7ff9ff7c4f60
region_type = mapped_file
name = "appinfo.dll"
filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll")
Region:
id = 979
start_va = 0x7ff9ff880000
end_va = 0x7ff9ff890fff
monitored = 0
entry_point = 0x7ff9ff8828d0
region_type = mapped_file
name = "credentialmigrationhandler.dll"
filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")
Region:
id = 980
start_va = 0x7ff9ff8a0000
end_va = 0x7ff9ff8d1fff
monitored = 0
entry_point = 0x7ff9ff8ab0c0
region_type = mapped_file
name = "shacct.dll"
filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")
Region:
id = 981
start_va = 0x7ff9ff8e0000
end_va = 0x7ff9ff91efff
monitored = 0
entry_point = 0x7ff9ff9082d0
region_type = mapped_file
name = "tcpipcfg.dll"
filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll")
Region:
id = 982
start_va = 0x7ff9ffa20000
end_va = 0x7ff9ffa86fff
monitored = 0
entry_point = 0x7ff9ffa2b160
region_type = mapped_file
name = "upnp.dll"
filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll")
Region:
id = 983
start_va = 0x7ff9ffa90000
end_va = 0x7ff9ffb0ffff
monitored = 0
entry_point = 0x7ff9ffabd280
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 984
start_va = 0x7ff9ffbc0000
end_va = 0x7ff9ffbf5fff
monitored = 0
entry_point = 0x7ff9ffbc27f0
region_type = mapped_file
name = "windows.networking.hostname.dll"
filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll")
Region:
id = 985
start_va = 0x7ff9ffd30000
end_va = 0x7ff9ffd8cfff
monitored = 0
entry_point = 0x7ff9ffd5e510
region_type = mapped_file
name = "usocore.dll"
filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll")
Region:
id = 986
start_va = 0x7ff9ffd90000
end_va = 0x7ff9ffe9efff
monitored = 0
entry_point = 0x7ff9ffdcc010
region_type = mapped_file
name = "dosvc.dll"
filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll")
Region:
id = 987
start_va = 0x7ffa00360000
end_va = 0x7ffa0047cfff
monitored = 0
entry_point = 0x7ffa0038fe60
region_type = mapped_file
name = "qmgr.dll"
filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll")
Region:
id = 988
start_va = 0x7ffa01270000
end_va = 0x7ffa01287fff
monitored = 0
entry_point = 0x7ffa01271b10
region_type = mapped_file
name = "locationframeworkinternalps.dll"
filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll")
Region:
id = 989
start_va = 0x7ffa01690000
end_va = 0x7ffa016a3fff
monitored = 0
entry_point = 0x7ffa01693710
region_type = mapped_file
name = "mskeyprotect.dll"
filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll")
Region:
id = 990
start_va = 0x7ffa01740000
end_va = 0x7ffa0175dfff
monitored = 0
entry_point = 0x7ffa0174ef80
region_type = mapped_file
name = "ncryptsslp.dll"
filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll")
Region:
id = 991
start_va = 0x7ffa04070000
end_va = 0x7ffa04087fff
monitored = 0
entry_point = 0x7ffa0407b850
region_type = mapped_file
name = "dmcmnutils.dll"
filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll")
Region:
id = 992
start_va = 0x7ffa06940000
end_va = 0x7ffa06951fff
monitored = 0
entry_point = 0x7ffa06941a80
region_type = mapped_file
name = "bitsproxy.dll"
filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll")
Region:
id = 993
start_va = 0x7ffa069a0000
end_va = 0x7ffa069b5fff
monitored = 0
entry_point = 0x7ffa069a1d50
region_type = mapped_file
name = "wwapi.dll"
filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll")
Region:
id = 994
start_va = 0x7ffa07a20000
end_va = 0x7ffa07a30fff
monitored = 0
entry_point = 0x7ffa07a27480
region_type = mapped_file
name = "tetheringclient.dll"
filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll")
Region:
id = 995
start_va = 0x7ffa07a40000
end_va = 0x7ffa07ac3fff
monitored = 0
entry_point = 0x7ffa07a58d50
region_type = mapped_file
name = "wbemess.dll"
filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")
Region:
id = 996
start_va = 0x7ffa07ad0000
end_va = 0x7ffa07ae5fff
monitored = 0
entry_point = 0x7ffa07ad55e0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 997
start_va = 0x7ffa07af0000
end_va = 0x7ffa07bc5fff
monitored = 0
entry_point = 0x7ffa07b1a800
region_type = mapped_file
name = "wmiprvsd.dll"
filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")
Region:
id = 998
start_va = 0x7ffa07c20000
end_va = 0x7ffa07c83fff
monitored = 0
entry_point = 0x7ffa07c3bed0
region_type = mapped_file
name = "repdrvfs.dll"
filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")
Region:
id = 999
start_va = 0x7ffa07c90000
end_va = 0x7ffa07cb4fff
monitored = 0
entry_point = 0x7ffa07c99900
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 1000
start_va = 0x7ffa07cc0000
end_va = 0x7ffa07cd3fff
monitored = 0
entry_point = 0x7ffa07cc1800
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 1001
start_va = 0x7ffa07ce0000
end_va = 0x7ffa07dd5fff
monitored = 0
entry_point = 0x7ffa07d19590
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 1002
start_va = 0x7ffa07de0000
end_va = 0x7ffa07e53fff
monitored = 0
entry_point = 0x7ffa07df5eb0
region_type = mapped_file
name = "esscli.dll"
filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")
Region:
id = 1003
start_va = 0x7ffa07e60000
end_va = 0x7ffa07f96fff
monitored = 0
entry_point = 0x7ffa07ea0480
region_type = mapped_file
name = "wbemcore.dll"
filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")
Region:
id = 1004
start_va = 0x7ffa08390000
end_va = 0x7ffa083a0fff
monitored = 0
entry_point = 0x7ffa08392fc0
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 1005
start_va = 0x7ffa083b0000
end_va = 0x7ffa083cdfff
monitored = 0
entry_point = 0x7ffa083b3a40
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")
Region:
id = 1006
start_va = 0x7ffa083d0000
end_va = 0x7ffa08451fff
monitored = 0
entry_point = 0x7ffa083d2a10
region_type = mapped_file
name = "hnetcfg.dll"
filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll")
Region:
id = 1007
start_va = 0x7ffa08460000
end_va = 0x7ffa08475fff
monitored = 0
entry_point = 0x7ffa08461af0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 1008
start_va = 0x7ffa08480000
end_va = 0x7ffa08499fff
monitored = 0
entry_point = 0x7ffa08482330
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 1009
start_va = 0x7ffa088d0000
end_va = 0x7ffa08915fff
monitored = 0
entry_point = 0x7ffa088d79a0
region_type = mapped_file
name = "adsldp.dll"
filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll")
Region:
id = 1010
start_va = 0x7ffa08940000
end_va = 0x7ffa0894efff
monitored = 0
entry_point = 0x7ffa08944960
region_type = mapped_file
name = "nci.dll"
filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")
Region:
id = 1011
start_va = 0x7ffa08a00000
end_va = 0x7ffa08a0bfff
monitored = 0
entry_point = 0x7ffa08a035c0
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 1012
start_va = 0x7ffa08a10000
end_va = 0x7ffa08a4ffff
monitored = 0
entry_point = 0x7ffa08a1cbe0
region_type = mapped_file
name = "adsldpc.dll"
filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll")
Region:
id = 1013
start_va = 0x7ffa08a50000
end_va = 0x7ffa08a96fff
monitored = 0
entry_point = 0x7ffa08a51d10
region_type = mapped_file
name = "activeds.dll"
filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll")
Region:
id = 1014
start_va = 0x7ffa08ae0000
end_va = 0x7ffa08b21fff
monitored = 0
entry_point = 0x7ffa08ae3670
region_type = mapped_file
name = "wdscore.dll"
filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")
Region:
id = 1015
start_va = 0x7ffa08e00000
end_va = 0x7ffa08e1efff
monitored = 0
entry_point = 0x7ffa08e037e0
region_type = mapped_file
name = "netsetupapi.dll"
filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll")
Region:
id = 1016
start_va = 0x7ffa08e20000
end_va = 0x7ffa08e98fff
monitored = 0
entry_point = 0x7ffa08e276a0
region_type = mapped_file
name = "netsetupshim.dll"
filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll")
Region:
id = 1017
start_va = 0x7ffa08eb0000
end_va = 0x7ffa08eeffff
monitored = 0
entry_point = 0x7ffa08ec6c60
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 1018
start_va = 0x7ffa08f10000
end_va = 0x7ffa08f27fff
monitored = 0
entry_point = 0x7ffa08f14e10
region_type = mapped_file
name = "adhsvc.dll"
filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll")
Region:
id = 1019
start_va = 0x7ffa08f30000
end_va = 0x7ffa08f54fff
monitored = 0
entry_point = 0x7ffa08f35ca0
region_type = mapped_file
name = "httpprxm.dll"
filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll")
Region:
id = 1020
start_va = 0x7ffa08f60000
end_va = 0x7ffa090e1fff
monitored = 0
entry_point = 0x7ffa08f782a0
region_type = mapped_file
name = "vssapi.dll"
filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")
Region:
id = 1021
start_va = 0x7ffa090f0000
end_va = 0x7ffa09192fff
monitored = 0
entry_point = 0x7ffa090f2c10
region_type = mapped_file
name = "clusapi.dll"
filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")
Region:
id = 1022
start_va = 0x7ffa091a0000
end_va = 0x7ffa091f1fff
monitored = 0
entry_point = 0x7ffa091a5770
region_type = mapped_file
name = "resutils.dll"
filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")
Region:
id = 1023
start_va = 0x7ffa09200000
end_va = 0x7ffa0922dfff
monitored = 1
entry_point = 0x7ffa09202300
region_type = mapped_file
name = "wmidcom.dll"
filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll")
Region:
id = 1024
start_va = 0x7ffa09230000
end_va = 0x7ffa0928dfff
monitored = 0
entry_point = 0x7ffa09235080
region_type = mapped_file
name = "miutils.dll"
filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll")
Region:
id = 1025
start_va = 0x7ffa09290000
end_va = 0x7ffa092affff
monitored = 0
entry_point = 0x7ffa09291f50
region_type = mapped_file
name = "mi.dll"
filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll")
Region:
id = 1026
start_va = 0x7ffa092b0000
end_va = 0x7ffa092b8fff
monitored = 0
entry_point = 0x7ffa092b18f0
region_type = mapped_file
name = "sscoreext.dll"
filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll")
Region:
id = 1027
start_va = 0x7ffa092c0000
end_va = 0x7ffa092d0fff
monitored = 0
entry_point = 0x7ffa092c1d30
region_type = mapped_file
name = "sscore.dll"
filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")
Region:
id = 1028
start_va = 0x7ffa09330000
end_va = 0x7ffa09347fff
monitored = 0
entry_point = 0x7ffa09332000
region_type = mapped_file
name = "vsstrace.dll"
filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")
Region:
id = 1029
start_va = 0x7ffa09350000
end_va = 0x7ffa09390fff
monitored = 0
entry_point = 0x7ffa09353750
region_type = mapped_file
name = "sqmapi.dll"
filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")
Region:
id = 1030
start_va = 0x7ffa09430000
end_va = 0x7ffa0947bfff
monitored = 0
entry_point = 0x7ffa09445310
region_type = mapped_file
name = "srvsvc.dll"
filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")
Region:
id = 1031
start_va = 0x7ffa09490000
end_va = 0x7ffa0950efff
monitored = 0
entry_point = 0x7ffa094a7110
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")
Region:
id = 1032
start_va = 0x7ffa09510000
end_va = 0x7ffa0954bfff
monitored = 0
entry_point = 0x7ffa09516aa0
region_type = mapped_file
name = "wmisvc.dll"
filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")
Region:
id = 1033
start_va = 0x7ffa09c80000
end_va = 0x7ffa09c88fff
monitored = 0
entry_point = 0x7ffa09c821d0
region_type = mapped_file
name = "httpprxc.dll"
filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll")
Region:
id = 1034
start_va = 0x7ffa09c90000
end_va = 0x7ffa09cc4fff
monitored = 0
entry_point = 0x7ffa09c9a270
region_type = mapped_file
name = "fwpolicyiomgr.dll"
filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll")
Region:
id = 1035
start_va = 0x7ffa0a560000
end_va = 0x7ffa0a652fff
monitored = 0
entry_point = 0x7ffa0a585d80
region_type = mapped_file
name = "iphlpsvc.dll"
filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")
Region:
id = 1036
start_va = 0x7ffa0ac50000
end_va = 0x7ffa0ac59fff
monitored = 0
entry_point = 0x7ffa0ac514c0
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1037
start_va = 0x7ffa0afc0000
end_va = 0x7ffa0afd1fff
monitored = 0
entry_point = 0x7ffa0afc3580
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 1038
start_va = 0x7ffa0b050000
end_va = 0x7ffa0b06afff
monitored = 0
entry_point = 0x7ffa0b051040
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 1039
start_va = 0x7ffa0b300000
end_va = 0x7ffa0b314fff
monitored = 0
entry_point = 0x7ffa0b302dc0
region_type = mapped_file
name = "ondemandconnroutehelper.dll"
filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll")
Region:
id = 1040
start_va = 0x7ffa0b320000
end_va = 0x7ffa0b32dfff
monitored = 0
entry_point = 0x7ffa0b321460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1041
start_va = 0x7ffa0b330000
end_va = 0x7ffa0b33bfff
monitored = 0
entry_point = 0x7ffa0b332830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 1042
start_va = 0x7ffa0b340000
end_va = 0x7ffa0b34ffff
monitored = 0
entry_point = 0x7ffa0b341700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 1043
start_va = 0x7ffa0b350000
end_va = 0x7ffa0b358fff
monitored = 0
entry_point = 0x7ffa0b351ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 1044
start_va = 0x7ffa0b360000
end_va = 0x7ffa0b38cfff
monitored = 0
entry_point = 0x7ffa0b362290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 1045
start_va = 0x7ffa0b390000
end_va = 0x7ffa0b3e1fff
monitored = 0
entry_point = 0x7ffa0b3938e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 1046
start_va = 0x7ffa0b4a0000
end_va = 0x7ffa0b4b4fff
monitored = 0
entry_point = 0x7ffa0b4a3460
region_type = mapped_file
name = "ssdpapi.dll"
filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll")
Region:
id = 1047
start_va = 0x7ffa0b4c0000
end_va = 0x7ffa0b559fff
monitored = 0
entry_point = 0x7ffa0b4dada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1048
start_va = 0x7ffa0b640000
end_va = 0x7ffa0b6a6fff
monitored = 0
entry_point = 0x7ffa0b6463e0
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1049
start_va = 0x7ffa0b7a0000
end_va = 0x7ffa0b7aafff
monitored = 0
entry_point = 0x7ffa0b7a1d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1050
start_va = 0x7ffa0b800000
end_va = 0x7ffa0b8bffff
monitored = 0
entry_point = 0x7ffa0b82fd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1051
start_va = 0x7ffa0b9f0000
end_va = 0x7ffa0ba09fff
monitored = 0
entry_point = 0x7ffa0b9f2430
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1052
start_va = 0x7ffa0ba10000
end_va = 0x7ffa0ba25fff
monitored = 0
entry_point = 0x7ffa0ba119f0
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1053
start_va = 0x7ffa0baf0000
end_va = 0x7ffa0bb27fff
monitored = 0
entry_point = 0x7ffa0bb08cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1054
start_va = 0x7ffa0bbe0000
end_va = 0x7ffa0bc8dfff
monitored = 0
entry_point = 0x7ffa0bbf80c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 1055
start_va = 0x7ffa0bc90000
end_va = 0x7ffa0bca1fff
monitored = 0
entry_point = 0x7ffa0bc99260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 1056
start_va = 0x7ffa0bcb0000
end_va = 0x7ffa0bd60fff
monitored = 0
entry_point = 0x7ffa0bd288b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 1057
start_va = 0x7ffa0bd70000
end_va = 0x7ffa0bd83fff
monitored = 0
entry_point = 0x7ffa0bd72d50
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 1058
start_va = 0x7ffa0c070000
end_va = 0x7ffa0c102fff
monitored = 0
entry_point = 0x7ffa0c079680
region_type = mapped_file
name = "msvcp_win.dll"
filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll")
Region:
id = 1059
start_va = 0x7ffa0c2b0000
end_va = 0x7ffa0c2d4fff
monitored = 0
entry_point = 0x7ffa0c2c2f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 1060
start_va = 0x7ffa0c2e0000
end_va = 0x7ffa0c2f0fff
monitored = 0
entry_point = 0x7ffa0c2e7ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 1061
start_va = 0x7ffa0c300000
end_va = 0x7ffa0c318fff
monitored = 0
entry_point = 0x7ffa0c304520
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 1062
start_va = 0x7ffa0ca80000
end_va = 0x7ffa0ca99fff
monitored = 0
entry_point = 0x7ffa0ca82cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 1063
start_va = 0x7ffa0ce40000
end_va = 0x7ffa0d1c1fff
monitored = 0
entry_point = 0x7ffa0ce91220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1064
start_va = 0x7ffa0e2c0000
end_va = 0x7ffa0e3cdfff
monitored = 0
entry_point = 0x7ffa0e30eaa0
region_type = mapped_file
name = "mrmcorer.dll"
filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll")
Region:
id = 1065
start_va = 0x7ffa0e6d0000
end_va = 0x7ffa0e724fff
monitored = 0
entry_point = 0x7ffa0e6d3fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 1066
start_va = 0x7ffa0e730000
end_va = 0x7ffa0e766fff
monitored = 0
entry_point = 0x7ffa0e736020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 1067
start_va = 0x7ffa0e770000
end_va = 0x7ffa0e78ffff
monitored = 0
entry_point = 0x7ffa0e7739a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 1068
start_va = 0x7ffa0e790000
end_va = 0x7ffa0e7a6fff
monitored = 0
entry_point = 0x7ffa0e795630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1069
start_va = 0x7ffa0e7b0000
end_va = 0x7ffa0e7c2fff
monitored = 0
entry_point = 0x7ffa0e7b57f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1070
start_va = 0x7ffa0e7d0000
end_va = 0x7ffa0e849fff
monitored = 0
entry_point = 0x7ffa0e7f7630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1071
start_va = 0x7ffa0e850000
end_va = 0x7ffa0e87dfff
monitored = 0
entry_point = 0x7ffa0e857550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1072
start_va = 0x7ffa0e880000
end_va = 0x7ffa0e895fff
monitored = 0
entry_point = 0x7ffa0e881b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1073
start_va = 0x7ffa0e8a0000
end_va = 0x7ffa0e903fff
monitored = 0
entry_point = 0x7ffa0e8b5ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1074
start_va = 0x7ffa0ead0000
end_va = 0x7ffa0eb10fff
monitored = 0
entry_point = 0x7ffa0ead4840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 1075
start_va = 0x7ffa0eb20000
end_va = 0x7ffa0eb2bfff
monitored = 0
entry_point = 0x7ffa0eb214d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1076
start_va = 0x7ffa0eb30000
end_va = 0x7ffa0ec65fff
monitored = 0
entry_point = 0x7ffa0eb5f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1077
start_va = 0x7ffa0ec70000
end_va = 0x7ffa0ed55fff
monitored = 0
entry_point = 0x7ffa0ec8cf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 1078
start_va = 0x7ffa0ed60000
end_va = 0x7ffa0ee27fff
monitored = 0
entry_point = 0x7ffa0eda13f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1079
start_va = 0x7ffa0ee30000
end_va = 0x7ffa0ee90fff
monitored = 0
entry_point = 0x7ffa0ee34b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1080
start_va = 0x7ffa0eea0000
end_va = 0x7ffa0f01bfff
monitored = 0
entry_point = 0x7ffa0eef1650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 1081
start_va = 0x7ffa0f020000
end_va = 0x7ffa0f02afff
monitored = 0
entry_point = 0x7ffa0f021770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 1082
start_va = 0x7ffa0f030000
end_va = 0x7ffa0f06dfff
monitored = 0
entry_point = 0x7ffa0f03a050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1083
start_va = 0x7ffa0f070000
end_va = 0x7ffa0f096fff
monitored = 0
entry_point = 0x7ffa0f073bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 1084
start_va = 0x7ffa0f0a0000
end_va = 0x7ffa0f0e9fff
monitored = 0
entry_point = 0x7ffa0f0aac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 1085
start_va = 0x7ffa0f0f0000
end_va = 0x7ffa0f144fff
monitored = 0
entry_point = 0x7ffa0f0ffc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1086
start_va = 0x7ffa0f190000
end_va = 0x7ffa0f221fff
monitored = 0
entry_point = 0x7ffa0f1da780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1087
start_va = 0x7ffa0f2b0000
end_va = 0x7ffa0f2bcfff
monitored = 0
entry_point = 0x7ffa0f2b1420
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 1088
start_va = 0x7ffa0f2d0000
end_va = 0x7ffa0f2dffff
monitored = 0
entry_point = 0x7ffa0f2d2c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 1089
start_va = 0x7ffa0f2e0000
end_va = 0x7ffa0f2ecfff
monitored = 0
entry_point = 0x7ffa0f2e2ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 1090
start_va = 0x7ffa0f2f0000
end_va = 0x7ffa0f31efff
monitored = 0
entry_point = 0x7ffa0f2f8910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 1091
start_va = 0x7ffa0f320000
end_va = 0x7ffa0f33efff
monitored = 0
entry_point = 0x7ffa0f324960
region_type = mapped_file
name = "ncprov.dll"
filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")
Region:
id = 1092
start_va = 0x7ffa0f370000
end_va = 0x7ffa0f3ddfff
monitored = 0
entry_point = 0x7ffa0f377f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1093
start_va = 0x7ffa0f3e0000
end_va = 0x7ffa0f3f0fff
monitored = 0
entry_point = 0x7ffa0f3e3320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1094
start_va = 0x7ffa0f430000
end_va = 0x7ffa0f465fff
monitored = 0
entry_point = 0x7ffa0f440070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1095
start_va = 0x7ffa0fc30000
end_va = 0x7ffa0fc70fff
monitored = 0
entry_point = 0x7ffa0fc47eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1096
start_va = 0x7ffa0fc80000
end_va = 0x7ffa0fd7bfff
monitored = 0
entry_point = 0x7ffa0fcb6df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1097
start_va = 0x7ffa0fe10000
end_va = 0x7ffa0fecefff
monitored = 0
entry_point = 0x7ffa0fe31c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1098
start_va = 0x7ffa0ff20000
end_va = 0x7ffa0ff29fff
monitored = 0
entry_point = 0x7ffa0ff21660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1099
start_va = 0x7ffa0ff30000
end_va = 0x7ffa0ff47fff
monitored = 0
entry_point = 0x7ffa0ff35910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1100
start_va = 0x7ffa0ff50000
end_va = 0x7ffa1009cfff
monitored = 0
entry_point = 0x7ffa0ff93da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1101
start_va = 0x7ffa10cc0000
end_va = 0x7ffa11152fff
monitored = 0
entry_point = 0x7ffa10ccf760
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 1102
start_va = 0x7ffa11160000
end_va = 0x7ffa111c6fff
monitored = 0
entry_point = 0x7ffa1117e710
region_type = mapped_file
name = "bcp47langs.dll"
filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll")
Region:
id = 1103
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1104
start_va = 0x7ffa113b0000
end_va = 0x7ffa113cbfff
monitored = 0
entry_point = 0x7ffa113b37a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1105
start_va = 0x7ffa113d0000
end_va = 0x7ffa113dafff
monitored = 0
entry_point = 0x7ffa113d1de0
region_type = mapped_file
name = "bitsperf.dll"
filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll")
Region:
id = 1106
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1107
start_va = 0x7ffa114c0000
end_va = 0x7ffa114c9fff
monitored = 0
entry_point = 0x7ffa114c1350
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1108
start_va = 0x7ffa11560000
end_va = 0x7ffa11573fff
monitored = 0
entry_point = 0x7ffa11562a00
region_type = mapped_file
name = "bitsigd.dll"
filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll")
Region:
id = 1109
start_va = 0x7ffa11580000
end_va = 0x7ffa115f8fff
monitored = 0
entry_point = 0x7ffa1159fb90
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 1110
start_va = 0x7ffa11600000
end_va = 0x7ffa11607fff
monitored = 0
entry_point = 0x7ffa116013e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 1111
start_va = 0x7ffa11640000
end_va = 0x7ffa1167ffff
monitored = 0
entry_point = 0x7ffa11651960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 1112
start_va = 0x7ffa117d0000
end_va = 0x7ffa117f6fff
monitored = 0
entry_point = 0x7ffa117d7940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1113
start_va = 0x7ffa11800000
end_va = 0x7ffa118a9fff
monitored = 0
entry_point = 0x7ffa11827910
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1114
start_va = 0x7ffa118b0000
end_va = 0x7ffa119affff
monitored = 0
entry_point = 0x7ffa118f0f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 1115
start_va = 0x7ffa11a40000
end_va = 0x7ffa11a4bfff
monitored = 0
entry_point = 0x7ffa11a42480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1116
start_va = 0x7ffa11b10000
end_va = 0x7ffa11b41fff
monitored = 0
entry_point = 0x7ffa11b22340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 1117
start_va = 0x7ffa11d80000
end_va = 0x7ffa11d8bfff
monitored = 0
entry_point = 0x7ffa11d82790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 1118
start_va = 0x7ffa11d90000
end_va = 0x7ffa11db3fff
monitored = 0
entry_point = 0x7ffa11d93260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1119
start_va = 0x7ffa11f30000
end_va = 0x7ffa12023fff
monitored = 0
entry_point = 0x7ffa11f3a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1120
start_va = 0x7ffa12080000
end_va = 0x7ffa120c8fff
monitored = 0
entry_point = 0x7ffa1208a090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1121
start_va = 0x7ffa121a0000
end_va = 0x7ffa121abfff
monitored = 0
entry_point = 0x7ffa121a27e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1122
start_va = 0x7ffa12280000
end_va = 0x7ffa122b0fff
monitored = 0
entry_point = 0x7ffa12287d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1123
start_va = 0x7ffa122e0000
end_va = 0x7ffa12359fff
monitored = 0
entry_point = 0x7ffa12301a50
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 1124
start_va = 0x7ffa123a0000
end_va = 0x7ffa123d3fff
monitored = 0
entry_point = 0x7ffa123bae70
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1125
start_va = 0x7ffa123e0000
end_va = 0x7ffa123e9fff
monitored = 0
entry_point = 0x7ffa123e1830
region_type = mapped_file
name = "dpapi.dll"
filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll")
Region:
id = 1126
start_va = 0x7ffa124f0000
end_va = 0x7ffa1250efff
monitored = 0
entry_point = 0x7ffa124f5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1127
start_va = 0x7ffa12660000
end_va = 0x7ffa126bbfff
monitored = 0
entry_point = 0x7ffa12676f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1128
start_va = 0x7ffa12710000
end_va = 0x7ffa12726fff
monitored = 0
entry_point = 0x7ffa127179d0
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1129
start_va = 0x7ffa12830000
end_va = 0x7ffa1283afff
monitored = 0
entry_point = 0x7ffa128319a0
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1130
start_va = 0x7ffa12870000
end_va = 0x7ffa12890fff
monitored = 0
entry_point = 0x7ffa12880250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 1131
start_va = 0x7ffa128c0000
end_va = 0x7ffa128f9fff
monitored = 0
entry_point = 0x7ffa128c8d20
region_type = mapped_file
name = "ntasn1.dll"
filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll")
Region:
id = 1132
start_va = 0x7ffa12900000
end_va = 0x7ffa12926fff
monitored = 0
entry_point = 0x7ffa12910aa0
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")
Region:
id = 1133
start_va = 0x7ffa12a10000
end_va = 0x7ffa12a3cfff
monitored = 0
entry_point = 0x7ffa12a29d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1134
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1135
start_va = 0x7ffa12c00000
end_va = 0x7ffa12c18fff
monitored = 0
entry_point = 0x7ffa12c05e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 1136
start_va = 0x7ffa12c20000
end_va = 0x7ffa12c48fff
monitored = 0
entry_point = 0x7ffa12c34530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1137
start_va = 0x7ffa12c50000
end_va = 0x7ffa12ce8fff
monitored = 0
entry_point = 0x7ffa12c7f4e0
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1138
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1139
start_va = 0x7ffa12db0000
end_va = 0x7ffa12dbffff
monitored = 0
entry_point = 0x7ffa12db56e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1140
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1141
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1142
start_va = 0x7ffa12e20000
end_va = 0x7ffa12e74fff
monitored = 0
entry_point = 0x7ffa12e37970
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 1143
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1144
start_va = 0x7ffa12f40000
end_va = 0x7ffa13106fff
monitored = 0
entry_point = 0x7ffa12f9db80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1145
start_va = 0x7ffa13110000
end_va = 0x7ffa13126fff
monitored = 0
entry_point = 0x7ffa13111390
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 1146
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1147
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1148
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1149
start_va = 0x7ffa133e0000
end_va = 0x7ffa13465fff
monitored = 0
entry_point = 0x7ffa133ed8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1150
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1151
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1152
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1153
start_va = 0x7ffa13d60000
end_va = 0x7ffa13d67fff
monitored = 0
entry_point = 0x7ffa13d61ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1154
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1155
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1156
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1157
start_va = 0x7ffa14220000
end_va = 0x7ffa142c6fff
monitored = 0
entry_point = 0x7ffa1422b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1158
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1159
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1160
start_va = 0x7ffa146e0000
end_va = 0x7ffa1474afff
monitored = 0
entry_point = 0x7ffa146f90c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1161
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1162
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1163
start_va = 0x7ffa14c00000
end_va = 0x7ffa15028fff
monitored = 0
entry_point = 0x7ffa14c28740
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 1164
start_va = 0x7ffa15030000
end_va = 0x7ffa1508bfff
monitored = 0
entry_point = 0x7ffa1504b720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1165
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1166
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1167
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1168
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1319
start_va = 0x450000
end_va = 0x450fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000450000"
filename = ""
Region:
id = 1366
start_va = 0x450000
end_va = 0x450fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000450000"
filename = ""
Thread:
id = 26
os_tid = 0x1028
Thread:
id = 27
os_tid = 0x11b0
Thread:
id = 28
os_tid = 0xe44
Thread:
id = 29
os_tid = 0x4e8
Thread:
id = 30
os_tid = 0x448
Thread:
id = 31
os_tid = 0x4f8
Thread:
id = 32
os_tid = 0x790
Thread:
id = 33
os_tid = 0x4f4
Thread:
id = 34
os_tid = 0x804
Thread:
id = 35
os_tid = 0x82c
Thread:
id = 36
os_tid = 0xae0
Thread:
id = 37
os_tid = 0xa1c
Thread:
id = 38
os_tid = 0xb60
Thread:
id = 39
os_tid = 0x9dc
Thread:
id = 40
os_tid = 0x870
Thread:
id = 41
os_tid = 0x868
Thread:
id = 42
os_tid = 0x3ac
Thread:
id = 43
os_tid = 0x8d4
Thread:
id = 44
os_tid = 0x914
Thread:
id = 45
os_tid = 0x7f8
Thread:
id = 46
os_tid = 0x60c
Thread:
id = 47
os_tid = 0x5a0
Thread:
id = 48
os_tid = 0x828
Thread:
id = 49
os_tid = 0x4bc
Thread:
id = 50
os_tid = 0x79c
Thread:
id = 51
os_tid = 0xac8
Thread:
id = 52
os_tid = 0xa08
Thread:
id = 53
os_tid = 0xac0
Thread:
id = 54
os_tid = 0xab4
Thread:
id = 55
os_tid = 0xad4
Thread:
id = 56
os_tid = 0xae4
Thread:
id = 57
os_tid = 0xa04
Thread:
id = 58
os_tid = 0xacc
Thread:
id = 59
os_tid = 0xbb0
Thread:
id = 60
os_tid = 0xbf8
Thread:
id = 61
os_tid = 0x5ec
Thread:
id = 62
os_tid = 0x780
Thread:
id = 63
os_tid = 0x5ac
Thread:
id = 64
os_tid = 0x728
Thread:
id = 65
os_tid = 0x508
Thread:
id = 66
os_tid = 0x428
Thread:
id = 67
os_tid = 0x4f8
Thread:
id = 68
os_tid = 0x7e4
Thread:
id = 69
os_tid = 0x7dc
Thread:
id = 70
os_tid = 0x7d8
Thread:
id = 71
os_tid = 0x7cc
Thread:
id = 72
os_tid = 0x7c4
Thread:
id = 73
os_tid = 0x788
Thread:
id = 74
os_tid = 0x744
Thread:
id = 75
os_tid = 0x448
Thread:
id = 76
os_tid = 0x6f8
Thread:
id = 77
os_tid = 0x6d4
Thread:
id = 78
os_tid = 0x648
Thread:
id = 79
os_tid = 0x640
Thread:
id = 80
os_tid = 0x62c
Thread:
id = 81
os_tid = 0x530
Thread:
id = 82
os_tid = 0x4a8
Thread:
id = 83
os_tid = 0x2ac
Thread:
id = 84
os_tid = 0x270
Thread:
id = 85
os_tid = 0x154
Thread:
id = 86
os_tid = 0x1b8
Thread:
id = 87
os_tid = 0x1bc
Thread:
id = 88
os_tid = 0x180
Thread:
id = 89
os_tid = 0x188
Thread:
id = 90
os_tid = 0x148
Thread:
id = 91
os_tid = 0x12c
Thread:
id = 92
os_tid = 0xfc
Thread:
id = 93
os_tid = 0x60
Thread:
id = 94
os_tid = 0x3f0
Thread:
id = 95
os_tid = 0x3e8
Thread:
id = 96
os_tid = 0x3cc
Thread:
id = 97
os_tid = 0x364
Process:
id = "7"
image_name = "da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
page_root = "0x60017000"
os_pid = "0x109c"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0x138c"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1218
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1219
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1220
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1221
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1222
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 1223
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 1224
start_va = 0x1b0000
end_va = 0x1b1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 1225
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1226
start_va = 0x400000
end_va = 0x49dfff
monitored = 1
entry_point = 0x499162
region_type = mapped_file
name = "da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe")
Region:
id = 1227
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1228
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1229
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1230
start_va = 0x7fff0000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1231
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1232
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1234
start_va = 0x400000
end_va = 0x411fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1236
start_va = 0x420000
end_va = 0x50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000420000"
filename = ""
Region:
id = 1237
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1238
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1239
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1240
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1241
start_va = 0x510000
end_va = 0x78ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1242
start_va = 0x6f8e0000
end_va = 0x6f938fff
monitored = 1
entry_point = 0x6f8f0780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 1243
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1244
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1245
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1246
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1247
start_va = 0x420000
end_va = 0x4ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1248
start_va = 0x500000
end_va = 0x50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000500000"
filename = ""
Region:
id = 1249
start_va = 0x510000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1250
start_va = 0x690000
end_va = 0x78ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 1251
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1252
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 1253
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1254
start_va = 0x1c0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1255
start_va = 0x790000
end_va = 0x88ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000790000"
filename = ""
Region:
id = 1256
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1257
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1258
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1259
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1260
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1261
start_va = 0x890000
end_va = 0x97ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000890000"
filename = ""
Region:
id = 1262
start_va = 0x6f860000
end_va = 0x6f8dcfff
monitored = 1
entry_point = 0x6f870db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 1265
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1266
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 1267
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 1268
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 1269
start_va = 0x510000
end_va = 0x539fff
monitored = 0
entry_point = 0x515680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1270
start_va = 0x5f0000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 1271
start_va = 0x980000
end_va = 0xb07fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000980000"
filename = ""
Region:
id = 1272
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1273
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1274
start_va = 0x4e0000
end_va = 0x4e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004e0000"
filename = ""
Region:
id = 1275
start_va = 0xb10000
end_va = 0xc90fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b10000"
filename = ""
Region:
id = 1276
start_va = 0xca0000
end_va = 0x209ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ca0000"
filename = ""
Region:
id = 1277
start_va = 0x510000
end_va = 0x5a7fff
monitored = 1
entry_point = 0x5a9162
region_type = mapped_file
name = "da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe")
Region:
id = 1278
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 1279
start_va = 0x6f980000
end_va = 0x6f987fff
monitored = 0
entry_point = 0x6f9817b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 1280
start_va = 0x6f170000
end_va = 0x6f850fff
monitored = 1
entry_point = 0x6f19cd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 1281
start_va = 0x6f070000
end_va = 0x6f164fff
monitored = 0
entry_point = 0x6f0c4160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 1282
start_va = 0x4f0000
end_va = 0x4f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004f0000"
filename = ""
Region:
id = 1283
start_va = 0x510000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000510000"
filename = ""
Region:
id = 1284
start_va = 0x520000
end_va = 0x52ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000520000"
filename = ""
Region:
id = 1285
start_va = 0x530000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000530000"
filename = ""
Region:
id = 1286
start_va = 0x540000
end_va = 0x54ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 1287
start_va = 0x550000
end_va = 0x55ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 1288
start_va = 0x560000
end_va = 0x56ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1289
start_va = 0x570000
end_va = 0x570fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000570000"
filename = ""
Region:
id = 1290
start_va = 0x580000
end_va = 0x580fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000580000"
filename = ""
Region:
id = 1291
start_va = 0x600000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1292
start_va = 0x20a0000
end_va = 0x220ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020a0000"
filename = ""
Region:
id = 1293
start_va = 0x590000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000590000"
filename = ""
Region:
id = 1294
start_va = 0x20a0000
end_va = 0x219ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020a0000"
filename = ""
Region:
id = 1295
start_va = 0x2200000
end_va = 0x220ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 1296
start_va = 0x5d0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 1297
start_va = 0x2210000
end_va = 0x420ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 1298
start_va = 0x890000
end_va = 0x92ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000890000"
filename = ""
Region:
id = 1299
start_va = 0x970000
end_va = 0x97ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000970000"
filename = ""
Region:
id = 1300
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1301
start_va = 0x670000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 1302
start_va = 0x4210000
end_va = 0x430ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004210000"
filename = ""
Region:
id = 1303
start_va = 0x4310000
end_va = 0x4646fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1304
start_va = 0x6d430000
end_va = 0x6e6e1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 1305
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 1306
start_va = 0x4650000
end_va = 0x46e0fff
monitored = 0
entry_point = 0x4688cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1307
start_va = 0x5d0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 1308
start_va = 0x6eff0000
end_va = 0x6f06ffff
monitored = 1
entry_point = 0x6eff1180
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 1309
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1310
start_va = 0x5e0000
end_va = 0x5effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 1311
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1312
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1320
start_va = 0x6ca60000
end_va = 0x6d42bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 1321
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1322
start_va = 0x71200000
end_va = 0x71212fff
monitored = 0
entry_point = 0x71209950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1323
start_va = 0x70230000
end_va = 0x7025efff
monitored = 0
entry_point = 0x702495e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1324
start_va = 0x71560000
end_va = 0x7157afff
monitored = 0
entry_point = 0x71569050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1326
start_va = 0x6e8c0000
end_va = 0x6efe0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 1327
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1328
start_va = 0x4650000
end_va = 0x482ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004650000"
filename = ""
Region:
id = 1329
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1330
start_va = 0x73f90000
end_va = 0x74107fff
monitored = 0
entry_point = 0x73fe8a90
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 1331
start_va = 0x764c0000
end_va = 0x764cdfff
monitored = 0
entry_point = 0x764c5410
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 1332
start_va = 0x650000
end_va = 0x659fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "crypt32.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui")
Region:
id = 1333
start_va = 0x73f20000
end_va = 0x73f2efff
monitored = 0
entry_point = 0x73f22e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 1334
start_va = 0x74eb0000
end_va = 0x762aefff
monitored = 0
entry_point = 0x7506b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1335
start_va = 0x76800000
end_va = 0x76836fff
monitored = 0
entry_point = 0x76803b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 1336
start_va = 0x745b0000
end_va = 0x74aa8fff
monitored = 0
entry_point = 0x747b7610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 1337
start_va = 0x74520000
end_va = 0x745acfff
monitored = 0
entry_point = 0x74569b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 1338
start_va = 0x76470000
end_va = 0x764b3fff
monitored = 0
entry_point = 0x76477410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 1339
start_va = 0x660000
end_va = 0x660fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 1340
start_va = 0x680000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000680000"
filename = ""
Region:
id = 1341
start_va = 0x930000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1342
start_va = 0x6b0a0000
end_va = 0x6b190fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.configuration.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\fe4b221b4109f0c78f57a792500699b5\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\fe4b221b4109f0c78f57a792500699b5\\system.configuration.ni.dll")
Region:
id = 1343
start_va = 0x6a980000
end_va = 0x6b09dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\4fbda26d781323081b45526da6e87b35\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\4fbda26d781323081b45526da6e87b35\\system.xml.ni.dll")
Region:
id = 1345
start_va = 0x73f30000
end_va = 0x73f8efff
monitored = 0
entry_point = 0x73f34af0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")
Region:
id = 1346
start_va = 0x71420000
end_va = 0x7146efff
monitored = 0
entry_point = 0x7142d850
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll")
Region:
id = 1354
start_va = 0x4650000
end_va = 0x472ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")
Region:
id = 1355
start_va = 0x4820000
end_va = 0x482ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004820000"
filename = ""
Thread:
id = 100
os_tid = 0x10c4
[0208.217] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0208.221] RoInitialize () returned 0x1
[0208.221] RoUninitialize () returned 0x0
[0216.136] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6df608) returned 1
[0216.141] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.143] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.143] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.144] CoTaskMemFree (pv=0x6d82c0)
[0216.144] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemFree (pv=0x6d82c0)
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemFree (pv=0x6d82c0)
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemFree (pv=0x6d82c0)
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemFree (pv=0x6d82c0)
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemFree (pv=0x6d82c0)
[0216.145] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.145] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemFree (pv=0x6d82c0)
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemFree (pv=0x6d82c0)
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemFree (pv=0x6d82c0)
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemFree (pv=0x6d82c0)
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemFree (pv=0x6d82c0)
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.146] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.146] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemFree (pv=0x6d82c0)
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemFree (pv=0x6d82c0)
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemFree (pv=0x6d82c0)
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemFree (pv=0x6d82c0)
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemFree (pv=0x6d82c0)
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.147] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.147] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.148] CoTaskMemFree (pv=0x6d82c0)
[0216.148] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.148] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.148] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.148] CoTaskMemFree (pv=0x6d82c0)
[0216.148] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.148] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.148] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.148] CoTaskMemFree (pv=0x6d82c0)
[0216.148] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0216.148] CoTaskMemAlloc (cb=0x20) returned 0x6d82c0
[0216.148] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x6d82c0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x6d82c0, pdwDataLen=0x19f3bc) returned 1
[0216.148] CoTaskMemFree (pv=0x6d82c0)
[0216.148] CryptGetProvParam (in: hProv=0x6df608, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 0
[0216.155] CryptImportKey (in: hProv=0x6df608, pbData=0x22e8328, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6dec00) returned 1
[0216.158] CryptContextAddRef (hProv=0x6df608, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.226] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f3e8 | out: pfEnabled=0x19f3e8) returned 0x0
[0216.232] CryptContextAddRef (hProv=0x6df608, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.232] CryptDuplicateKey (in: hKey=0x6dec00, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6de880) returned 1
[0216.232] CryptContextAddRef (hProv=0x6df608, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.233] CryptSetKeyParam (hKey=0x6de880, dwParam=0x4, pbData=0x22e8d08*=0x1, dwFlags=0x0) returned 1
[0216.233] CryptSetKeyParam (hKey=0x6de880, dwParam=0x1, pbData=0x22e8cd4, dwFlags=0x0) returned 1
[0216.236] CryptDecrypt (in: hKey=0x6de880, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22e8de8, pdwDataLen=0x19f3f8 | out: pbData=0x22e8de8, pdwDataLen=0x19f3f8) returned 1
[0216.257] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19de18 | out: phkResult=0x19de18*=0x0) returned 0x2
[0216.308] CryptDecrypt (in: hKey=0x6de880, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22e8eec, pdwDataLen=0x19f3f8 | out: pbData=0x22e8eec, pdwDataLen=0x19f3f8) returned 0
[0216.309] CryptDestroyKey (hKey=0x6dec00) returned 1
[0216.309] CryptReleaseContext (hProv=0x6df608, dwFlags=0x0) returned 1
[0216.309] CryptReleaseContext (hProv=0x6df608, dwFlags=0x0) returned 1
[0216.309] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6dff10) returned 1
[0216.310] CryptImportKey (in: hProv=0x6dff10, pbData=0x22ea78c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6ded00) returned 1
[0216.310] CryptContextAddRef (hProv=0x6dff10, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.310] CryptContextAddRef (hProv=0x6dff10, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.310] CryptDuplicateKey (in: hKey=0x6ded00, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6decc0) returned 1
[0216.310] CryptContextAddRef (hProv=0x6dff10, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.310] CryptSetKeyParam (hKey=0x6decc0, dwParam=0x4, pbData=0x22eaee4*=0x1, dwFlags=0x0) returned 1
[0216.310] CryptSetKeyParam (hKey=0x6decc0, dwParam=0x1, pbData=0x22eaeb0, dwFlags=0x0) returned 1
[0216.311] CryptDecrypt (in: hKey=0x6decc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22eafc4, pdwDataLen=0x19f3f8 | out: pbData=0x22eafc4, pdwDataLen=0x19f3f8) returned 1
[0216.311] CryptDecrypt (in: hKey=0x6decc0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22eaffc, pdwDataLen=0x19f3f8 | out: pbData=0x22eaffc, pdwDataLen=0x19f3f8) returned 0
[0216.311] CryptDestroyKey (hKey=0x6ded00) returned 1
[0216.311] CryptReleaseContext (hProv=0x6dff10, dwFlags=0x0) returned 1
[0216.311] CryptReleaseContext (hProv=0x6dff10, dwFlags=0x0) returned 1
[0216.311] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6dff98) returned 1
[0216.312] CryptImportKey (in: hProv=0x6dff98, pbData=0x22eb16c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6de800) returned 1
[0216.312] CryptContextAddRef (hProv=0x6dff98, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.312] CryptContextAddRef (hProv=0x6dff98, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.312] CryptDuplicateKey (in: hKey=0x6de800, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6de900) returned 1
[0216.312] CryptContextAddRef (hProv=0x6dff98, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.312] CryptSetKeyParam (hKey=0x6de900, dwParam=0x4, pbData=0x22eb8c4*=0x1, dwFlags=0x0) returned 1
[0216.312] CryptSetKeyParam (hKey=0x6de900, dwParam=0x1, pbData=0x22eb890, dwFlags=0x0) returned 1
[0216.313] CryptDecrypt (in: hKey=0x6de900, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22eb9a4, pdwDataLen=0x19f3f8 | out: pbData=0x22eb9a4, pdwDataLen=0x19f3f8) returned 1
[0216.313] CryptDecrypt (in: hKey=0x6de900, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22eb9d4, pdwDataLen=0x19f3f8 | out: pbData=0x22eb9d4, pdwDataLen=0x19f3f8) returned 0
[0216.313] CryptDestroyKey (hKey=0x6de800) returned 1
[0216.313] CryptReleaseContext (hProv=0x6dff98, dwFlags=0x0) returned 1
[0216.313] CryptReleaseContext (hProv=0x6dff98, dwFlags=0x0) returned 1
[0216.313] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6dfa48) returned 1
[0216.313] CryptImportKey (in: hProv=0x6dfa48, pbData=0x22ebb30, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6de8c0) returned 1
[0216.314] CryptContextAddRef (hProv=0x6dfa48, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.314] CryptContextAddRef (hProv=0x6dfa48, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.314] CryptDuplicateKey (in: hKey=0x6de8c0, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6ded00) returned 1
[0216.314] CryptContextAddRef (hProv=0x6dfa48, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.314] CryptSetKeyParam (hKey=0x6ded00, dwParam=0x4, pbData=0x22ec288*=0x1, dwFlags=0x0) returned 1
[0216.314] CryptSetKeyParam (hKey=0x6ded00, dwParam=0x1, pbData=0x22ec254, dwFlags=0x0) returned 1
[0216.314] CryptDecrypt (in: hKey=0x6ded00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22ec368, pdwDataLen=0x19f3f8 | out: pbData=0x22ec368, pdwDataLen=0x19f3f8) returned 1
[0216.314] CryptDecrypt (in: hKey=0x6ded00, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22ec398, pdwDataLen=0x19f3f8 | out: pbData=0x22ec398, pdwDataLen=0x19f3f8) returned 0
[0216.314] CryptDestroyKey (hKey=0x6de8c0) returned 1
[0216.314] CryptReleaseContext (hProv=0x6dfa48, dwFlags=0x0) returned 1
[0216.315] CryptReleaseContext (hProv=0x6dfa48, dwFlags=0x0) returned 1
[0216.315] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6e0240) returned 1
[0216.315] CryptImportKey (in: hProv=0x6e0240, pbData=0x22ec500, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6de680) returned 1
[0216.315] CryptContextAddRef (hProv=0x6e0240, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.316] CryptContextAddRef (hProv=0x6e0240, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.316] CryptDuplicateKey (in: hKey=0x6de680, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6de980) returned 1
[0216.316] CryptContextAddRef (hProv=0x6e0240, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.316] CryptSetKeyParam (hKey=0x6de980, dwParam=0x4, pbData=0x22ecc68*=0x1, dwFlags=0x0) returned 1
[0216.316] CryptSetKeyParam (hKey=0x6de980, dwParam=0x1, pbData=0x22ecc34, dwFlags=0x0) returned 1
[0216.316] CryptDecrypt (in: hKey=0x6de980, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22ecd4c, pdwDataLen=0x19f3c8 | out: pbData=0x22ecd4c, pdwDataLen=0x19f3c8) returned 1
[0216.316] CryptDecrypt (in: hKey=0x6de980, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22ecd94, pdwDataLen=0x19f3f8 | out: pbData=0x22ecd94, pdwDataLen=0x19f3f8) returned 1
[0216.316] CryptDecrypt (in: hKey=0x6de980, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22ecdc0, pdwDataLen=0x19f3f8 | out: pbData=0x22ecdc0, pdwDataLen=0x19f3f8) returned 0
[0216.316] CryptDestroyKey (hKey=0x6de680) returned 1
[0216.316] CryptReleaseContext (hProv=0x6e0240, dwFlags=0x0) returned 1
[0216.316] CryptReleaseContext (hProv=0x6e0240, dwFlags=0x0) returned 1
[0216.316] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6df690) returned 1
[0216.317] CryptImportKey (in: hProv=0x6df690, pbData=0x22ecf44, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6dea40) returned 1
[0216.317] CryptContextAddRef (hProv=0x6df690, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.318] CryptContextAddRef (hProv=0x6df690, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.318] CryptDuplicateKey (in: hKey=0x6dea40, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6de740) returned 1
[0216.318] CryptContextAddRef (hProv=0x6df690, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.318] CryptSetKeyParam (hKey=0x6de740, dwParam=0x4, pbData=0x22ed69c*=0x1, dwFlags=0x0) returned 1
[0216.318] CryptSetKeyParam (hKey=0x6de740, dwParam=0x1, pbData=0x22ed668, dwFlags=0x0) returned 1
[0216.318] CryptDecrypt (in: hKey=0x6de740, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22ed77c, pdwDataLen=0x19f3f8 | out: pbData=0x22ed77c, pdwDataLen=0x19f3f8) returned 1
[0216.318] CryptDecrypt (in: hKey=0x6de740, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22ed7a8, pdwDataLen=0x19f3f8 | out: pbData=0x22ed7a8, pdwDataLen=0x19f3f8) returned 0
[0216.318] CryptDestroyKey (hKey=0x6dea40) returned 1
[0216.318] CryptReleaseContext (hProv=0x6df690, dwFlags=0x0) returned 1
[0216.318] CryptReleaseContext (hProv=0x6df690, dwFlags=0x0) returned 1
[0216.318] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6e0130) returned 1
[0216.320] CryptImportKey (in: hProv=0x6e0130, pbData=0x22ed8fc, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6de600) returned 1
[0216.320] CryptContextAddRef (hProv=0x6e0130, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.320] CryptContextAddRef (hProv=0x6e0130, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.320] CryptDuplicateKey (in: hKey=0x6de600, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6de780) returned 1
[0216.320] CryptContextAddRef (hProv=0x6e0130, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.320] CryptSetKeyParam (hKey=0x6de780, dwParam=0x4, pbData=0x22ee054*=0x1, dwFlags=0x0) returned 1
[0216.320] CryptSetKeyParam (hKey=0x6de780, dwParam=0x1, pbData=0x22ee020, dwFlags=0x0) returned 1
[0216.320] CryptDecrypt (in: hKey=0x6de780, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22ee134, pdwDataLen=0x19f3f8 | out: pbData=0x22ee134, pdwDataLen=0x19f3f8) returned 1
[0216.321] CryptDecrypt (in: hKey=0x6de780, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22ee164, pdwDataLen=0x19f3f8 | out: pbData=0x22ee164, pdwDataLen=0x19f3f8) returned 0
[0216.321] CryptDestroyKey (hKey=0x6de600) returned 1
[0216.321] CryptReleaseContext (hProv=0x6e0130, dwFlags=0x0) returned 1
[0216.321] CryptReleaseContext (hProv=0x6e0130, dwFlags=0x0) returned 1
[0216.321] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6e00a8) returned 1
[0216.321] CryptImportKey (in: hProv=0x6e00a8, pbData=0x22ee2bc, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6de600) returned 1
[0216.321] CryptContextAddRef (hProv=0x6e00a8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.322] CryptContextAddRef (hProv=0x6e00a8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.322] CryptDuplicateKey (in: hKey=0x6de600, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6de680) returned 1
[0216.322] CryptContextAddRef (hProv=0x6e00a8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.322] CryptSetKeyParam (hKey=0x6de680, dwParam=0x4, pbData=0x22eea14*=0x1, dwFlags=0x0) returned 1
[0216.322] CryptSetKeyParam (hKey=0x6de680, dwParam=0x1, pbData=0x22ee9e0, dwFlags=0x0) returned 1
[0216.322] CryptDecrypt (in: hKey=0x6de680, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22eeaf4, pdwDataLen=0x19f3f8 | out: pbData=0x22eeaf4, pdwDataLen=0x19f3f8) returned 1
[0216.322] CryptDecrypt (in: hKey=0x6de680, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22eeb24, pdwDataLen=0x19f3f8 | out: pbData=0x22eeb24, pdwDataLen=0x19f3f8) returned 0
[0216.322] CryptDestroyKey (hKey=0x6de600) returned 1
[0216.322] CryptReleaseContext (hProv=0x6e00a8, dwFlags=0x0) returned 1
[0216.323] CryptReleaseContext (hProv=0x6e00a8, dwFlags=0x0) returned 1
[0216.323] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6dfe00) returned 1
[0216.323] CryptImportKey (in: hProv=0x6dfe00, pbData=0x22eec7c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6de600) returned 1
[0216.323] CryptContextAddRef (hProv=0x6dfe00, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.324] CryptContextAddRef (hProv=0x6dfe00, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.324] CryptDuplicateKey (in: hKey=0x6de600, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6de6c0) returned 1
[0216.324] CryptContextAddRef (hProv=0x6dfe00, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.324] CryptSetKeyParam (hKey=0x6de6c0, dwParam=0x4, pbData=0x22ef3d4*=0x1, dwFlags=0x0) returned 1
[0216.324] CryptSetKeyParam (hKey=0x6de6c0, dwParam=0x1, pbData=0x22ef3a0, dwFlags=0x0) returned 1
[0216.324] CryptDecrypt (in: hKey=0x6de6c0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22ef4b4, pdwDataLen=0x19f3f8 | out: pbData=0x22ef4b4, pdwDataLen=0x19f3f8) returned 1
[0216.324] CryptDecrypt (in: hKey=0x6de6c0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22ef4e4, pdwDataLen=0x19f3f8 | out: pbData=0x22ef4e4, pdwDataLen=0x19f3f8) returned 0
[0216.324] CryptDestroyKey (hKey=0x6de600) returned 1
[0216.324] CryptReleaseContext (hProv=0x6dfe00, dwFlags=0x0) returned 1
[0216.324] CryptReleaseContext (hProv=0x6dfe00, dwFlags=0x0) returned 1
[0216.339] GetUserNameW (in: lpBuffer=0x19f20c, pcbBuffer=0x19f484 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19f484) returned 1
[0216.398] GetComputerNameW (in: lpBuffer=0x19f20c, nSize=0x19f484 | out: lpBuffer="XC64ZB", nSize=0x19f484) returned 1
[0216.398] CoTaskMemAlloc (cb=0x20c) returned 0x6ec9b0
[0216.398] GetSystemDirectoryW (in: lpBuffer=0x6ec9b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0216.399] CoTaskMemFree (pv=0x6ec9b0)
[0216.404] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x19eea4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
[0216.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f440) returned 1
[0216.407] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c | out: lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c) returned 1
[0216.408] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f43c) returned 1
[0216.492] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6df828) returned 1
[0216.493] CryptImportKey (in: hProv=0x6df828, pbData=0x22f15a4, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6df100) returned 1
[0216.493] CryptContextAddRef (hProv=0x6df828, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.494] CryptContextAddRef (hProv=0x6df828, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.494] CryptDuplicateKey (in: hKey=0x6df100, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6defc0) returned 1
[0216.494] CryptContextAddRef (hProv=0x6df828, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.494] CryptSetKeyParam (hKey=0x6defc0, dwParam=0x4, pbData=0x22f225c*=0x1, dwFlags=0x0) returned 1
[0216.494] CryptSetKeyParam (hKey=0x6defc0, dwParam=0x1, pbData=0x22f2228, dwFlags=0x0) returned 1
[0216.494] CryptDecrypt (in: hKey=0x6defc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22f2860, pdwDataLen=0x19f3c8 | out: pbData=0x22f2860, pdwDataLen=0x19f3c8) returned 1
[0216.494] CryptDecrypt (in: hKey=0x6defc0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22f2b38, pdwDataLen=0x19f3f8 | out: pbData=0x22f2b38, pdwDataLen=0x19f3f8) returned 1
[0216.495] CryptDecrypt (in: hKey=0x6defc0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f2b6c, pdwDataLen=0x19f3f8 | out: pbData=0x22f2b6c, pdwDataLen=0x19f3f8) returned 0
[0216.495] CryptDestroyKey (hKey=0x6df100) returned 1
[0216.495] CryptReleaseContext (hProv=0x6df828, dwFlags=0x0) returned 1
[0216.495] CryptReleaseContext (hProv=0x6df828, dwFlags=0x0) returned 1
[0216.495] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x6e01b8) returned 1
[0216.496] CryptImportKey (in: hProv=0x6e01b8, pbData=0x22f3bc8, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x6df2c0) returned 1
[0216.496] CryptContextAddRef (hProv=0x6e01b8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.497] CryptContextAddRef (hProv=0x6e01b8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.497] CryptDuplicateKey (in: hKey=0x6df2c0, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x6df340) returned 1
[0216.497] CryptContextAddRef (hProv=0x6e01b8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0216.497] CryptSetKeyParam (hKey=0x6df340, dwParam=0x4, pbData=0x22f5080*=0x1, dwFlags=0x0) returned 1
[0216.497] CryptSetKeyParam (hKey=0x6df340, dwParam=0x1, pbData=0x22f504c, dwFlags=0x0) returned 1
[0216.497] CryptDecrypt (in: hKey=0x6df340, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22f5e84, pdwDataLen=0x19f3c8 | out: pbData=0x22f5e84, pdwDataLen=0x19f3c8) returned 1
[0216.498] CryptDecrypt (in: hKey=0x6df340, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22f655c, pdwDataLen=0x19f3f8 | out: pbData=0x22f655c, pdwDataLen=0x19f3f8) returned 1
[0216.498] CryptDecrypt (in: hKey=0x6df340, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f6584, pdwDataLen=0x19f3f8 | out: pbData=0x22f6584, pdwDataLen=0x19f3f8) returned 0
[0216.498] CryptDestroyKey (hKey=0x6df2c0) returned 1
[0216.498] CryptReleaseContext (hProv=0x6e01b8, dwFlags=0x0) returned 1
[0216.498] CryptReleaseContext (hProv=0x6e01b8, dwFlags=0x0) returned 1
[0216.578] CertDuplicateCertificateContext (pCertContext=0x6e5f40) returned 0x6e5f40
[0216.660] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x6db930
[0216.671] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x6db930, dwGroupId=0x3) returned 0x0
[0216.745] LocalFree (hMem=0x6db930) returned 0x0
[0216.745] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x6f7778
[0216.745] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x6f7778, dwGroupId=0x0) returned 0x0
[0216.756] LocalFree (hMem=0x6f7778) returned 0x0
[0216.762] LocalAlloc (uFlags=0x0, uBytes=0x15) returned 0x6e5118
[0216.762] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x6e5118, dwGroupId=0x0) returned 0x73f9d6c0
[0216.767] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x22f87b8, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x19f434 | out: pvStructInfo=0x0, pcbStructInfo=0x19f434) returned 1
[0216.768] LocalAlloc (uFlags=0x0, uBytes=0x214) returned 0x6ee610
[0216.768] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x22f87b8, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x6ee610, pcbStructInfo=0x19f434 | out: pvStructInfo=0x6ee610, pcbStructInfo=0x19f434) returned 1
[0216.768] LocalFree (hMem=0x6ee610) returned 0x0
[0216.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eda4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43
[0216.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19ee08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43
[0216.960] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f2b0) returned 1
[0216.960] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f32c | out: lpFileInformation=0x19f32c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0216.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f2ac) returned 1
[0217.059] CoTaskMemAlloc (cb=0x2e) returned 0x6f77b0
[0217.065] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x6f77b0, dwGroupId=0x1) returned 0x0
[0217.065] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x6f77b0, dwGroupId=0x0) returned 0x0
[0217.065] CoTaskMemFree (pv=0x6f77b0)
[0217.074] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="AsyncMutex_6SI8OkPnk") returned 0x2f0
[0217.137] SetThreadExecutionState (esFlags=0x80000003) returned 0x80000000
[0218.014] GetCurrentProcess () returned 0xffffffff
[0218.014] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0c0 | out: TokenHandle=0x19f0c0*=0x2f4) returned 1
[0218.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x19eb58, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e
[0218.022] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0b8 | out: lpFileInformation=0x19f0b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0218.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eb24, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0218.023] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0c0 | out: lpFileInformation=0x19f0c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0218.024] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0218.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19eff8) returned 1
[0218.024] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x300
[0218.025] GetFileType (hFile=0x300) returned 0x1
[0218.025] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19eff4) returned 1
[0218.025] GetFileType (hFile=0x300) returned 0x1
[0218.081] GetFileSize (in: hFile=0x300, lpFileSizeHigh=0x19f0b4 | out: lpFileSizeHigh=0x19f0b4*=0x0) returned 0x8c8f
[0218.081] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19f070, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19f070*=0x1000, lpOverlapped=0x0) returned 1
[0218.102] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ef20, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19ef20*=0x1000, lpOverlapped=0x0) returned 1
[0218.104] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19edd4, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19edd4*=0x1000, lpOverlapped=0x0) returned 1
[0218.105] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19edd4, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19edd4*=0x1000, lpOverlapped=0x0) returned 1
[0218.105] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19edd4, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19edd4*=0x1000, lpOverlapped=0x0) returned 1
[0218.105] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ed0c, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19ed0c*=0x1000, lpOverlapped=0x0) returned 1
[0218.109] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ee8c, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19ee8c*=0x1000, lpOverlapped=0x0) returned 1
[0218.111] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ed9c, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19ed9c*=0x1000, lpOverlapped=0x0) returned 1
[0218.111] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ed9c, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19ed9c*=0xc8f, lpOverlapped=0x0) returned 1
[0218.111] ReadFile (in: hFile=0x300, lpBuffer=0x231cd78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ee5c, lpOverlapped=0x0 | out: lpBuffer=0x231cd78*, lpNumberOfBytesRead=0x19ee5c*=0x0, lpOverlapped=0x0) returned 1
[0218.111] CloseHandle (hObject=0x300) returned 1
[0218.112] GetCurrentProcess () returned 0xffffffff
[0218.112] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x300) returned 1
[0218.113] GetCurrentProcess () returned 0xffffffff
[0218.113] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x304) returned 1
[0218.114] GetCurrentProcess () returned 0xffffffff
[0218.114] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0c0 | out: TokenHandle=0x19f0c0*=0x308) returned 1
[0218.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0b8 | out: lpFileInformation=0x19f0b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0218.114] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config", nBufferLength=0x105, lpBuffer=0x19eb24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config", lpFilePart=0x0) returned 0x69
[0218.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0c0 | out: lpFileInformation=0x19f0c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0218.115] GetCurrentProcess () returned 0xffffffff
[0218.115] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x30c) returned 1
[0218.115] GetCurrentProcess () returned 0xffffffff
[0218.115] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x310) returned 1
[0218.175] GetCurrentProcess () returned 0xffffffff
[0218.176] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f064 | out: TokenHandle=0x19f064*=0x314) returned 1
[0218.197] GetCurrentProcess () returned 0xffffffff
[0218.197] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f074 | out: TokenHandle=0x19f074*=0x318) returned 1
[0218.285] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x19f258 | out: lpWSAData=0x19f258) returned 0
[0218.293] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x340
[0218.726] setsockopt (s=0x340, level=65535, optname=128, optval="\x01", optlen=4) returned -1
[0218.726] closesocket (s=0x340) returned 0
[0218.726] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x340
[0218.728] setsockopt (s=0x340, level=65535, optname=128, optval="\x01", optlen=4) returned -1
[0218.728] closesocket (s=0x340) returned 0
[0218.733] GetCurrentProcess () returned 0xffffffff
[0218.733] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0a0 | out: TokenHandle=0x19f0a0*=0x340) returned 1
[0218.739] GetCurrentProcess () returned 0xffffffff
[0218.739] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0b0 | out: TokenHandle=0x19f0b0*=0x344) returned 1
[0218.809] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x348
[0218.812] setsockopt (s=0x348, level=65535, optname=4098, optval="", optlen=4) returned 0
[0218.813] setsockopt (s=0x348, level=65535, optname=4097, optval="", optlen=4) returned 0
[0218.826] WSAConnect (in: s=0x348, name=0x233bd10*(sa_family=2, sin_port=0xbd6, sin_addr="91.193.75.135"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1
[0220.206] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x274d, dwLanguageId=0x0, lpBuffer=0x19f184, nSize=0x101, Arguments=0x0 | out: lpBuffer="No connection could be made because the target machine actively refused it.\r\n") returned 0x4d
[0225.270] closesocket (s=0x348) returned 0
[0225.271] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x348
[0225.273] setsockopt (s=0x348, level=65535, optname=4098, optval="", optlen=4) returned 0
[0225.273] setsockopt (s=0x348, level=65535, optname=4097, optval="", optlen=4) returned 0
[0225.275] WSAConnect (in: s=0x348, name=0x233ca38*(sa_family=2, sin_port=0xbd6, sin_addr="91.193.75.135"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1
[0226.650] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x274d, dwLanguageId=0x0, lpBuffer=0x19f184, nSize=0x101, Arguments=0x0 | out: lpBuffer="No connection could be made because the target machine actively refused it.\r\n") returned 0x4d
Thread:
id = 102
os_tid = 0x10a0
Thread:
id = 103
os_tid = 0x1098
Thread:
id = 104
os_tid = 0x10a4
[0208.221] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0208.222] RoInitialize () returned 0x1
[0208.222] RoUninitialize () returned 0x0
Process:
id = "8"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x50e1a000"
os_pid = "0x3ec"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "4"
os_parent_pid = "0x210"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d37f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1462
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1463
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1464
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1465
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1466
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1467
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1468
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1469
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1470
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1471
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1472
start_va = 0x7ff7d7f90000
end_va = 0x7ff7d7f9cfff
monitored = 0
entry_point = 0x7ff7d7f93980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1473
start_va = 0x7fff4aee0000
end_va = 0x7fff4b0a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1591
start_va = 0x100000
end_va = 0x176fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1592
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1593
start_va = 0x400000
end_va = 0x4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1594
start_va = 0x7fff48b20000
end_va = 0x7fff48bccfff
monitored = 0
entry_point = 0x7fff48b381a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1595
start_va = 0x7fff477b0000
end_va = 0x7fff47997fff
monitored = 0
entry_point = 0x7fff477dba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1596
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1597
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1598
start_va = 0x500000
end_va = 0x5bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1599
start_va = 0x7fff4ae80000
end_va = 0x7fff4aedafff
monitored = 0
entry_point = 0x7fff4ae938b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1600
start_va = 0x7fff48cd0000
end_va = 0x7fff48debfff
monitored = 0
entry_point = 0x7fff48d102b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1601
start_va = 0x180000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 1602
start_va = 0x7fff466a0000
end_va = 0x7fff46793fff
monitored = 0
entry_point = 0x7fff466aa960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1603
start_va = 0x7fff48f50000
end_va = 0x7fff491ccfff
monitored = 0
entry_point = 0x7fff49024970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1604
start_va = 0x7fff48c30000
end_va = 0x7fff48cccfff
monitored = 0
entry_point = 0x7fff48c378a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1605
start_va = 0x7fff47a70000
end_va = 0x7fff47ad9fff
monitored = 0
entry_point = 0x7fff47aa6d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1606
start_va = 0x5c0000
end_va = 0x666fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 1607
start_va = 0x670000
end_va = 0x86ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 1608
start_va = 0x700000
end_va = 0x7fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 1609
start_va = 0x800000
end_va = 0x8dcfff
monitored = 0
entry_point = 0x85e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1611
start_va = 0x7fff47560000
end_va = 0x7fff4756efff
monitored = 0
entry_point = 0x7fff47563210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1612
start_va = 0x7fff48df0000
end_va = 0x7fff48f45fff
monitored = 0
entry_point = 0x7fff48dfa8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1613
start_va = 0x7fff493f0000
end_va = 0x7fff49575fff
monitored = 0
entry_point = 0x7fff4943ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1614
start_va = 0x800000
end_va = 0x987fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000800000"
filename = ""
Region:
id = 1615
start_va = 0x990000
end_va = 0xb10fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000990000"
filename = ""
Region:
id = 1616
start_va = 0xb20000
end_va = 0xbdffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b20000"
filename = ""
Region:
id = 1617
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 1618
start_va = 0x100000
end_va = 0x100fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1619
start_va = 0x110000
end_va = 0x110fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 1620
start_va = 0x170000
end_va = 0x176fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 1621
start_va = 0xbe0000
end_va = 0xdb6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000be0000"
filename = ""
Region:
id = 1622
start_va = 0xdc0000
end_va = 0xfbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000dc0000"
filename = ""
Region:
id = 1623
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 1624
start_va = 0xbe0000
end_va = 0xcdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000be0000"
filename = ""
Region:
id = 1625
start_va = 0xdb0000
end_va = 0xdb6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000db0000"
filename = ""
Region:
id = 1626
start_va = 0x7fff41650000
end_va = 0x7fff4179cfff
monitored = 0
entry_point = 0x7fff41693da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1627
start_va = 0x7fff461b0000
end_va = 0x7fff461bbfff
monitored = 0
entry_point = 0x7fff461b2480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1628
start_va = 0x7fff41630000
end_va = 0x7fff41647fff
monitored = 0
entry_point = 0x7fff41635910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1629
start_va = 0x7fff41620000
end_va = 0x7fff41629fff
monitored = 0
entry_point = 0x7fff41621660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1630
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 1631
start_va = 0x7fff41610000
end_va = 0x7fff4161afff
monitored = 0
entry_point = 0x7fff41611770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 1632
start_va = 0x7fff43dc0000
end_va = 0x7fff43e51fff
monitored = 0
entry_point = 0x7fff43e0a780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1633
start_va = 0x7fff41490000
end_va = 0x7fff4160bfff
monitored = 0
entry_point = 0x7fff414e1650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 1634
start_va = 0x7fff49580000
end_va = 0x7fff49640fff
monitored = 0
entry_point = 0x7fff495a0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1635
start_va = 0x7fff47500000
end_va = 0x7fff4754afff
monitored = 0
entry_point = 0x7fff475035f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1636
start_va = 0x7fff491e0000
end_va = 0x7fff49286fff
monitored = 0
entry_point = 0x7fff491f58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1637
start_va = 0x7fff475e0000
end_va = 0x7fff477a6fff
monitored = 0
entry_point = 0x7fff4763db80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1638
start_va = 0x7fff47550000
end_va = 0x7fff4755ffff
monitored = 0
entry_point = 0x7fff475556e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1639
start_va = 0x7fff48a30000
end_va = 0x7fff48a9afff
monitored = 0
entry_point = 0x7fff48a490c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1640
start_va = 0x7fff45db0000
end_va = 0x7fff45deffff
monitored = 0
entry_point = 0x7fff45dc1960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 1641
start_va = 0x1000000
end_va = 0x10fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001000000"
filename = ""
Region:
id = 1642
start_va = 0x7fff413c0000
end_va = 0x7fff41487fff
monitored = 0
entry_point = 0x7fff414013f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1643
start_va = 0x7fff43f30000
end_va = 0x7fff43f65fff
monitored = 0
entry_point = 0x7fff43f40070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1644
start_va = 0x7fff41350000
end_va = 0x7fff413b0fff
monitored = 0
entry_point = 0x7fff41354b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1645
start_va = 0x1100000
end_va = 0x1242fff
monitored = 0
entry_point = 0x1128210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1646
start_va = 0x7fff41320000
end_va = 0x7fff41336fff
monitored = 0
entry_point = 0x7fff41325630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1647
start_va = 0x1100000
end_va = 0x11dcfff
monitored = 0
entry_point = 0x115e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1648
start_va = 0x1100000
end_va = 0x11fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 1649
start_va = 0x1200000
end_va = 0x12fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001200000"
filename = ""
Region:
id = 1650
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 1651
start_va = 0x120000
end_va = 0x120fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000120000"
filename = ""
Region:
id = 1652
start_va = 0x7fff4ac20000
end_va = 0x7fff4acc6fff
monitored = 0
entry_point = 0x7fff4ac2b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1653
start_va = 0x130000
end_va = 0x130fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000130000"
filename = ""
Region:
id = 1654
start_va = 0x1400000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 1655
start_va = 0x140000
end_va = 0x140fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000140000"
filename = ""
Region:
id = 1656
start_va = 0x150000
end_va = 0x166fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 1657
start_va = 0x1500000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 1658
start_va = 0x1500000
end_va = 0x15fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 1659
start_va = 0x7fff41300000
end_va = 0x7fff41312fff
monitored = 0
entry_point = 0x7fff413057f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1660
start_va = 0x7fff467a0000
end_va = 0x7fff467f5fff
monitored = 0
entry_point = 0x7fff467b0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1661
start_va = 0x1600000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001600000"
filename = ""
Region:
id = 1662
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 1663
start_va = 0x7fff412e0000
end_va = 0x7fff412fffff
monitored = 0
entry_point = 0x7fff412e39a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 1664
start_va = 0x7fff496c0000
end_va = 0x7fff4ac1efff
monitored = 0
entry_point = 0x7fff498211f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1665
start_va = 0x7fff47590000
end_va = 0x7fff475d2fff
monitored = 0
entry_point = 0x7fff475a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1666
start_va = 0x7fff47ae0000
end_va = 0x7fff48123fff
monitored = 0
entry_point = 0x7fff47ca64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1667
start_va = 0x7fff49660000
end_va = 0x7fff496b1fff
monitored = 0
entry_point = 0x7fff4966f530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1668
start_va = 0x7fff48220000
end_va = 0x7fff482d4fff
monitored = 0
entry_point = 0x7fff482622e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1669
start_va = 0x7fff47570000
end_va = 0x7fff47583fff
monitored = 0
entry_point = 0x7fff475752e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1670
start_va = 0x7fff46cc0000
end_va = 0x7fff46cdefff
monitored = 0
entry_point = 0x7fff46cc5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1671
start_va = 0x7fff45f40000
end_va = 0x7fff45f66fff
monitored = 0
entry_point = 0x7fff45f47940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1672
start_va = 0x150000
end_va = 0x150fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000150000"
filename = ""
Region:
id = 1673
start_va = 0x160000
end_va = 0x166fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000160000"
filename = ""
Region:
id = 1674
start_va = 0x7fff412d0000
end_va = 0x7fff412dbfff
monitored = 0
entry_point = 0x7fff412d14d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1675
start_va = 0x7fff41270000
end_va = 0x7fff412c4fff
monitored = 0
entry_point = 0x7fff4127fc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1676
start_va = 0x7fff41230000
end_va = 0x7fff41266fff
monitored = 0
entry_point = 0x7fff41236020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 1677
start_va = 0x7fff411d0000
end_va = 0x7fff41224fff
monitored = 0
entry_point = 0x7fff411d3fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 1678
start_va = 0x1000000
end_va = 0x10fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001000000"
filename = ""
Region:
id = 1679
start_va = 0x1800000
end_va = 0x1b36fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1680
start_va = 0x7fff41340000
end_va = 0x7fff4134bfff
monitored = 0
entry_point = 0x7fff41342830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 1681
start_va = 0x1b40000
end_va = 0x1c3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b40000"
filename = ""
Region:
id = 1682
start_va = 0x7fff411a0000
end_va = 0x7fff411c6fff
monitored = 0
entry_point = 0x7fff411a3bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 1683
start_va = 0x7fff48bd0000
end_va = 0x7fff48c2bfff
monitored = 0
entry_point = 0x7fff48beb720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1684
start_va = 0x7fff46970000
end_va = 0x7fff4697bfff
monitored = 0
entry_point = 0x7fff469727e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1685
start_va = 0x7fff41160000
end_va = 0x7fff4119dfff
monitored = 0
entry_point = 0x7fff4116a050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1686
start_va = 0x7fff41140000
end_va = 0x7fff41159fff
monitored = 0
entry_point = 0x7fff41142cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 1687
start_va = 0x7fff4ad30000
end_va = 0x7fff4ae72fff
monitored = 0
entry_point = 0x7fff4ad58210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1688
start_va = 0x7fff41120000
end_va = 0x7fff41130fff
monitored = 0
entry_point = 0x7fff41127ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 1689
start_va = 0x7fff410f0000
end_va = 0x7fff41114fff
monitored = 0
entry_point = 0x7fff41102f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 1690
start_va = 0x7fff41030000
end_va = 0x7fff410e0fff
monitored = 0
entry_point = 0x7fff410a88b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 1691
start_va = 0x7fff47390000
end_va = 0x7fff473b8fff
monitored = 0
entry_point = 0x7fff473a4530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1692
start_va = 0x7fff40ff0000
end_va = 0x7fff41028fff
monitored = 0
entry_point = 0x7fff40ff9c90
region_type = mapped_file
name = "aepic.dll"
filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll")
Region:
id = 1693
start_va = 0x7fff40fd0000
end_va = 0x7fff40fe0fff
monitored = 0
entry_point = 0x7fff40fd3e10
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 1694
start_va = 0x7fff424a0000
end_va = 0x7fff42821fff
monitored = 0
entry_point = 0x7fff424f1220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1695
start_va = 0x7fff40fb0000
end_va = 0x7fff40fc1fff
monitored = 0
entry_point = 0x7fff40fb9260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 1696
start_va = 0x7fff40f00000
end_va = 0x7fff40fadfff
monitored = 0
entry_point = 0x7fff40f180c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 1697
start_va = 0x7fff40e40000
end_va = 0x7fff40efefff
monitored = 0
entry_point = 0x7fff40e61c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1698
start_va = 0x1c40000
end_va = 0x1d3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c40000"
filename = ""
Region:
id = 1699
start_va = 0x7fff46500000
end_va = 0x7fff46523fff
monitored = 0
entry_point = 0x7fff46503260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1700
start_va = 0x1d40000
end_va = 0x1e3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d40000"
filename = ""
Region:
id = 1701
start_va = 0x7fff40cd0000
end_va = 0x7fff40dcbfff
monitored = 0
entry_point = 0x7fff40d06df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1702
start_va = 0x7fff40c80000
end_va = 0x7fff40cc0fff
monitored = 0
entry_point = 0x7fff40c97eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1703
start_va = 0x7fff47370000
end_va = 0x7fff47388fff
monitored = 0
entry_point = 0x7fff47375e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 1704
start_va = 0x5c0000
end_va = 0x606fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 1705
start_va = 0x660000
end_va = 0x666fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 1706
start_va = 0x1e40000
end_va = 0x203ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e40000"
filename = ""
Region:
id = 1707
start_va = 0x1f00000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 1708
start_va = 0x7fff46800000
end_va = 0x7fff46848fff
monitored = 0
entry_point = 0x7fff4680a090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1709
start_va = 0x7fff40c60000
end_va = 0x7fff40c70fff
monitored = 0
entry_point = 0x7fff40c63320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1710
start_va = 0x7fff471e0000
end_va = 0x7fff4720cfff
monitored = 0
entry_point = 0x7fff471f9d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1711
start_va = 0x5c0000
end_va = 0x5c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 1712
start_va = 0x600000
end_va = 0x606fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1713
start_va = 0x5c0000
end_va = 0x5c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 1714
start_va = 0x670000
end_va = 0x6effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 1715
start_va = 0xbe0000
end_va = 0xcdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000be0000"
filename = ""
Region:
id = 1716
start_va = 0x7fff40bf0000
end_va = 0x7fff40c5dfff
monitored = 0
entry_point = 0x7fff40bf7f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1717
start_va = 0x7fff46a50000
end_va = 0x7fff46a80fff
monitored = 0
entry_point = 0x7fff46a57d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1718
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 1719
start_va = 0xce0000
end_va = 0xd5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000ce0000"
filename = ""
Region:
id = 1720
start_va = 0x1e40000
end_va = 0x1ebffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e40000"
filename = ""
Region:
id = 1721
start_va = 0x7fff40ba0000
end_va = 0x7fff40be1fff
monitored = 0
entry_point = 0x7fff40ba27d0
region_type = mapped_file
name = "mstask.dll"
filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll")
Region:
id = 1722
start_va = 0x5c0000
end_va = 0x5c1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005c0000"
filename = ""
Region:
id = 1723
start_va = 0x7fff40a60000
end_va = 0x7fff40a75fff
monitored = 0
entry_point = 0x7fff40a61b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1724
start_va = 0x7fff40a30000
end_va = 0x7fff40a5efff
monitored = 0
entry_point = 0x7fff40a38910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 1725
start_va = 0x7fff40a20000
end_va = 0x7fff40a2cfff
monitored = 0
entry_point = 0x7fff40a22ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 1726
start_va = 0x2000000
end_va = 0x207ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 1727
start_va = 0x7fff46e30000
end_va = 0x7fff46e8bfff
monitored = 0
entry_point = 0x7fff46e46f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1728
start_va = 0x5d0000
end_va = 0x5d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 1729
start_va = 0x7fff45c10000
end_va = 0x7fff45c22fff
monitored = 0
entry_point = 0x7fff45c12760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1730
start_va = 0x7fff45990000
end_va = 0x7fff45997fff
monitored = 0
entry_point = 0x7fff459913e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 1731
start_va = 0x2080000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002080000"
filename = ""
Region:
id = 1732
start_va = 0x5e0000
end_va = 0x5e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005e0000"
filename = ""
Region:
id = 1733
start_va = 0x7fff40880000
end_va = 0x7fff40965fff
monitored = 0
entry_point = 0x7fff4089cf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 1734
start_va = 0x7fff42360000
end_va = 0x7fff42495fff
monitored = 0
entry_point = 0x7fff4238f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1737
start_va = 0x7fff40840000
end_va = 0x7fff4086dfff
monitored = 0
entry_point = 0x7fff40847550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1738
start_va = 0x7fff47040000
end_va = 0x7fff47060fff
monitored = 0
entry_point = 0x7fff47050250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 1739
start_va = 0x7fff45bb0000
end_va = 0x7fff45bcbfff
monitored = 0
entry_point = 0x7fff45bb37a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1740
start_va = 0x5e0000
end_va = 0x5ecfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 1741
start_va = 0x2180000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1742
start_va = 0x2200000
end_va = 0x22fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 1743
start_va = 0x7fff404a0000
end_va = 0x7fff40539fff
monitored = 0
entry_point = 0x7fff404bada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1744
start_va = 0x5f0000
end_va = 0x5f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 1745
start_va = 0x2300000
end_va = 0x23fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 1746
start_va = 0x5f0000
end_va = 0x5f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 1747
start_va = 0x7fff40420000
end_va = 0x7fff40460fff
monitored = 0
entry_point = 0x7fff40424840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 1748
start_va = 0x2400000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 1749
start_va = 0x2400000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 1750
start_va = 0x7fff41f70000
end_va = 0x7fff41fd3fff
monitored = 0
entry_point = 0x7fff41f85ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1751
start_va = 0x2500000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 1752
start_va = 0x7fff47000000
end_va = 0x7fff4700afff
monitored = 0
entry_point = 0x7fff470019a0
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1765
start_va = 0x1c40000
end_va = 0x1cbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c40000"
filename = ""
Region:
id = 1766
start_va = 0x7fff45a20000
end_va = 0x7fff45ba5fff
monitored = 0
entry_point = 0x7fff45a6d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1767
start_va = 0x5f0000
end_va = 0x5f3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1768
start_va = 0x610000
end_va = 0x654fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 1769
start_va = 0x6f0000
end_va = 0x6f3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1770
start_va = 0x2600000
end_va = 0x268dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 1771
start_va = 0xd60000
end_va = 0xd70fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 1772
start_va = 0x7fff3fbb0000
end_va = 0x7fff3fc6ffff
monitored = 0
entry_point = 0x7fff3fbdfd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1773
start_va = 0xd80000
end_va = 0xd80fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d80000"
filename = ""
Region:
id = 1774
start_va = 0x2690000
end_va = 0x288ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002690000"
filename = ""
Region:
id = 1775
start_va = 0x2700000
end_va = 0x27fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002700000"
filename = ""
Region:
id = 1776
start_va = 0x7fff40b90000
end_va = 0x7fff40b9ffff
monitored = 0
entry_point = 0x7fff40b92c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 1777
start_va = 0x7fff3fba0000
end_va = 0x7fff3fbadfff
monitored = 0
entry_point = 0x7fff3fba1460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1869
start_va = 0x7fff3fae0000
end_va = 0x7fff3fb31fff
monitored = 0
entry_point = 0x7fff3fae38e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 1870
start_va = 0x7fff3fab0000
end_va = 0x7fff3fadcfff
monitored = 0
entry_point = 0x7fff3fab2290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 1871
start_va = 0x7fff3faa0000
end_va = 0x7fff3faa8fff
monitored = 0
entry_point = 0x7fff3faa1ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 1872
start_va = 0x7fff40800000
end_va = 0x7fff40837fff
monitored = 0
entry_point = 0x7fff40818cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1873
start_va = 0x7fff3fa90000
end_va = 0x7fff3fa9ffff
monitored = 0
entry_point = 0x7fff3fa91700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 1874
start_va = 0x7fff48130000
end_va = 0x7fff481b5fff
monitored = 0
entry_point = 0x7fff4813d8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1875
start_va = 0x7fff46280000
end_va = 0x7fff462b1fff
monitored = 0
entry_point = 0x7fff46292340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 1905
start_va = 0x7fff464f0000
end_va = 0x7fff464fbfff
monitored = 0
entry_point = 0x7fff464f2790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 1908
start_va = 0x7fff45bd0000
end_va = 0x7fff45c01fff
monitored = 0
entry_point = 0x7fff45bdb0c0
region_type = mapped_file
name = "shacct.dll"
filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")
Region:
id = 1911
start_va = 0x7fff3f6b0000
end_va = 0x7fff3f74afff
monitored = 0
entry_point = 0x7fff3f6b7220
region_type = mapped_file
name = "settingsync.dll"
filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll")
Region:
id = 1912
start_va = 0xd80000
end_va = 0xd81fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000d80000"
filename = ""
Region:
id = 1913
start_va = 0x2800000
end_va = 0x28dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 1922
start_va = 0x7fff3f4c0000
end_va = 0x7fff3f4d0fff
monitored = 0
entry_point = 0x7fff3f4c28d0
region_type = mapped_file
name = "credentialmigrationhandler.dll"
filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")
Region:
id = 1923
start_va = 0x28e0000
end_va = 0x29dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000028e0000"
filename = ""
Region:
id = 1924
start_va = 0x1cc0000
end_va = 0x1d3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cc0000"
filename = ""
Region:
id = 1928
start_va = 0x7fff41a70000
end_va = 0x7fff41ae9fff
monitored = 0
entry_point = 0x7fff41a97630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1929
start_va = 0xd90000
end_va = 0xd90fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000d90000"
filename = ""
Region:
id = 1931
start_va = 0x7fff473c0000
end_va = 0x7fff47458fff
monitored = 0
entry_point = 0x7fff473ef4e0
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1932
start_va = 0xd90000
end_va = 0xd91fff
monitored = 0
entry_point = 0xd95630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1933
start_va = 0x28e0000
end_va = 0x29dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000028e0000"
filename = ""
Region:
id = 1934
start_va = 0xda0000
end_va = 0xda4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Thread:
id = 105
os_tid = 0x3f0
Thread:
id = 106
os_tid = 0x148
Thread:
id = 107
os_tid = 0x2c8
Thread:
id = 108
os_tid = 0x2e0
Thread:
id = 109
os_tid = 0x398
Thread:
id = 110
os_tid = 0x3a8
Thread:
id = 111
os_tid = 0x3d8
Thread:
id = 112
os_tid = 0x2e4
Thread:
id = 113
os_tid = 0x20c
Thread:
id = 114
os_tid = 0x174
Thread:
id = 115
os_tid = 0x398
Thread:
id = 116
os_tid = 0x2a8
Thread:
id = 117
os_tid = 0x2e0
Thread:
id = 118
os_tid = 0x410
Thread:
id = 119
os_tid = 0x414
Thread:
id = 120
os_tid = 0x418
Thread:
id = 121
os_tid = 0x420
Thread:
id = 122
os_tid = 0x424
Thread:
id = 123
os_tid = 0x42c
Thread:
id = 124
os_tid = 0x440
Thread:
id = 125
os_tid = 0x448
Thread:
id = 126
os_tid = 0x4a0
Thread:
id = 127
os_tid = 0x4b0
Thread:
id = 128
os_tid = 0x498
Thread:
id = 129
os_tid = 0x510
Thread:
id = 130
os_tid = 0x524
Thread:
id = 149
os_tid = 0x5d8
Thread:
id = 152
os_tid = 0x5f0
Process:
id = "9"
image_name = "taskhostw.exe"
filename = "c:\\windows\\system32\\taskhostw.exe"
page_root = "0x87e1000"
os_pid = "0x51c"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "child_process"
parent_id = "8"
os_parent_pid = "0x3ec"
cmd_line = "taskhostw.exe SYSTEM"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d37f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1753
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1754
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1755
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1756
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1757
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1758
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1759
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1760
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1761
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1762
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1763
start_va = 0x7ff68fd60000
end_va = 0x7ff68fd78fff
monitored = 0
entry_point = 0x7ff68fd659b0
region_type = mapped_file
name = "taskhostw.exe"
filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")
Region:
id = 1764
start_va = 0x7fff4aee0000
end_va = 0x7fff4b0a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1892
start_va = 0x400000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1893
start_va = 0x7fff48b20000
end_va = 0x7fff48bccfff
monitored = 0
entry_point = 0x7fff48b381a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1894
start_va = 0x7fff477b0000
end_va = 0x7fff47997fff
monitored = 0
entry_point = 0x7fff477dba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1895
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1896
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1897
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1898
start_va = 0x7fff48c30000
end_va = 0x7fff48cccfff
monitored = 0
entry_point = 0x7fff48c378a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1899
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1900
start_va = 0x4e0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004e0000"
filename = ""
Region:
id = 1901
start_va = 0x7fff48cd0000
end_va = 0x7fff48debfff
monitored = 0
entry_point = 0x7fff48d102b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1902
start_va = 0x7fff48f50000
end_va = 0x7fff491ccfff
monitored = 0
entry_point = 0x7fff49024970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1903
start_va = 0x7fff47a70000
end_va = 0x7fff47ad9fff
monitored = 0
entry_point = 0x7fff47aa6d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1904
start_va = 0x7fff49580000
end_va = 0x7fff49640fff
monitored = 0
entry_point = 0x7fff495a0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1914
start_va = 0x5e0000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 1915
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1916
start_va = 0x5e0000
end_va = 0x722fff
monitored = 0
entry_point = 0x608210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1917
start_va = 0x7c0000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007c0000"
filename = ""
Region:
id = 1918
start_va = 0x5e0000
end_va = 0x6bcfff
monitored = 0
entry_point = 0x63e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1919
start_va = 0x7fff47560000
end_va = 0x7fff4756efff
monitored = 0
entry_point = 0x7fff47563210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1920
start_va = 0x7fff48df0000
end_va = 0x7fff48f45fff
monitored = 0
entry_point = 0x7fff48dfa8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1921
start_va = 0x1c0000
end_va = 0x1c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Thread:
id = 147
os_tid = 0x520
Thread:
id = 148
os_tid = 0x578
Process:
id = "10"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x52114000"
os_pid = "0x3cc"
os_integrity_level = "0x4000"
os_privileges = "0x60800000"
monitor_reason = "rpc_server"
parent_id = "8"
os_parent_pid = "0x210"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Local Service"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xe], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d0da" [0xc000000f], "LOCAL" [0x7]
Region:
id = 1778
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1779
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 1780
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1781
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1782
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1783
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1784
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1785
start_va = 0x100000
end_va = 0x100fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1786
start_va = 0x110000
end_va = 0x110fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 1787
start_va = 0x120000
end_va = 0x126fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000120000"
filename = ""
Region:
id = 1788
start_va = 0x130000
end_va = 0x136fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 1789
start_va = 0x140000
end_va = 0x140fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000140000"
filename = ""
Region:
id = 1790
start_va = 0x150000
end_va = 0x150fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000150000"
filename = ""
Region:
id = 1791
start_va = 0x160000
end_va = 0x160fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000160000"
filename = ""
Region:
id = 1792
start_va = 0x170000
end_va = 0x176fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 1793
start_va = 0x180000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 1794
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1795
start_va = 0x400000
end_va = 0x4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1796
start_va = 0x500000
end_va = 0x5bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1797
start_va = 0x5c0000
end_va = 0x5c1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "netprofmsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui")
Region:
id = 1798
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1799
start_va = 0x700000
end_va = 0x887fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000700000"
filename = ""
Region:
id = 1800
start_va = 0x890000
end_va = 0xa10fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000890000"
filename = ""
Region:
id = 1801
start_va = 0xa20000
end_va = 0xadffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a20000"
filename = ""
Region:
id = 1802
start_va = 0xb00000
end_va = 0xbfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b00000"
filename = ""
Region:
id = 1803
start_va = 0xc00000
end_va = 0xc7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000c00000"
filename = ""
Region:
id = 1804
start_va = 0xc80000
end_va = 0xcc8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 1805
start_va = 0xd00000
end_va = 0xdfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d00000"
filename = ""
Region:
id = 1806
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 1807
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 1808
start_va = 0x1000000
end_va = 0x10d3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeuil.ttf"
filename = "\\Windows\\Fonts\\segoeuil.ttf" (normalized: "c:\\windows\\fonts\\segoeuil.ttf")
Region:
id = 1809
start_va = 0x10e0000
end_va = 0x11a3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeuisl.ttf"
filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf")
Region:
id = 1810
start_va = 0x1200000
end_va = 0x12fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001200000"
filename = ""
Region:
id = 1811
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 1812
start_va = 0x1400000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 1813
start_va = 0x1500000
end_va = 0x24fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 1814
start_va = 0x2500000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 1815
start_va = 0x2600000
end_va = 0x2936fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1816
start_va = 0x2a00000
end_va = 0x2afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 1817
start_va = 0x2c00000
end_va = 0x2cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c00000"
filename = ""
Region:
id = 1818
start_va = 0x2d00000
end_va = 0x2dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d00000"
filename = ""
Region:
id = 1819
start_va = 0x2e00000
end_va = 0x35fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-s-1-5-18.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-18.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-18.dat")
Region:
id = 1820
start_va = 0x5370000
end_va = 0x546ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005370000"
filename = ""
Region:
id = 1821
start_va = 0x5570000
end_va = 0x566ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005570000"
filename = ""
Region:
id = 1822
start_va = 0x5670000
end_va = 0x576ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005670000"
filename = ""
Region:
id = 1823
start_va = 0x5770000
end_va = 0x586ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005770000"
filename = ""
Region:
id = 1824
start_va = 0x5870000
end_va = 0x596ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005870000"
filename = ""
Region:
id = 1825
start_va = 0x5970000
end_va = 0x5a6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005970000"
filename = ""
Region:
id = 1826
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1827
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1828
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1829
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1830
start_va = 0x7ff7d7f90000
end_va = 0x7ff7d7f9cfff
monitored = 0
entry_point = 0x7ff7d7f93980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1831
start_va = 0x7fff3fba0000
end_va = 0x7fff3fbadfff
monitored = 0
entry_point = 0x7fff3fba1460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1832
start_va = 0x7fff3fcd0000
end_va = 0x7fff3fd5afff
monitored = 0
entry_point = 0x7fff3fced2a0
region_type = mapped_file
name = "netprofmsvc.dll"
filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll")
Region:
id = 1833
start_va = 0x7fff40fd0000
end_va = 0x7fff40fdcfff
monitored = 0
entry_point = 0x7fff40fd2650
region_type = mapped_file
name = "nsisvc.dll"
filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll")
Region:
id = 1834
start_va = 0x7fff412d0000
end_va = 0x7fff412dbfff
monitored = 0
entry_point = 0x7fff412d14d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1835
start_va = 0x7fff41630000
end_va = 0x7fff41647fff
monitored = 0
entry_point = 0x7fff41635910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1836
start_va = 0x7fff41890000
end_va = 0x7fff418b8fff
monitored = 0
entry_point = 0x7fff418a24d0
region_type = mapped_file
name = "fontprovider.dll"
filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll")
Region:
id = 1837
start_va = 0x7fff418c0000
end_va = 0x7fff41a61fff
monitored = 0
entry_point = 0x7fff4190c2d0
region_type = mapped_file
name = "fntcache.dll"
filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll")
Region:
id = 1838
start_va = 0x7fff41a70000
end_va = 0x7fff41ae9fff
monitored = 0
entry_point = 0x7fff41a97630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1839
start_va = 0x7fff43d30000
end_va = 0x7fff43d79fff
monitored = 0
entry_point = 0x7fff43d3ac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 1840
start_va = 0x7fff43d80000
end_va = 0x7fff43db2fff
monitored = 0
entry_point = 0x7fff43d8d5a0
region_type = mapped_file
name = "biwinrt.dll"
filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll")
Region:
id = 1841
start_va = 0x7fff43dc0000
end_va = 0x7fff43e51fff
monitored = 0
entry_point = 0x7fff43e0a780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1842
start_va = 0x7fff43e60000
end_va = 0x7fff43ed8fff
monitored = 0
entry_point = 0x7fff43e77800
region_type = mapped_file
name = "geolocation.dll"
filename = "\\Windows\\System32\\Geolocation.dll" (normalized: "c:\\windows\\system32\\geolocation.dll")
Region:
id = 1843
start_va = 0x7fff43ee0000
end_va = 0x7fff43ef9fff
monitored = 0
entry_point = 0x7fff43eeb670
region_type = mapped_file
name = "tzautoupdate.dll"
filename = "\\Windows\\System32\\tzautoupdate.dll" (normalized: "c:\\windows\\system32\\tzautoupdate.dll")
Region:
id = 1844
start_va = 0x7fff43f30000
end_va = 0x7fff43f65fff
monitored = 0
entry_point = 0x7fff43f40070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1845
start_va = 0x7fff46020000
end_va = 0x7fff4611ffff
monitored = 0
entry_point = 0x7fff46060f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 1846
start_va = 0x7fff466a0000
end_va = 0x7fff46793fff
monitored = 0
entry_point = 0x7fff466aa960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1847
start_va = 0x7fff46cc0000
end_va = 0x7fff46cdefff
monitored = 0
entry_point = 0x7fff46cc5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1848
start_va = 0x7fff47390000
end_va = 0x7fff473b8fff
monitored = 0
entry_point = 0x7fff473a4530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1849
start_va = 0x7fff47560000
end_va = 0x7fff4756efff
monitored = 0
entry_point = 0x7fff47563210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1850
start_va = 0x7fff47570000
end_va = 0x7fff47583fff
monitored = 0
entry_point = 0x7fff475752e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1851
start_va = 0x7fff477b0000
end_va = 0x7fff47997fff
monitored = 0
entry_point = 0x7fff477dba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1852
start_va = 0x7fff47a70000
end_va = 0x7fff47ad9fff
monitored = 0
entry_point = 0x7fff47aa6d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1853
start_va = 0x7fff48220000
end_va = 0x7fff482d4fff
monitored = 0
entry_point = 0x7fff482622e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1854
start_va = 0x7fff48b10000
end_va = 0x7fff48b17fff
monitored = 0
entry_point = 0x7fff48b11ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1855
start_va = 0x7fff48b20000
end_va = 0x7fff48bccfff
monitored = 0
entry_point = 0x7fff48b381a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1856
start_va = 0x7fff48c30000
end_va = 0x7fff48cccfff
monitored = 0
entry_point = 0x7fff48c378a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1857
start_va = 0x7fff48cd0000
end_va = 0x7fff48debfff
monitored = 0
entry_point = 0x7fff48d102b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1858
start_va = 0x7fff48df0000
end_va = 0x7fff48f45fff
monitored = 0
entry_point = 0x7fff48dfa8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1859
start_va = 0x7fff48f50000
end_va = 0x7fff491ccfff
monitored = 0
entry_point = 0x7fff49024970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1860
start_va = 0x7fff491e0000
end_va = 0x7fff49286fff
monitored = 0
entry_point = 0x7fff491f58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1861
start_va = 0x7fff493f0000
end_va = 0x7fff49575fff
monitored = 0
entry_point = 0x7fff4943ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1862
start_va = 0x7fff49580000
end_va = 0x7fff49640fff
monitored = 0
entry_point = 0x7fff495a0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1863
start_va = 0x7fff4ac20000
end_va = 0x7fff4acc6fff
monitored = 0
entry_point = 0x7fff4ac2b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1864
start_va = 0x7fff4ad30000
end_va = 0x7fff4ae72fff
monitored = 0
entry_point = 0x7fff4ad58210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1865
start_va = 0x7fff4ae80000
end_va = 0x7fff4aedafff
monitored = 0
entry_point = 0x7fff4ae938b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1866
start_va = 0x7fff4aee0000
end_va = 0x7fff4b0a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1867
start_va = 0x5a70000
end_va = 0x5b6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a70000"
filename = ""
Region:
id = 1868
start_va = 0x5d0000
end_va = 0x5fdfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005d0000"
filename = ""
Region:
id = 1883
start_va = 0x1000000
end_va = 0x10dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 1884
start_va = 0x7fff3fa70000
end_va = 0x7fff3fa83fff
monitored = 0
entry_point = 0x7fff3fa71a50
region_type = mapped_file
name = "wlanradiomanager.dll"
filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll")
Region:
id = 1885
start_va = 0x7fff40800000
end_va = 0x7fff40837fff
monitored = 0
entry_point = 0x7fff40818cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1886
start_va = 0x7fff41350000
end_va = 0x7fff413b0fff
monitored = 0
entry_point = 0x7fff41354b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1887
start_va = 0x7fff3fa50000
end_va = 0x7fff3fa68fff
monitored = 0
entry_point = 0x7fff3fa52180
region_type = mapped_file
name = "bthradiomedia.dll"
filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll")
Region:
id = 1888
start_va = 0x7fff47590000
end_va = 0x7fff475d2fff
monitored = 0
entry_point = 0x7fff475a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1889
start_va = 0x7fff45f40000
end_va = 0x7fff45f66fff
monitored = 0
entry_point = 0x7fff45f47940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1890
start_va = 0x7fff3fa30000
end_va = 0x7fff3fa4dfff
monitored = 0
entry_point = 0x7fff3fa31690
region_type = mapped_file
name = "bluetoothapis.dll"
filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll")
Region:
id = 1891
start_va = 0x7fff40870000
end_va = 0x7fff4087afff
monitored = 0
entry_point = 0x7fff40871d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1906
start_va = 0x7fff48a30000
end_va = 0x7fff48a9afff
monitored = 0
entry_point = 0x7fff48a490c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1907
start_va = 0x7fff46e30000
end_va = 0x7fff46e8bfff
monitored = 0
entry_point = 0x7fff46e46f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1909
start_va = 0x3600000
end_va = 0x37fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003600000"
filename = ""
Region:
id = 1910
start_va = 0x3600000
end_va = 0x36fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003600000"
filename = ""
Region:
id = 1925
start_va = 0x5b70000
end_va = 0x5c6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b70000"
filename = ""
Region:
id = 1926
start_va = 0x7fff413c0000
end_va = 0x7fff41487fff
monitored = 0
entry_point = 0x7fff414013f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1927
start_va = 0x7fff46500000
end_va = 0x7fff46523fff
monitored = 0
entry_point = 0x7fff46503260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1930
start_va = 0x5c70000
end_va = 0x5d6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005c70000"
filename = ""
Thread:
id = 131
os_tid = 0x55c
Thread:
id = 132
os_tid = 0x558
Thread:
id = 133
os_tid = 0x554
Thread:
id = 134
os_tid = 0x548
Thread:
id = 135
os_tid = 0x52c
Thread:
id = 136
os_tid = 0x480
Thread:
id = 137
os_tid = 0x258
Thread:
id = 138
os_tid = 0x250
Thread:
id = 139
os_tid = 0x254
Thread:
id = 140
os_tid = 0xf8
Thread:
id = 141
os_tid = 0x3e8
Thread:
id = 142
os_tid = 0x3e4
Thread:
id = 143
os_tid = 0x3dc
Thread:
id = 144
os_tid = 0x3d4
Thread:
id = 145
os_tid = 0x3d0
Thread:
id = 146
os_tid = 0x564
Thread:
id = 150
os_tid = 0x5e8
Thread:
id = 151
os_tid = 0x5ec