# Flog Txt Version 1 # Analyzer Version: 4.4.0 # Analyzer Build Date: Dec 8 2021 20:04:45 # Log Creation Date: 16.01.2022 22:02:27.197 Process: id = "1" image_name = "tbopbh.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\tbopbh.exe" page_root = "0x72e82000" os_pid = "0x31c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x618" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\Tbopbh.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 117 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 118 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 119 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 120 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 121 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 122 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 123 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 124 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 125 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 126 start_va = 0x400000 end_va = 0x42ffff monitored = 1 entry_point = 0x40614e region_type = mapped_file name = "tbopbh.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\Tbopbh.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tbopbh.exe") Region: id = 127 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 128 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 129 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 130 start_va = 0x7fff0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 131 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 132 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 270 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 271 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 272 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 273 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 274 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 275 start_va = 0x620000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 276 start_va = 0x6eeb0000 end_va = 0x6ef08fff monitored = 1 entry_point = 0x6eec0780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 277 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 278 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 279 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 280 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 281 start_va = 0x430000 end_va = 0x4edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 282 start_va = 0x4f0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 283 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 284 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 285 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 286 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 287 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 288 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 289 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 290 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 291 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 292 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 293 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 294 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 295 start_va = 0x530000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 296 start_va = 0x6cd40000 end_va = 0x6cdb8fff monitored = 1 entry_point = 0x6cd4f82a region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 297 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 298 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 299 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 300 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 301 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 302 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 303 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 304 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 305 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 306 start_va = 0x530000 end_va = 0x564fff monitored = 1 entry_point = 0x53614e region_type = mapped_file name = "tbopbh.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\Tbopbh.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tbopbh.exe") Region: id = 307 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 308 start_va = 0x9c0000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 309 start_va = 0xb50000 end_va = 0x1f4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b50000" filename = "" Region: id = 310 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 311 start_va = 0x6d5a0000 end_va = 0x6d5a7fff monitored = 0 entry_point = 0x6d5a17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 312 start_va = 0x1f50000 end_va = 0x2600fff monitored = 1 entry_point = 0x1f65d20 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 313 start_va = 0x6c680000 end_va = 0x6cd30fff monitored = 1 entry_point = 0x6c695d20 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 314 start_va = 0x6c400000 end_va = 0x6c4f4fff monitored = 0 entry_point = 0x6c454160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 315 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 316 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 317 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 318 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 319 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 320 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 321 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 322 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 323 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 324 start_va = 0x1f50000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 325 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 326 start_va = 0x5d0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 327 start_va = 0x1f50000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 328 start_va = 0x20b0000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 329 start_va = 0x720000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 330 start_va = 0x20c0000 end_va = 0x40bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 331 start_va = 0x40c0000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040c0000" filename = "" Region: id = 332 start_va = 0x2050000 end_va = 0x208ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 333 start_va = 0x4160000 end_va = 0x425ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 334 start_va = 0x4260000 end_va = 0x4596fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 335 start_va = 0x6b1d0000 end_va = 0x6c3f7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll") Region: id = 336 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 337 start_va = 0x45a0000 end_va = 0x4630fff monitored = 0 entry_point = 0x45d8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 338 start_va = 0x70970000 end_va = 0x709e4fff monitored = 0 entry_point = 0x709a9a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 339 start_va = 0x45a0000 end_va = 0x46affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 340 start_va = 0x720000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 341 start_va = 0x6b150000 end_va = 0x6b1cdfff monitored = 1 entry_point = 0x6b151140 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 342 start_va = 0x74d80000 end_va = 0x74e11fff monitored = 0 entry_point = 0x74db8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 343 start_va = 0x2090000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 344 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 345 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 346 start_va = 0x45a0000 end_va = 0x45affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 347 start_va = 0x46a0000 end_va = 0x46affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 348 start_va = 0x45b0000 end_va = 0x45bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 349 start_va = 0x45c0000 end_va = 0x45cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 350 start_va = 0x45d0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 351 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 352 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 353 start_va = 0x6a7a0000 end_va = 0x6b14bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll") Region: id = 354 start_va = 0x6a610000 end_va = 0x6a79cfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\9b645a48c9bcfc95aaadf6a069bb4ebe\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\9b645a48c9bcfc95aaadf6a069bb4ebe\\system.drawing.ni.dll") Region: id = 355 start_va = 0x699b0000 end_va = 0x6a608fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\8cd2187094ba6cade0ca0fab4f932654\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\8cd2187094ba6cade0ca0fab4f932654\\system.windows.forms.ni.dll") Region: id = 356 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 357 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 358 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 359 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 360 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 361 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 362 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 363 start_va = 0x20a0000 end_va = 0x20a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020a0000" filename = "" Region: id = 364 start_va = 0x45a0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 365 start_va = 0x46b0000 end_va = 0x47affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046b0000" filename = "" Region: id = 366 start_va = 0x72850000 end_va = 0x7299afff monitored = 0 entry_point = 0x728b1660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 367 start_va = 0x45e0000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 368 start_va = 0x47b0000 end_va = 0x48affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047b0000" filename = "" Region: id = 369 start_va = 0x4620000 end_va = 0x465ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 370 start_va = 0x4660000 end_va = 0x469ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004660000" filename = "" Region: id = 371 start_va = 0x48b0000 end_va = 0x49affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048b0000" filename = "" Region: id = 372 start_va = 0x49b0000 end_va = 0x4aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 373 start_va = 0x4ab0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 374 start_va = 0x75220000 end_va = 0x752a3fff monitored = 0 entry_point = 0x75246220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 375 start_va = 0x741a0000 end_va = 0x743bbfff monitored = 0 entry_point = 0x7436bc40 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll") Region: id = 376 start_va = 0x4ac0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ac0000" filename = "" Region: id = 377 start_va = 0x4ad0000 end_va = 0x4ad3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 378 start_va = 0x4ae0000 end_va = 0x4af2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db") Region: id = 379 start_va = 0x4b00000 end_va = 0x4b00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b00000" filename = "" Region: id = 380 start_va = 0x4ad0000 end_va = 0x4ad3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 381 start_va = 0x4b10000 end_va = 0x4b54fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 382 start_va = 0x4b60000 end_va = 0x4b63fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 383 start_va = 0x4b70000 end_va = 0x4bfdfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 384 start_va = 0x4c00000 end_va = 0x4c01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c00000" filename = "" Region: id = 385 start_va = 0x4c10000 end_va = 0x4c10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c10000" filename = "" Region: id = 386 start_va = 0x4c20000 end_va = 0x501afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c20000" filename = "" Region: id = 387 start_va = 0x70ce0000 end_va = 0x70e5dfff monitored = 0 entry_point = 0x70d5c630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 388 start_va = 0x72420000 end_va = 0x726eafff monitored = 0 entry_point = 0x7265c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 389 start_va = 0x5020000 end_va = 0x5020fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005020000" filename = "" Thread: id = 1 os_tid = 0x488 [0112.331] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0113.180] RoInitialize () returned 0x1 [0113.181] RoUninitialize () returned 0x0 [0117.109] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Tbopbh.exe", nBufferLength=0x105, lpBuffer=0x19ef40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Tbopbh.exe", lpFilePart=0x0) returned 0x28 [0117.119] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0117.377] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x7821d0 [0117.379] LocalAlloc (uFlags=0x0, uBytes=0x6c) returned 0x777538 [0123.405] ShellExecuteExW (in: pExecInfo=0x20c5f90*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20c5f90*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x3f0)) returned 1 [0127.502] LocalFree (hMem=0x7821d0) returned 0x0 [0127.503] LocalFree (hMem=0x777538) returned 0x0 [0127.671] GetCurrentProcess () returned 0xffffffff [0127.671] GetCurrentProcess () returned 0xffffffff [0127.673] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x3f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19f3e4, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19f3e4*=0x2a8) returned 1 [0127.677] CoWaitForMultipleHandles (dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x19f3dc*=0x2a8, lpdwindex=0x19f1fc) Thread: id = 2 os_tid = 0x520 Thread: id = 3 os_tid = 0xd4c Thread: id = 4 os_tid = 0x384 [0113.183] CoGetContextToken (in: pToken=0x425fc3c | out: pToken=0x425fc3c) returned 0x800401f0 [0113.183] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0113.183] RoInitialize () returned 0x1 [0113.183] RoUninitialize () returned 0x0 Thread: id = 5 os_tid = 0x66c Thread: id = 6 os_tid = 0x1218 Thread: id = 7 os_tid = 0x734 Thread: id = 8 os_tid = 0xaa0 Process: id = "2" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x699d7000" os_pid = "0x934" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x31c" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 390 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 391 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 392 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 393 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 394 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 395 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 396 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 397 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 398 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 399 start_va = 0xb60000 end_va = 0xbd0fff monitored = 0 entry_point = 0xb69c00 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 400 start_va = 0xbe0000 end_va = 0x4bdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 401 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 402 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 403 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 404 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 405 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 406 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 407 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 408 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 409 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 410 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 411 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 412 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 413 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 414 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 415 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 416 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 417 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 494 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 495 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 496 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 497 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 498 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 499 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 500 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 501 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 502 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 503 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 504 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 505 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 506 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 507 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 508 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 509 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 510 start_va = 0x6d580000 end_va = 0x6d597fff monitored = 0 entry_point = 0x6d584820 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 511 start_va = 0x74d80000 end_va = 0x74e11fff monitored = 0 entry_point = 0x74db8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 512 start_va = 0x6eeb0000 end_va = 0x6ef08fff monitored = 1 entry_point = 0x6eec0780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 513 start_va = 0x1d0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 514 start_va = 0x590000 end_va = 0x5b9fff monitored = 0 entry_point = 0x595680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 515 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 516 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 517 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 518 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 519 start_va = 0x1e0000 end_va = 0x1e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 520 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 521 start_va = 0x760000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 522 start_va = 0x4be0000 end_va = 0x5fdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004be0000" filename = "" Region: id = 523 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 524 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 525 start_va = 0x8f0000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 526 start_va = 0x5fe0000 end_va = 0x6316fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 527 start_va = 0x6cd40000 end_va = 0x6cdb8fff monitored = 1 entry_point = 0x6cd4f82a region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 528 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 529 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 530 start_va = 0x6d5a0000 end_va = 0x6d5a7fff monitored = 0 entry_point = 0x6d5a17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 531 start_va = 0x6c680000 end_va = 0x6cd30fff monitored = 1 entry_point = 0x6c695d20 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 532 start_va = 0x6c400000 end_va = 0x6c4f4fff monitored = 0 entry_point = 0x6c454160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 533 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 534 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 535 start_va = 0x8f0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 536 start_va = 0xa70000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 537 start_va = 0x900000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 538 start_va = 0x910000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 539 start_va = 0x920000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 540 start_va = 0x930000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 541 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 542 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 543 start_va = 0x6320000 end_va = 0x64cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006320000" filename = "" Region: id = 544 start_va = 0x960000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 545 start_va = 0x960000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 546 start_va = 0x9a0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 547 start_va = 0xa50000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 548 start_va = 0x9e0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 549 start_va = 0x64d0000 end_va = 0x84cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064d0000" filename = "" Region: id = 550 start_va = 0x9e0000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 551 start_va = 0xa00000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 552 start_va = 0xa80000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 553 start_va = 0x6b1d0000 end_va = 0x6c3f7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll") Region: id = 554 start_va = 0xac0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 555 start_va = 0xa40000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 556 start_va = 0x6a7a0000 end_va = 0x6b14bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll") Region: id = 557 start_va = 0x68ce0000 end_va = 0x693f1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\abad45b9cc652ba7e38c4c837234c0ab\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\abad45b9cc652ba7e38c4c837234c0ab\\system.core.ni.dll") Region: id = 558 start_va = 0x68c50000 end_va = 0x68cdafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\microsoft.powershell.consolehost.ni.dll") Region: id = 559 start_va = 0x70770000 end_va = 0x70782fff monitored = 0 entry_point = 0x70779950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 562 start_va = 0x70740000 end_va = 0x7076efff monitored = 0 entry_point = 0x707595e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 563 start_va = 0x74560000 end_va = 0x7457afff monitored = 0 entry_point = 0x74569050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 564 start_va = 0x673a0000 end_va = 0x68c4dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\system.management.automation.ni.dll") Region: id = 565 start_va = 0xae0000 end_va = 0xb41fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 566 start_va = 0xa60000 end_va = 0xa64fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 567 start_va = 0xac0000 end_va = 0xacffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 568 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 569 start_va = 0x776e0000 end_va = 0x776e5fff monitored = 0 entry_point = 0x776e1460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 570 start_va = 0x6320000 end_va = 0x641ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006320000" filename = "" Region: id = 571 start_va = 0x64c0000 end_va = 0x64cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064c0000" filename = "" Region: id = 572 start_va = 0x69960000 end_va = 0x699a3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\system.numerics.ni.dll") Region: id = 573 start_va = 0xb50000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 574 start_va = 0x698e0000 end_va = 0x69959fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\c5cf09a01c434d73a149336798330955\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\c5cf09a01c434d73a149336798330955\\microsoft.management.infrastructure.ni.dll") Region: id = 575 start_va = 0x66c80000 end_va = 0x67395fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\1f87b5140145c221b5201351fffc52d8\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\1f87b5140145c221b5201351fffc52d8\\system.xml.ni.dll") Region: id = 576 start_va = 0x6420000 end_va = 0x642ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006420000" filename = "" Region: id = 577 start_va = 0x697c0000 end_va = 0x698dbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\system.directoryservices.ni.dll") Region: id = 578 start_va = 0x696a0000 end_va = 0x697bbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\d2f554a0c84513cd793fdcd77a86dab1\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\d2f554a0c84513cd793fdcd77a86dab1\\system.management.ni.dll") Region: id = 579 start_va = 0x6430000 end_va = 0x643ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006430000" filename = "" Region: id = 580 start_va = 0x6440000 end_va = 0x644ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006440000" filename = "" Region: id = 581 start_va = 0x6450000 end_va = 0x645ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006450000" filename = "" Region: id = 582 start_va = 0x6460000 end_va = 0x646ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006460000" filename = "" Region: id = 583 start_va = 0x6470000 end_va = 0x647ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006470000" filename = "" Region: id = 584 start_va = 0x6480000 end_va = 0x648ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006480000" filename = "" Region: id = 585 start_va = 0x6490000 end_va = 0x649ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006490000" filename = "" Region: id = 586 start_va = 0x64a0000 end_va = 0x64affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064a0000" filename = "" Region: id = 587 start_va = 0x64b0000 end_va = 0x64bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064b0000" filename = "" Region: id = 588 start_va = 0x84d0000 end_va = 0x84dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000084d0000" filename = "" Region: id = 589 start_va = 0x69670000 end_va = 0x69695fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Confe64a9051#\\1ba9fabb6a4cb3c022579f789ba3280b\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.confe64a9051#\\1ba9fabb6a4cb3c022579f789ba3280b\\system.configuration.install.ni.dll") Region: id = 590 start_va = 0x695c0000 end_va = 0x6966dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\8a03e2886313defa91cef9f385480f4e\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.transactions\\8a03e2886313defa91cef9f385480f4e\\system.transactions.ni.dll") Region: id = 591 start_va = 0x69570000 end_va = 0x695bafff monitored = 1 entry_point = 0x6958f53e region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 592 start_va = 0x84e0000 end_va = 0x852afff monitored = 1 entry_point = 0x84ff53e region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 593 start_va = 0x6d570000 end_va = 0x6d574fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.diagnostics.tracing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Diagd2d95910#\\00f2884f94840274aeab684b7683f0fb\\System.Diagnostics.Tracing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.diagd2d95910#\\00f2884f94840274aeab684b7683f0fb\\system.diagnostics.tracing.ni.dll") Region: id = 594 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 595 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 596 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 597 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 598 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 599 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 600 start_va = 0x84e0000 end_va = 0x84e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000084e0000" filename = "" Region: id = 601 start_va = 0x84f0000 end_va = 0x84f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 602 start_va = 0x84f0000 end_va = 0x84f8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 603 start_va = 0x84f0000 end_va = 0x84f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 604 start_va = 0x84f0000 end_va = 0x84f8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 605 start_va = 0x84f0000 end_va = 0x84f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 606 start_va = 0x84f0000 end_va = 0x84f8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 607 start_va = 0x84f0000 end_va = 0x852ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000084f0000" filename = "" Region: id = 608 start_va = 0x8530000 end_va = 0x856ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008530000" filename = "" Region: id = 609 start_va = 0x8570000 end_va = 0x85affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008570000" filename = "" Region: id = 610 start_va = 0x85b0000 end_va = 0x85effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085b0000" filename = "" Region: id = 611 start_va = 0x6b150000 end_va = 0x6b1cdfff monitored = 1 entry_point = 0x6b151140 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 612 start_va = 0x85f0000 end_va = 0x85fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000085f0000" filename = "" Region: id = 613 start_va = 0x8600000 end_va = 0x860ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008600000" filename = "" Region: id = 614 start_va = 0x69520000 end_va = 0x6956ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P6f792626#\\24dec2ee5afa2e530624f4ea9795a28f\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p6f792626#\\24dec2ee5afa2e530624f4ea9795a28f\\microsoft.powershell.security.ni.dll") Region: id = 615 start_va = 0x8610000 end_va = 0x861ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008610000" filename = "" Region: id = 616 start_va = 0x6ce00000 end_va = 0x6ce09fff monitored = 0 entry_point = 0x6ce03200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 617 start_va = 0x8620000 end_va = 0x869ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008620000" filename = "" Region: id = 618 start_va = 0x86a0000 end_va = 0x86affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086a0000" filename = "" Region: id = 619 start_va = 0x86b0000 end_va = 0x86bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086b0000" filename = "" Region: id = 620 start_va = 0x86c0000 end_va = 0x86cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086c0000" filename = "" Region: id = 621 start_va = 0x69430000 end_va = 0x6951efff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\1b51e779650e38bb712f3e535efcf132\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\1b51e779650e38bb712f3e535efcf132\\system.configuration.ni.dll") Region: id = 622 start_va = 0x69420000 end_va = 0x69429fff monitored = 0 entry_point = 0x69422420 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\SysWOW64\\wldp.dll" (normalized: "c:\\windows\\syswow64\\wldp.dll") Region: id = 623 start_va = 0x76ca0000 end_va = 0x76e17fff monitored = 0 entry_point = 0x76cf8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 624 start_va = 0x74e70000 end_va = 0x74e7dfff monitored = 0 entry_point = 0x74e75410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 625 start_va = 0x77330000 end_va = 0x77371fff monitored = 0 entry_point = 0x77346f10 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 626 start_va = 0x86d0000 end_va = 0x870ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086d0000" filename = "" Region: id = 627 start_va = 0x8710000 end_va = 0x874ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 628 start_va = 0x8750000 end_va = 0x875ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008750000" filename = "" Region: id = 629 start_va = 0x8760000 end_va = 0x8770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008760000" filename = "" Region: id = 630 start_va = 0x8780000 end_va = 0x8783fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "certificate.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml") Region: id = 631 start_va = 0x8780000 end_va = 0x87bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008780000" filename = "" Region: id = 632 start_va = 0x87c0000 end_va = 0x87fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087c0000" filename = "" Region: id = 633 start_va = 0x8800000 end_va = 0x88fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 634 start_va = 0x8900000 end_va = 0x8afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008900000" filename = "" Region: id = 635 start_va = 0x69400000 end_va = 0x6941efff monitored = 0 entry_point = 0x69408a90 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 636 start_va = 0x8b00000 end_va = 0x8efafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008b00000" filename = "" Region: id = 637 start_va = 0x8f00000 end_va = 0x8f03fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "certificate.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml") Region: id = 638 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 639 start_va = 0x8f00000 end_va = 0x8f21fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dotnettypes.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml") Region: id = 640 start_va = 0x8f00000 end_va = 0x8f21fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dotnettypes.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml") Region: id = 641 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 642 start_va = 0x8f00000 end_va = 0x8f06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "filesystem.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\filesystem.format.ps1xml") Region: id = 643 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 644 start_va = 0x8f00000 end_va = 0x8f44fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "help.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml") Region: id = 645 start_va = 0x8f00000 end_va = 0x8f44fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "help.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml") Region: id = 646 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 647 start_va = 0x8f00000 end_va = 0x8f33fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "helpv3.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\HelpV3.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\helpv3.format.ps1xml") Region: id = 648 start_va = 0x8f00000 end_va = 0x8f33fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "helpv3.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\HelpV3.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\helpv3.format.ps1xml") Region: id = 649 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 650 start_va = 0x8f00000 end_va = 0x8f32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellcore.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershellcore.format.ps1xml") Region: id = 651 start_va = 0x8f00000 end_va = 0x8f32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershellcore.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershellcore.format.ps1xml") Region: id = 652 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 653 start_va = 0x8f00000 end_va = 0x8f01fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershelltrace.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml") Region: id = 654 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 655 start_va = 0x8f00000 end_va = 0x8f02fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "registry.format.ps1xml" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\registry.format.ps1xml") Region: id = 656 start_va = 0x8f00000 end_va = 0x8f27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-WOW64-Package-AutoMerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-wow64-package-automerged-admin~31bf3856ad364e35~amd64~~10.0.10586.0.cat") Region: id = 657 start_va = 0x8f00000 end_va = 0x8f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f00000" filename = "" Region: id = 658 start_va = 0x8f40000 end_va = 0x98cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f40000" filename = "" Region: id = 659 start_va = 0x70970000 end_va = 0x709e4fff monitored = 0 entry_point = 0x709a9a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 660 start_va = 0x98d0000 end_va = 0x9a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000098d0000" filename = "" Region: id = 661 start_va = 0x98d0000 end_va = 0x990ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000098d0000" filename = "" Region: id = 662 start_va = 0x9910000 end_va = 0x994ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009910000" filename = "" Region: id = 663 start_va = 0x9950000 end_va = 0x998ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009950000" filename = "" Region: id = 664 start_va = 0x9990000 end_va = 0x99cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009990000" filename = "" Region: id = 665 start_va = 0x99d0000 end_va = 0x9a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000099d0000" filename = "" Region: id = 666 start_va = 0x9a40000 end_va = 0x9a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a40000" filename = "" Region: id = 667 start_va = 0x9a50000 end_va = 0x9a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a50000" filename = "" Region: id = 668 start_va = 0x66c70000 end_va = 0x66c7cfff monitored = 0 entry_point = 0x66c763e0 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\SysWOW64\\amsi.dll" (normalized: "c:\\windows\\syswow64\\amsi.dll") Region: id = 669 start_va = 0x9a10000 end_va = 0x9a10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009a10000" filename = "" Region: id = 670 start_va = 0x75220000 end_va = 0x752a3fff monitored = 0 entry_point = 0x75246220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 671 start_va = 0x9a20000 end_va = 0x9a20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009a20000" filename = "" Region: id = 672 start_va = 0x66c50000 end_va = 0x66c65fff monitored = 0 entry_point = 0x66c5e7a0 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files (x86)\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpoav.dll") Region: id = 673 start_va = 0x9a30000 end_va = 0x9a33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a30000" filename = "" Region: id = 674 start_va = 0x66ba0000 end_va = 0x66c45fff monitored = 0 entry_point = 0x66be20b0 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files (x86)\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpclient.dll") Region: id = 675 start_va = 0x9a90000 end_va = 0x9a91fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files (x86)\\windows defender\\msmplics.dll") Region: id = 676 start_va = 0x9aa0000 end_va = 0x9b9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009aa0000" filename = "" Region: id = 677 start_va = 0x70950000 end_va = 0x70968fff monitored = 0 entry_point = 0x709547e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 678 start_va = 0x9ba0000 end_va = 0x9bcdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009ba0000" filename = "" Region: id = 679 start_va = 0x9bd0000 end_va = 0x9c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009bd0000" filename = "" Region: id = 680 start_va = 0x9c10000 end_va = 0x9c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009c10000" filename = "" Region: id = 681 start_va = 0x9c50000 end_va = 0x9c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009c50000" filename = "" Region: id = 682 start_va = 0x9c90000 end_va = 0x9ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009c90000" filename = "" Thread: id = 9 os_tid = 0x614 Thread: id = 14 os_tid = 0x708 Thread: id = 15 os_tid = 0x9cc Thread: id = 16 os_tid = 0xe2c Thread: id = 17 os_tid = 0x12d8 Thread: id = 18 os_tid = 0x11ec Thread: id = 19 os_tid = 0x13c0 Thread: id = 20 os_tid = 0x4dc Thread: id = 21 os_tid = 0xcbc [0165.218] SetThreadUILanguage (LangId=0x0) returned 0x409 [0165.228] CoCreateGuid (in: pguid=0x98cf674 | out: pguid=0x98cf674*(Data1=0x9134be18, Data2=0x3fcd, Data3=0x4142, Data4=([0]=0x9a, [1]=0x9, [2]=0xa0, [3]=0xbd, [4]=0x9e, [5]=0x7, [6]=0xb0, [7]=0x86))) returned 0x0 [0165.235] GetCurrentProcessId () returned 0x934 [0165.235] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x934) returned 0x5f8 [0165.235] EnumProcessModules (in: hProcess=0x5f8, lphModule=0x6a51174, cb=0x100, lpcbNeeded=0x98cf5b0 | out: lphModule=0x6a51174, lpcbNeeded=0x98cf5b0) returned 1 [0165.237] GetModuleInformation (in: hProcess=0x5f8, hModule=0xb60000, lpmodinfo=0x6a512b4, cb=0xc | out: lpmodinfo=0x6a512b4*(lpBaseOfDll=0xb60000, SizeOfImage=0x71000, EntryPoint=0xb69c00)) returned 1 [0165.237] CoTaskMemAlloc (cb=0x804) returned 0x8851c10 [0165.237] GetModuleBaseNameW (in: hProcess=0x5f8, hModule=0xb60000, lpBaseName=0x8851c10, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0165.237] CoTaskMemFree (pv=0x8851c10) [0165.237] CoTaskMemAlloc (cb=0x804) returned 0x8851c10 [0165.237] GetModuleFileNameExW (in: hProcess=0x5f8, hModule=0xb60000, lpFilename=0x8851c10, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0165.237] CoTaskMemFree (pv=0x8851c10) [0165.237] CloseHandle (hObject=0x5f8) returned 1 [0165.238] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x934) returned 0x5f8 [0165.238] EnumProcessModules (in: hProcess=0x5f8, lphModule=0x6a5343c, cb=0x100, lpcbNeeded=0x98cf5b0 | out: lphModule=0x6a5343c, lpcbNeeded=0x98cf5b0) returned 1 [0165.239] GetModuleInformation (in: hProcess=0x5f8, hModule=0xb60000, lpmodinfo=0x6a5357c, cb=0xc | out: lpmodinfo=0x6a5357c*(lpBaseOfDll=0xb60000, SizeOfImage=0x71000, EntryPoint=0xb69c00)) returned 1 [0165.239] CoTaskMemAlloc (cb=0x804) returned 0x8851c10 [0165.239] GetModuleBaseNameW (in: hProcess=0x5f8, hModule=0xb60000, lpBaseName=0x8851c10, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0165.239] CoTaskMemFree (pv=0x8851c10) [0165.239] CoTaskMemAlloc (cb=0x804) returned 0x8851c10 [0165.239] GetModuleFileNameExW (in: hProcess=0x5f8, hModule=0xb60000, lpFilename=0x8851c10, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0165.240] CoTaskMemFree (pv=0x8851c10) [0165.240] CloseHandle (hObject=0x5f8) returned 1 [0165.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0x98cf0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0165.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x98cf530) returned 1 [0165.240] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x98cf5ac | out: lpFileInformation=0x98cf5ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60ffe178, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x60ffe178, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x60ffe178, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6e200)) returned 1 [0165.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x98cf52c) returned 1 [0165.240] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x98cf620 | out: lpdwHandle=0x98cf620) returned 0x73c [0165.241] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x73c, lpData=0x6a557b8 | out: lpData=0x6a557b8) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x98cf5f4, puLen=0x98cf5f0 | out: lplpBuffer=0x98cf5f4*=0x6a55b50, puLen=0x98cf5f0) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a55870, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a558c4, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a5590c, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a5597c, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a559b8, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a55a3c, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a55a84, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x6a55af4, puLen=0x98cf570) returned 1 [0165.242] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x0, puLen=0x98cf570) returned 0 [0165.243] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x0, puLen=0x98cf570) returned 0 [0165.243] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x0, puLen=0x98cf570) returned 0 [0165.243] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x98cf574, puLen=0x98cf570 | out: lplpBuffer=0x98cf574*=0x0, puLen=0x98cf570) returned 0 [0165.243] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x98cf568, puLen=0x98cf564 | out: lplpBuffer=0x98cf568*=0x6a55b50, puLen=0x98cf564) returned 1 [0165.243] VerLanguageNameW (in: wLang=0x409, szLang=0x98cf2f8, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0165.243] VerQueryValueW (in: pBlock=0x6a557b8, lpSubBlock="\\", lplpBuffer=0x98cf578, puLen=0x98cf574 | out: lplpBuffer=0x98cf578*=0x6a557e0, puLen=0x98cf574) returned 1 [0165.401] AmsiInitialize () returned 0x0 [0165.602] AmsiOpenSession () returned 0x0 [0165.602] AmsiScanString () returned 0x80070015 [0166.731] EtwEventRegister (in: ProviderId=0x6a57cd8, EnableCallback=0xad28be, CallbackContext=0x0, RegHandle=0x6a57cb4 | out: RegHandle=0x6a57cb4) returned 0x0 [0166.731] EtwEventSetInformation (RegHandle=0x896bc18, InformationClass=0x4d, EventInformation=0x2, InformationLength=0x6a57c84) returned 0x0 [0166.740] RoGetParameterizedTypeInstanceIID () returned 0x0 [0166.741] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0166.741] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0166.768] WindowsCreateStringReference () returned 0x0 [0166.768] RoGetActivationFactory () returned 0x0 [0166.770] QueryInterface () returned 0x0 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0166.771] QueryInterface () returned 0x0 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::GetRuntimeClassName () returned 0x8000000e [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::AddRef () returned 0x4 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0166.771] Release () returned 0x4 [0166.771] CoGetContextToken (in: pToken=0x98ce078 | out: pToken=0x98ce078) returned 0x0 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0166.771] CoGetContextToken (in: pToken=0x98ce380 | out: pToken=0x98ce380) returned 0x0 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x4 [0166.771] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0166.772] WindowsDeleteString () returned 0x0 [0166.772] Release () returned 0x2 [0166.772] CoGetContextToken (in: pToken=0x98ceaf0 | out: pToken=0x98ceaf0) returned 0x0 [0166.772] CoGetContextToken (in: pToken=0x98cea50 | out: pToken=0x98cea50) returned 0x0 [0166.772] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0166.772] AddRef () returned 0x4 [0166.772] Release () returned 0x3 [0166.780] IIDFromString (in: lpsz="{410B7711-FF3B-477F-9C9A-D2EFDA302DC3}", lpiid=0x98ce180 | out: lpiid=0x98ce180) returned 0x0 [0166.781] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::add_TracingStatusChanged () returned 0x0 [0166.812] GenericStreamBase::Write () returned 0x0 [0166.812] GenericStreamBase::Write () returned 0x0 [0166.812] CoCreateGuid (in: pguid=0x6ccd529c | out: pguid=0x6ccd529c*(Data1=0xb784b78, Data2=0x1cc0, Data3=0x4993, Data4=([0]=0x9c, [1]=0x0, [2]=0xe7, [3]=0xbf, [4]=0x3a, [5]=0x6a, [6]=0x94, [7]=0x48))) returned 0x0 [0166.812] GenericStreamBase::Write () returned 0x0 [0166.821] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0166.821] Microsoft::WRL::Details::RuntimeClass >,Microsoft::WRL::RuntimeClassFlags<1>,1,1,0>::AddRef () returned 0x3 [0166.821] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0166.821] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0166.821] Release () returned 0x3 [0166.821] CoGetContextToken (in: pToken=0x98cdf50 | out: pToken=0x98cdf50) returned 0x0 [0166.822] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0166.823] WindowsCreateString () returned 0x0 [0166.823] Microsoft::WRL::Details::RuntimeClass >,Microsoft::WRL::RuntimeClassFlags<1>,1,1,0>::AddRef () returned 0x4 [0166.823] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x3 [0166.824] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::get_Enabled () returned 0x0 [0167.318] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x98cf49c, nSize=0x80 | out: lpBuffer="") returned 0x0 [0167.549] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x98cf6f0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x98cf6f0*(Data1=0x63ee2f59, Data2=0xe78c, Data3=0x0, Data4=([0]=0xdf, [1]=0x30, [2]=0xee, [3]=0x63, [4]=0x8c, [5]=0xe7, [6]=0xd7, [7]=0x1))) returned 0x0 [0167.549] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x98cf650*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x98cf650*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0167.549] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x98cf6e0*(Data1=0x63ee2f59, Data2=0xe78c, Data3=0x0, Data4=([0]=0xdf, [1]=0x30, [2]=0xee, [3]=0x63, [4]=0x8c, [5]=0xe7, [6]=0xd7, [7]=0x1)) | out: ActivityId=0x98cf6e0*(Data1=0x63ee2f59, Data2=0xe78c, Data3=0x0, Data4=([0]=0xdf, [1]=0x30, [2]=0xee, [3]=0x63, [4]=0x8c, [5]=0xe7, [6]=0xd7, [7]=0x1))) returned 0x0 [0167.555] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x98cf6f0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x98cf6f0*(Data1=0x63ee2f59, Data2=0xe78c, Data3=0x0, Data4=([0]=0xe0, [1]=0x30, [2]=0xee, [3]=0x63, [4]=0x8c, [5]=0xe7, [6]=0xd7, [7]=0x1))) returned 0x0 [0167.555] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x98cf650*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x98cf650*(Data1=0x63ee2f59, Data2=0xe78c, Data3=0x0, Data4=([0]=0xdf, [1]=0x30, [2]=0xee, [3]=0x63, [4]=0x8c, [5]=0xe7, [6]=0xd7, [7]=0x1))) returned 0x0 [0167.555] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x98cf6e0*(Data1=0x63ee2f59, Data2=0xe78c, Data3=0x0, Data4=([0]=0xe0, [1]=0x30, [2]=0xee, [3]=0x63, [4]=0x8c, [5]=0xe7, [6]=0xd7, [7]=0x1)) | out: ActivityId=0x98cf6e0*(Data1=0x63ee2f59, Data2=0xe78c, Data3=0x0, Data4=([0]=0xe0, [1]=0x30, [2]=0xee, [3]=0x63, [4]=0x8c, [5]=0xe7, [6]=0xd7, [7]=0x1))) returned 0x0 Thread: id = 22 os_tid = 0x9a4 Thread: id = 23 os_tid = 0xffc Thread: id = 24 os_tid = 0xc70 Thread: id = 25 os_tid = 0x714 [0166.888] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0166.889] CoGetContextToken (in: pToken=0x9c4fbc4 | out: pToken=0x9c4fbc4) returned 0x0 [0166.889] CObjectContext::QueryInterface () returned 0x0 [0166.890] CObjectContext::GetCurrentThreadType () returned 0x0 [0166.890] Release () returned 0x0 [0166.890] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0166.890] CoUninitialize () [0166.890] RoInitialize () returned 0x1 [0166.890] RoUninitialize () returned 0x0 Thread: id = 26 os_tid = 0xeb4 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1121e000" os_pid = "0xa74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x934" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 418 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 419 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 420 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 421 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 422 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 423 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 424 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 425 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 426 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 427 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 428 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 429 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 430 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 431 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 432 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 433 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 434 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 435 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 436 start_va = 0x600000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 437 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 438 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 439 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 440 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 441 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 442 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 443 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 444 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 445 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 446 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 447 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 448 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 449 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 450 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 451 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 452 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 453 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 454 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 455 start_va = 0xb70000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 456 start_va = 0x1f70000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 457 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 458 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 459 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 460 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 461 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 462 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 463 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 464 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 465 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 466 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 467 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 468 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 469 start_va = 0x50000 end_va = 0x6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 470 start_va = 0x20d0000 end_va = 0x2406fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 471 start_va = 0x1f70000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 472 start_va = 0x20c0000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 473 start_va = 0x2410000 end_va = 0x260ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 474 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 475 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 476 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 477 start_va = 0x60000 end_va = 0x6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 478 start_va = 0x2610000 end_va = 0x26cbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002610000" filename = "" Region: id = 479 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 480 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 481 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 482 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 483 start_va = 0x70000 end_va = 0x76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 484 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 485 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 486 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 487 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 488 start_va = 0x680000 end_va = 0x684fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 489 start_va = 0x690000 end_va = 0x690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 490 start_va = 0x6b0000 end_va = 0x6b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 491 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 492 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 493 start_va = 0x6d0000 end_va = 0x6d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Thread: id = 10 os_tid = 0xbac Thread: id = 11 os_tid = 0xc0c Thread: id = 12 os_tid = 0x1374 Thread: id = 13 os_tid = 0x550