# Flog Txt Version 1 # Analyzer Version: 2.3.1 # Analyzer Build Date: Jul 30 2018 18:01:18 # Log Creation Date: 06.08.2018 13:03:31.786 Process: id = "1" image_name = "winword.exe" filename = "c:\\program files\\microsoft office\\office16\\winword.exe" page_root = "0x3e6f0000" os_pid = "0xe0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" /n" cur_dir = "C:\\Users\\Nd9E1FYi\\Desktop\\" os_username = "X2VS1CUM\\Nd9E1FYi" os_groups = "X2VS1CUM\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e439" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 143 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 144 start_va = 0x6401600000 end_va = 0x64017fffff entry_point = 0x0 region_type = private name = "private_0x0000006401600000" filename = "" Region: id = 145 start_va = 0x6401800000 end_va = 0x64018fffff entry_point = 0x0 region_type = private name = "private_0x0000006401800000" filename = "" Region: id = 146 start_va = 0x6401900000 end_va = 0x64019fffff entry_point = 0x0 region_type = private name = "private_0x0000006401900000" filename = "" Region: id = 147 start_va = 0x6401b00000 end_va = 0x6401bfffff entry_point = 0x0 region_type = private name = "private_0x0000006401b00000" filename = "" Region: id = 148 start_va = 0x6401c00000 end_va = 0x6401cfffff entry_point = 0x0 region_type = private name = "private_0x0000006401c00000" filename = "" Region: id = 149 start_va = 0x6401d00000 end_va = 0x6401dfffff entry_point = 0x0 region_type = private name = "private_0x0000006401d00000" filename = "" Region: id = 150 start_va = 0x6401e00000 end_va = 0x6401efffff entry_point = 0x0 region_type = private name = "private_0x0000006401e00000" filename = "" Region: id = 151 start_va = 0x6401f00000 end_va = 0x6401ffffff entry_point = 0x0 region_type = private name = "private_0x0000006401f00000" filename = "" Region: id = 152 start_va = 0x6402000000 end_va = 0x64020fffff entry_point = 0x0 region_type = private name = "private_0x0000006402000000" filename = "" Region: id = 153 start_va = 0x6402100000 end_va = 0x64021fffff entry_point = 0x0 region_type = private name = "private_0x0000006402100000" filename = "" Region: id = 154 start_va = 0x6402300000 end_va = 0x64023fffff entry_point = 0x0 region_type = private name = "private_0x0000006402300000" filename = "" Region: id = 155 start_va = 0x6402400000 end_va = 0x64024fffff entry_point = 0x0 region_type = private name = "private_0x0000006402400000" filename = "" Region: id = 156 start_va = 0x6402500000 end_va = 0x64025fffff entry_point = 0x0 region_type = private name = "private_0x0000006402500000" filename = "" Region: id = 157 start_va = 0x6402600000 end_va = 0x64026fffff entry_point = 0x0 region_type = private name = "private_0x0000006402600000" filename = "" Region: id = 158 start_va = 0x6402700000 end_va = 0x64027fffff entry_point = 0x0 region_type = private name = "private_0x0000006402700000" filename = "" Region: id = 159 start_va = 0x1a780000000 end_va = 0x1a780004fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780000000" filename = "" Region: id = 160 start_va = 0x1a780010000 end_va = 0x1a78080ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780010000" filename = "" Region: id = 161 start_va = 0x1a780810000 end_va = 0x1a780810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780810000" filename = "" Region: id = 162 start_va = 0x1a780820000 end_va = 0x1a780820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780820000" filename = "" Region: id = 163 start_va = 0x1a780830000 end_va = 0x1a7808bbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780830000" filename = "" Region: id = 164 start_va = 0x1a7808c0000 end_va = 0x1a7808c0fff entry_point = 0x0 region_type = private name = "private_0x000001a7808c0000" filename = "" Region: id = 165 start_va = 0x1a780a10000 end_va = 0x1a780e0ffff entry_point = 0x0 region_type = private name = "private_0x000001a780a10000" filename = "" Region: id = 166 start_va = 0x1a780e10000 end_va = 0x1a780f0ffff entry_point = 0x0 region_type = private name = "private_0x000001a780e10000" filename = "" Region: id = 167 start_va = 0x1a780f10000 end_va = 0x1a780f10fff entry_point = 0x1a780f10000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 168 start_va = 0x1a780f20000 end_va = 0x1a780f32fff entry_point = 0x1a780f20000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000025.db" filename = "\\Users\\Nd9E1FYi\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000025.db" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000025.db") Region: id = 169 start_va = 0x1a780f40000 end_va = 0x1a780f40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780f40000" filename = "" Region: id = 170 start_va = 0x1a780f50000 end_va = 0x1a780f56fff entry_point = 0x0 region_type = private name = "private_0x000001a780f50000" filename = "" Region: id = 171 start_va = 0x1a780f60000 end_va = 0x1a780f61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780f60000" filename = "" Region: id = 172 start_va = 0x1a780f70000 end_va = 0x1a780f70fff entry_point = 0x0 region_type = private name = "private_0x000001a780f70000" filename = "" Region: id = 173 start_va = 0x1a780f80000 end_va = 0x1a780f81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780f80000" filename = "" Region: id = 174 start_va = 0x1a780f90000 end_va = 0x1a780faefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780f90000" filename = "" Region: id = 175 start_va = 0x1a780fb0000 end_va = 0x1a780fbffff entry_point = 0x0 region_type = private name = "private_0x000001a780fb0000" filename = "" Region: id = 176 start_va = 0x1a780fc0000 end_va = 0x1a78109ffff entry_point = 0x1a780fc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 177 start_va = 0x1a7810a0000 end_va = 0x1a78119ffff entry_point = 0x0 region_type = private name = "private_0x000001a7810a0000" filename = "" Region: id = 178 start_va = 0x1a7811a0000 end_va = 0x1a78219ffff entry_point = 0x1a7811a0000 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 179 start_va = 0x1a7821a0000 end_va = 0x1a78227efff entry_point = 0x1a7821a0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 180 start_va = 0x1a782280000 end_va = 0x1a7822c1fff entry_point = 0x1a782280000 region_type = mapped_file name = "d2d1.dll.mui" filename = "\\Windows\\System32\\en-US\\d2d1.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\d2d1.dll.mui") Region: id = 181 start_va = 0x1a7822d0000 end_va = 0x1a7823a5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7822d0000" filename = "" Region: id = 182 start_va = 0x1a7823b0000 end_va = 0x1a782485fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7823b0000" filename = "" Region: id = 183 start_va = 0x1a782490000 end_va = 0x1a7824aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a782490000" filename = "" Region: id = 184 start_va = 0x1a7827b0000 end_va = 0x1a7827bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7827b0000" filename = "" Region: id = 185 start_va = 0x1a7827c0000 end_va = 0x1a7827cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7827c0000" filename = "" Region: id = 186 start_va = 0x1a7827d0000 end_va = 0x1a7827dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7827d0000" filename = "" Region: id = 187 start_va = 0x1a7827e0000 end_va = 0x1a782be7fff entry_point = 0x0 region_type = private name = "private_0x000001a7827e0000" filename = "" Region: id = 188 start_va = 0x1a782bf0000 end_va = 0x1a782ff9fff entry_point = 0x0 region_type = private name = "private_0x000001a782bf0000" filename = "" Region: id = 189 start_va = 0x1a783000000 end_va = 0x1a78340afff entry_point = 0x0 region_type = private name = "private_0x000001a783000000" filename = "" Region: id = 190 start_va = 0x1a783410000 end_va = 0x1a78348ffff entry_point = 0x0 region_type = private name = "private_0x000001a783410000" filename = "" Region: id = 191 start_va = 0x1a783490000 end_va = 0x1a78368ffff entry_point = 0x0 region_type = private name = "private_0x000001a783490000" filename = "" Region: id = 192 start_va = 0x1a783690000 end_va = 0x1a7836a0fff entry_point = 0x1a783690000 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 193 start_va = 0x1a7836b0000 end_va = 0x1a7846effff entry_point = 0x1a7836b0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 194 start_va = 0x1a784700000 end_va = 0x1a784efffff entry_point = 0x0 region_type = private name = "private_0x000001a784700000" filename = "" Region: id = 195 start_va = 0x1a784f00000 end_va = 0x1a7853ddfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a784f00000" filename = "" Region: id = 196 start_va = 0x1a7f5ff0000 end_va = 0x1a7f5ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f5ff0000" filename = "" Region: id = 197 start_va = 0x1a7f6000000 end_va = 0x1a7f6006fff entry_point = 0x0 region_type = private name = "private_0x000001a7f6000000" filename = "" Region: id = 198 start_va = 0x1a7f6010000 end_va = 0x1a7f6024fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6010000" filename = "" Region: id = 199 start_va = 0x1a7f6030000 end_va = 0x1a7f6033fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6030000" filename = "" Region: id = 200 start_va = 0x1a7f6040000 end_va = 0x1a7f6043fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6040000" filename = "" Region: id = 201 start_va = 0x1a7f6050000 end_va = 0x1a7f6051fff entry_point = 0x0 region_type = private name = "private_0x000001a7f6050000" filename = "" Region: id = 202 start_va = 0x1a7f6060000 end_va = 0x1a7f611dfff entry_point = 0x1a7f6060000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 203 start_va = 0x1a7f6120000 end_va = 0x1a7f6126fff entry_point = 0x0 region_type = private name = "private_0x000001a7f6120000" filename = "" Region: id = 204 start_va = 0x1a7f6130000 end_va = 0x1a7f6130fff entry_point = 0x0 region_type = private name = "private_0x000001a7f6130000" filename = "" Region: id = 205 start_va = 0x1a7f6140000 end_va = 0x1a7f6140fff entry_point = 0x0 region_type = private name = "private_0x000001a7f6140000" filename = "" Region: id = 206 start_va = 0x1a7f6150000 end_va = 0x1a7f6151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6150000" filename = "" Region: id = 207 start_va = 0x1a7f6160000 end_va = 0x1a7f6161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6160000" filename = "" Region: id = 208 start_va = 0x1a7f6170000 end_va = 0x1a7f6170fff entry_point = 0x0 region_type = private name = "private_0x000001a7f6170000" filename = "" Region: id = 209 start_va = 0x1a7f6180000 end_va = 0x1a7f6180fff entry_point = 0x0 region_type = private name = "private_0x000001a7f6180000" filename = "" Region: id = 210 start_va = 0x1a7f6190000 end_va = 0x1a7f6191fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6190000" filename = "" Region: id = 211 start_va = 0x1a7f61a0000 end_va = 0x1a7f61affff entry_point = 0x0 region_type = private name = "private_0x000001a7f61a0000" filename = "" Region: id = 212 start_va = 0x1a7f61b0000 end_va = 0x1a7f61b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f61b0000" filename = "" Region: id = 213 start_va = 0x1a7f61c0000 end_va = 0x1a7f62bffff entry_point = 0x0 region_type = private name = "private_0x000001a7f61c0000" filename = "" Region: id = 214 start_va = 0x1a7f62c0000 end_va = 0x1a7f6447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f62c0000" filename = "" Region: id = 215 start_va = 0x1a7f6450000 end_va = 0x1a7f6451fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6450000" filename = "" Region: id = 216 start_va = 0x1a7f6460000 end_va = 0x1a7f6461fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6460000" filename = "" Region: id = 217 start_va = 0x1a7f6470000 end_va = 0x1a7f6471fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6470000" filename = "" Region: id = 218 start_va = 0x1a7f6480000 end_va = 0x1a7f6481fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6480000" filename = "" Region: id = 219 start_va = 0x1a7f6490000 end_va = 0x1a7f6494fff entry_point = 0x1a7f6490000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 220 start_va = 0x1a7f64a0000 end_va = 0x1a7f64a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f64a0000" filename = "" Region: id = 221 start_va = 0x1a7f64b0000 end_va = 0x1a7f64bffff entry_point = 0x0 region_type = private name = "private_0x000001a7f64b0000" filename = "" Region: id = 222 start_va = 0x1a7f64c0000 end_va = 0x1a7f6640fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f64c0000" filename = "" Region: id = 223 start_va = 0x1a7f6650000 end_va = 0x1a7f7a4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f6650000" filename = "" Region: id = 224 start_va = 0x1a7f7a50000 end_va = 0x1a7f7b0bfff entry_point = 0x1a7f7a50000 region_type = mapped_file name = "wwintl.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\1033\\WWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\1033\\wwintl.dll") Region: id = 225 start_va = 0x1a7f7b10000 end_va = 0x1a7f7b11fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f7b10000" filename = "" Region: id = 226 start_va = 0x1a7f7b20000 end_va = 0x1a7f7b3ffff entry_point = 0x0 region_type = private name = "private_0x000001a7f7b20000" filename = "" Region: id = 227 start_va = 0x1a7f7b40000 end_va = 0x1a7f7cf8fff entry_point = 0x1a7f7b40000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 228 start_va = 0x1a7f7d00000 end_va = 0x1a7f7d00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7f7d00000" filename = "" Region: id = 229 start_va = 0x1a7f7d10000 end_va = 0x1a7f7d1ffff entry_point = 0x1a7f7d10000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 230 start_va = 0x1a7f7d20000 end_va = 0x1a7f7d2efff entry_point = 0x1a7f7d20000 region_type = mapped_file name = "msointl30.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\msointl30.dll") Region: id = 231 start_va = 0x1a7f7d30000 end_va = 0x1a7f7eaafff entry_point = 0x1a7f7d30000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\msointl.dll") Region: id = 232 start_va = 0x1a7f7eb0000 end_va = 0x1a7f7ebffff entry_point = 0x0 region_type = private name = "private_0x000001a7f7eb0000" filename = "" Region: id = 233 start_va = 0x1a7f7ec0000 end_va = 0x1a7f81c7fff entry_point = 0x1a7f7ec0000 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso40uires.dll") Region: id = 234 start_va = 0x1a7f81d0000 end_va = 0x1a7f8af0fff entry_point = 0x1a7f81d0000 region_type = mapped_file name = "mso99lres.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso99lres.dll") Region: id = 235 start_va = 0x1a7f8b00000 end_va = 0x1a7fd93efff entry_point = 0x1a7f8b00000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msores.dll") Region: id = 236 start_va = 0x1a7fd9e0000 end_va = 0x1a7fd9e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7fd9e0000" filename = "" Region: id = 237 start_va = 0x1a7fd9f0000 end_va = 0x1a7fd9f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7fd9f0000" filename = "" Region: id = 238 start_va = 0x1a7fda00000 end_va = 0x1a7fda00fff entry_point = 0x0 region_type = private name = "private_0x000001a7fda00000" filename = "" Region: id = 239 start_va = 0x1a7fda10000 end_va = 0x1a7fda16fff entry_point = 0x0 region_type = private name = "private_0x000001a7fda10000" filename = "" Region: id = 240 start_va = 0x1a7fdae0000 end_va = 0x1a7fde16fff entry_point = 0x1a7fdae0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 241 start_va = 0x1a7fde20000 end_va = 0x1a7fdf1ffff entry_point = 0x0 region_type = private name = "private_0x000001a7fde20000" filename = "" Region: id = 242 start_va = 0x1a7fdf20000 end_va = 0x1a7fdf4dfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7fdf20000" filename = "" Region: id = 243 start_va = 0x1a7fdf50000 end_va = 0x1a7fdf50fff entry_point = 0x0 region_type = private name = "private_0x000001a7fdf50000" filename = "" Region: id = 244 start_va = 0x1a7fdf60000 end_va = 0x1a7fdf60fff entry_point = 0x0 region_type = private name = "private_0x000001a7fdf60000" filename = "" Region: id = 245 start_va = 0x1a7fdf70000 end_va = 0x1a7fdf70fff entry_point = 0x0 region_type = private name = "private_0x000001a7fdf70000" filename = "" Region: id = 246 start_va = 0x1a7fdf80000 end_va = 0x1a7fe03bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7fdf80000" filename = "" Region: id = 247 start_va = 0x1a7fe040000 end_va = 0x1a7fe043fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7fe040000" filename = "" Region: id = 248 start_va = 0x1a7fe050000 end_va = 0x1a7fe0c5fff entry_point = 0x1a7fe050000 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 249 start_va = 0x1a7fe0d0000 end_va = 0x1a7fe1cffff entry_point = 0x0 region_type = private name = "private_0x000001a7fe0d0000" filename = "" Region: id = 250 start_va = 0x1a7fe1d0000 end_va = 0x1a7fe9cffff entry_point = 0x1a7fe1d0000 region_type = mapped_file name = "~fontcache-s-1-5-21-2172869166-1497266965-2109836178-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-2172869166-1497266965-2109836178-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-2172869166-1497266965-2109836178-1000.dat") Region: id = 251 start_va = 0x1a7fe9d0000 end_va = 0x1a7fedcffff entry_point = 0x0 region_type = private name = "private_0x000001a7fe9d0000" filename = "" Region: id = 252 start_va = 0x1a7fedd0000 end_va = 0x1a7ff2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7fedd0000" filename = "" Region: id = 253 start_va = 0x1a7ff2d0000 end_va = 0x1a7ff2d0fff entry_point = 0x0 region_type = private name = "private_0x000001a7ff2d0000" filename = "" Region: id = 254 start_va = 0x1a7ff2e0000 end_va = 0x1a7ff2e0fff entry_point = 0x0 region_type = private name = "private_0x000001a7ff2e0000" filename = "" Region: id = 255 start_va = 0x1a7ff2f0000 end_va = 0x1a7ff2f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7ff2f0000" filename = "" Region: id = 256 start_va = 0x1a7ff300000 end_va = 0x1a7ff300fff entry_point = 0x0 region_type = private name = "private_0x000001a7ff300000" filename = "" Region: id = 257 start_va = 0x1a7ff310000 end_va = 0x1a7ff316fff entry_point = 0x0 region_type = private name = "private_0x000001a7ff310000" filename = "" Region: id = 258 start_va = 0x1a7ff380000 end_va = 0x1a7ff38ffff entry_point = 0x0 region_type = private name = "private_0x000001a7ff380000" filename = "" Region: id = 259 start_va = 0x1a7ff390000 end_va = 0x1a7ff58ffff entry_point = 0x0 region_type = private name = "private_0x000001a7ff390000" filename = "" Region: id = 260 start_va = 0x1a7ff6e0000 end_va = 0x1a7ff6effff entry_point = 0x0 region_type = private name = "private_0x000001a7ff6e0000" filename = "" Region: id = 261 start_va = 0x7ff78b910000 end_va = 0x7ff78b91ffff entry_point = 0x0 region_type = private name = "private_0x00007ff78b910000" filename = "" Region: id = 262 start_va = 0x7ff78b920000 end_va = 0x7ff78b92ffff entry_point = 0x0 region_type = private name = "private_0x00007ff78b920000" filename = "" Region: id = 263 start_va = 0x7ff78b930000 end_va = 0x7ff78ba2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff78b930000" filename = "" Region: id = 264 start_va = 0x7ff78ba30000 end_va = 0x7ff78ba52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff78ba30000" filename = "" Region: id = 265 start_va = 0x7ff78c360000 end_va = 0x7ff78c539fff entry_point = 0x7ff78c360000 region_type = mapped_file name = "winword.exe" filename = "\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\winword.exe") Region: id = 266 start_va = 0x7ff8d6250000 end_va = 0x7ff8d625ffff entry_point = 0x0 region_type = private name = "private_0x00007ff8d6250000" filename = "" Region: id = 267 start_va = 0x7ff8f5160000 end_va = 0x7ff8f5177fff entry_point = 0x7ff8f5160000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 268 start_va = 0x7ff8f5180000 end_va = 0x7ff8f5c78fff entry_point = 0x7ff8f5180000 region_type = mapped_file name = "chart.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\CHART.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\chart.dll") Region: id = 269 start_va = 0x7ff8f6110000 end_va = 0x7ff8f6332fff entry_point = 0x7ff8f6110000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\riched20.dll") Region: id = 270 start_va = 0x7ff8f6340000 end_va = 0x7ff8f64affff entry_point = 0x7ff8f6340000 region_type = mapped_file name = "msptls.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msptls.dll") Region: id = 271 start_va = 0x7ff8f64b0000 end_va = 0x7ff8f778bfff entry_point = 0x7ff8f64b0000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso.dll") Region: id = 272 start_va = 0x7ff8f7790000 end_va = 0x7ff8f7f5bfff entry_point = 0x7ff8f7790000 region_type = mapped_file name = "mso99lwin32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso99Lwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso99lwin32client.dll") Region: id = 273 start_va = 0x7ff8f7f60000 end_va = 0x7ff8f884afff entry_point = 0x7ff8f7f60000 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso40uiwin32client.dll") Region: id = 274 start_va = 0x7ff8f8850000 end_va = 0x7ff8f8cc7fff entry_point = 0x7ff8f8850000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 275 start_va = 0x7ff8f8cd0000 end_va = 0x7ff8f9e3bfff entry_point = 0x7ff8f8cd0000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\oart.dll") Region: id = 276 start_va = 0x7ff8f9e40000 end_va = 0x7ff8fc1defff entry_point = 0x7ff8f9e40000 region_type = mapped_file name = "wwlib.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\WWLIB.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\wwlib.dll") Region: id = 277 start_va = 0x7ff8fd320000 end_va = 0x7ff8fd623fff entry_point = 0x7ff8fd320000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 278 start_va = 0x7ff8fe110000 end_va = 0x7ff8fe1a7fff entry_point = 0x7ff8fe110000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 279 start_va = 0x7ff9005a0000 end_va = 0x7ff900607fff entry_point = 0x7ff9005a0000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 280 start_va = 0x7ff900610000 end_va = 0x7ff900671fff entry_point = 0x7ff900610000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 281 start_va = 0x7ff900c50000 end_va = 0x7ff900c81fff entry_point = 0x7ff900c50000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 282 start_va = 0x7ff900dc0000 end_va = 0x7ff900dfdfff entry_point = 0x7ff900dc0000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 283 start_va = 0x7ff904750000 end_va = 0x7ff9049c9fff entry_point = 0x7ff904750000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 284 start_va = 0x7ff904d10000 end_va = 0x7ff904d93fff entry_point = 0x7ff904d10000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 285 start_va = 0x7ff906270000 end_va = 0x7ff9065a9fff entry_point = 0x7ff906270000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 286 start_va = 0x7ff9065b0000 end_va = 0x7ff90664bfff entry_point = 0x7ff9065b0000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Windows\\System32\\msvcp140.dll" (normalized: "c:\\windows\\system32\\msvcp140.dll") Region: id = 287 start_va = 0x7ff906650000 end_va = 0x7ff906665fff entry_point = 0x7ff906650000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll") Region: id = 288 start_va = 0x7ff908370000 end_va = 0x7ff908420fff entry_point = 0x7ff908370000 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 289 start_va = 0x7ff909310000 end_va = 0x7ff90934ffff entry_point = 0x7ff909310000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 290 start_va = 0x7ff90a710000 end_va = 0x7ff90a71bfff entry_point = 0x7ff90a710000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 291 start_va = 0x7ff90a9d0000 end_va = 0x7ff90a9d9fff entry_point = 0x7ff90a9d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 292 start_va = 0x7ff90aa00000 end_va = 0x7ff90aba8fff entry_point = 0x7ff90aa00000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 293 start_va = 0x7ff90c1a0000 end_va = 0x7ff90c413fff entry_point = 0x7ff90c1a0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 294 start_va = 0x7ff90c7b0000 end_va = 0x7ff90c7bdfff entry_point = 0x7ff90c7b0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 295 start_va = 0x7ff90ea40000 end_va = 0x7ff90ebc4fff entry_point = 0x7ff90ea40000 region_type = mapped_file name = "windows.globalization.dll" filename = "\\Windows\\System32\\Windows.Globalization.dll" (normalized: "c:\\windows\\system32\\windows.globalization.dll") Region: id = 296 start_va = 0x7ff90ebd0000 end_va = 0x7ff90ee2ffff entry_point = 0x7ff90ebd0000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 297 start_va = 0x7ff911760000 end_va = 0x7ff911788fff entry_point = 0x7ff911760000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 298 start_va = 0x7ff911790000 end_va = 0x7ff9117c5fff entry_point = 0x7ff911790000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 299 start_va = 0x7ff9117d0000 end_va = 0x7ff911d14fff entry_point = 0x7ff9117d0000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 300 start_va = 0x7ff911d20000 end_va = 0x7ff911f8efff entry_point = 0x7ff911d20000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 301 start_va = 0x7ff9120c0000 end_va = 0x7ff912270fff entry_point = 0x7ff9120c0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 302 start_va = 0x7ff912290000 end_va = 0x7ff912331fff entry_point = 0x7ff912290000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 303 start_va = 0x7ff912340000 end_va = 0x7ff9125e7fff entry_point = 0x7ff912340000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 304 start_va = 0x7ff9125f0000 end_va = 0x7ff912611fff entry_point = 0x7ff9125f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 305 start_va = 0x7ff912700000 end_va = 0x7ff9127e2fff entry_point = 0x7ff912700000 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 306 start_va = 0x7ff912ba0000 end_va = 0x7ff912ba6fff entry_point = 0x7ff912ba0000 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 307 start_va = 0x7ff912cb0000 end_va = 0x7ff912cdffff entry_point = 0x7ff912cb0000 region_type = mapped_file name = "globinputhost.dll" filename = "\\Windows\\System32\\globinputhost.dll" (normalized: "c:\\windows\\system32\\globinputhost.dll") Region: id = 308 start_va = 0x7ff9131f0000 end_va = 0x7ff913256fff entry_point = 0x7ff9131f0000 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 309 start_va = 0x7ff9132b0000 end_va = 0x7ff913435fff entry_point = 0x7ff9132b0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 310 start_va = 0x7ff9134a0000 end_va = 0x7ff9134b2fff entry_point = 0x7ff9134a0000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 311 start_va = 0x7ff9134c0000 end_va = 0x7ff9134e4fff entry_point = 0x7ff9134c0000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 312 start_va = 0x7ff913520000 end_va = 0x7ff913544fff entry_point = 0x7ff913520000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 313 start_va = 0x7ff9136e0000 end_va = 0x7ff913775fff entry_point = 0x7ff9136e0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 314 start_va = 0x7ff913880000 end_va = 0x7ff91397ffff entry_point = 0x7ff913880000 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 315 start_va = 0x7ff913f00000 end_va = 0x7ff913ff3fff entry_point = 0x7ff913f00000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 316 start_va = 0x7ff9149e0000 end_va = 0x7ff914a0cfff entry_point = 0x7ff9149e0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 317 start_va = 0x7ff914b70000 end_va = 0x7ff914bc5fff entry_point = 0x7ff914b70000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 318 start_va = 0x7ff914c90000 end_va = 0x7ff914cb8fff entry_point = 0x7ff914c90000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 319 start_va = 0x7ff914d60000 end_va = 0x7ff914d73fff entry_point = 0x7ff914d60000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 320 start_va = 0x7ff914d80000 end_va = 0x7ff914d8efff entry_point = 0x7ff914d80000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 321 start_va = 0x7ff914d90000 end_va = 0x7ff914ddafff entry_point = 0x7ff914d90000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 322 start_va = 0x7ff914df0000 end_va = 0x7ff915433fff entry_point = 0x7ff914df0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 323 start_va = 0x7ff9154a0000 end_va = 0x7ff915554fff entry_point = 0x7ff9154a0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 324 start_va = 0x7ff915610000 end_va = 0x7ff915679fff entry_point = 0x7ff915610000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 325 start_va = 0x7ff915870000 end_va = 0x7ff915a57fff entry_point = 0x7ff915870000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 326 start_va = 0x7ff915a60000 end_va = 0x7ff915aa2fff entry_point = 0x7ff915a60000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 327 start_va = 0x7ff915b40000 end_va = 0x7ff915c99fff entry_point = 0x7ff915b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 328 start_va = 0x7ff915d00000 end_va = 0x7ff915d3afff entry_point = 0x7ff915d00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 329 start_va = 0x7ff915d40000 end_va = 0x7ff915ec5fff entry_point = 0x7ff915d40000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 330 start_va = 0x7ff915ed0000 end_va = 0x7ff916012fff entry_point = 0x7ff915ed0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 331 start_va = 0x7ff916020000 end_va = 0x7ff9160c6fff entry_point = 0x7ff916020000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 332 start_va = 0x7ff9160d0000 end_va = 0x7ff916176fff entry_point = 0x7ff9160d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 333 start_va = 0x7ff916180000 end_va = 0x7ff91621cfff entry_point = 0x7ff916180000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 334 start_va = 0x7ff916220000 end_va = 0x7ff916375fff entry_point = 0x7ff916220000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 335 start_va = 0x7ff9164a0000 end_va = 0x7ff91671cfff entry_point = 0x7ff9164a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 336 start_va = 0x7ff9168d0000 end_va = 0x7ff91693efff entry_point = 0x7ff9168d0000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 337 start_va = 0x7ff9169a0000 end_va = 0x7ff916a0afff entry_point = 0x7ff9169a0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 338 start_va = 0x7ff916a20000 end_va = 0x7ff916ae0fff entry_point = 0x7ff916a20000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 339 start_va = 0x7ff916b10000 end_va = 0x7ff916b61fff entry_point = 0x7ff916b10000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 340 start_va = 0x7ff916b70000 end_va = 0x7ff916c8bfff entry_point = 0x7ff916b70000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 341 start_va = 0x7ff9170c0000 end_va = 0x7ff91716cfff entry_point = 0x7ff9170c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 342 start_va = 0x7ff917170000 end_va = 0x7ff9186cefff entry_point = 0x7ff917170000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 343 start_va = 0x7ff9186e0000 end_va = 0x7ff91873afff entry_point = 0x7ff9186e0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 344 start_va = 0x7ff918740000 end_va = 0x7ff918900fff entry_point = 0x7ff918740000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 351 start_va = 0x6402800000 end_va = 0x64028fffff entry_point = 0x0 region_type = private name = "private_0x0000006402800000" filename = "" Region: id = 352 start_va = 0x7ff90a550000 end_va = 0x7ff90a707fff entry_point = 0x7ff90a550000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 353 start_va = 0x7ff90f4e0000 end_va = 0x7ff90f861fff entry_point = 0x7ff90f4e0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 354 start_va = 0x1a7808d0000 end_va = 0x1a7808d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7808d0000" filename = "" Region: id = 355 start_va = 0x7ff909040000 end_va = 0x7ff909050fff entry_point = 0x7ff909040000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 356 start_va = 0x7ff90a0d0000 end_va = 0x7ff90a14efff entry_point = 0x7ff90a0d0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 357 start_va = 0x7ff911520000 end_va = 0x7ff91152cfff entry_point = 0x7ff911520000 region_type = mapped_file name = "wordcnvpxy.cnv" filename = "\\Program Files\\Microsoft Office\\Office16\\Wordcnvpxy.cnv" (normalized: "c:\\program files\\microsoft office\\office16\\wordcnvpxy.cnv") Region: id = 358 start_va = 0x7ff911520000 end_va = 0x7ff91152efff entry_point = 0x7ff911520000 region_type = mapped_file name = "recovr32.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv") Region: id = 359 start_va = 0x7ff902de0000 end_va = 0x7ff902e06fff entry_point = 0x7ff902de0000 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 360 start_va = 0x7ff902dd0000 end_va = 0x7ff902e08fff entry_point = 0x7ff902dd0000 region_type = mapped_file name = "wpft532.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv") Region: id = 361 start_va = 0x7ff902dc0000 end_va = 0x7ff902e0efff entry_point = 0x7ff902dc0000 region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 362 start_va = 0x7ff902da0000 end_va = 0x7ff902dc6fff entry_point = 0x7ff902da0000 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 363 start_va = 0x7ff902dd0000 end_va = 0x7ff902e08fff entry_point = 0x7ff902dd0000 region_type = mapped_file name = "wpft532.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv") Region: id = 364 start_va = 0x7ff902dc0000 end_va = 0x7ff902e0efff entry_point = 0x7ff902dc0000 region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 365 start_va = 0x7ff902da0000 end_va = 0x7ff902dc6fff entry_point = 0x7ff902da0000 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 366 start_va = 0x7ff902dd0000 end_va = 0x7ff902e08fff entry_point = 0x7ff902dd0000 region_type = mapped_file name = "wpft532.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv") Region: id = 367 start_va = 0x7ff902dc0000 end_va = 0x7ff902e0efff entry_point = 0x7ff902dc0000 region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 368 start_va = 0x1a7808e0000 end_va = 0x1a7808e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7808e0000" filename = "" Region: id = 369 start_va = 0x7ff8f4f80000 end_va = 0x7ff8f50dbfff entry_point = 0x7ff8f4f80000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 370 start_va = 0x7ff9144c0000 end_va = 0x7ff9144defff entry_point = 0x7ff9144c0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 371 start_va = 0x1a7808f0000 end_va = 0x1a7808f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7808f0000" filename = "" Region: id = 372 start_va = 0x7ff908b90000 end_va = 0x7ff908ba3fff entry_point = 0x7ff908b90000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 373 start_va = 0x7ff908bb0000 end_va = 0x7ff908ca5fff entry_point = 0x7ff908bb0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 374 start_va = 0x7ff914bf0000 end_va = 0x7ff914c88fff entry_point = 0x7ff914bf0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 375 start_va = 0x1a780900000 end_va = 0x1a78097ffff entry_point = 0x1a780900000 region_type = mapped_file name = "~wrf{cdd03d3e-f44d-4966-810f-c6ebe16373d4}.tmp" filename = "\\Users\\Nd9E1FYi\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\~WRF{CDD03D3E-F44D-4966-810F-C6EBE16373D4}.tmp" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\microsoft\\windows\\inetcache\\content.word\\~wrf{cdd03d3e-f44d-4966-810f-c6ebe16373d4}.tmp") Region: id = 376 start_va = 0x1a780980000 end_va = 0x1a780983fff entry_point = 0x1a780980000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 377 start_va = 0x1a780990000 end_va = 0x1a7809d4fff entry_point = 0x1a780990000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 378 start_va = 0x1a7809e0000 end_va = 0x1a7809e3fff entry_point = 0x1a7809e0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 379 start_va = 0x1a7809f0000 end_va = 0x1a7809f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7809f0000" filename = "" Region: id = 380 start_va = 0x1a780a00000 end_va = 0x1a780a01fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a780a00000" filename = "" Region: id = 381 start_va = 0x1a7824b0000 end_va = 0x1a78253dfff entry_point = 0x1a7824b0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 382 start_va = 0x1a7853e0000 end_va = 0x1a7863dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7853e0000" filename = "" Region: id = 383 start_va = 0x1a7863e0000 end_va = 0x1a7867dafff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7863e0000" filename = "" Region: id = 384 start_va = 0x7ff908070000 end_va = 0x7ff9080b9fff entry_point = 0x7ff908070000 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\System32\\DataExchange.dll" (normalized: "c:\\windows\\system32\\dataexchange.dll") Region: id = 385 start_va = 0x6402900000 end_va = 0x64029fffff entry_point = 0x0 region_type = private name = "private_0x0000006402900000" filename = "" Region: id = 386 start_va = 0x1a782540000 end_va = 0x1a782626fff entry_point = 0x1a782540000 region_type = mapped_file name = "calibri.ttf" filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf") Region: id = 387 start_va = 0x1a782630000 end_va = 0x1a78272ffff entry_point = 0x0 region_type = private name = "private_0x000001a782630000" filename = "" Region: id = 388 start_va = 0x1a782730000 end_va = 0x1a78273ffff entry_point = 0x0 region_type = private name = "private_0x000001a782730000" filename = "" Region: id = 389 start_va = 0x1a782740000 end_va = 0x1a78274ffff entry_point = 0x0 region_type = private name = "private_0x000001a782740000" filename = "" Region: id = 390 start_va = 0x1a782750000 end_va = 0x1a78275ffff entry_point = 0x0 region_type = private name = "private_0x000001a782750000" filename = "" Region: id = 391 start_va = 0x1a782760000 end_va = 0x1a78276ffff entry_point = 0x0 region_type = private name = "private_0x000001a782760000" filename = "" Region: id = 392 start_va = 0x1a7867e0000 end_va = 0x1a786b9cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7867e0000" filename = "" Region: id = 393 start_va = 0x1a786ba0000 end_va = 0x1a786f5cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a786ba0000" filename = "" Region: id = 394 start_va = 0x7ff907ab0000 end_va = 0x7ff907abcfff entry_point = 0x7ff907ab0000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 395 start_va = 0x7ff906bd0000 end_va = 0x7ff906caafff entry_point = 0x7ff906bd0000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 396 start_va = 0x7ff908e70000 end_va = 0x7ff908e95fff entry_point = 0x7ff908e70000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 397 start_va = 0x1a782770000 end_va = 0x1a782770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a782770000" filename = "" Region: id = 398 start_va = 0x7ff90d390000 end_va = 0x7ff90d3a1fff entry_point = 0x7ff90d390000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 399 start_va = 0x1a7827a0000 end_va = 0x1a7827a6fff entry_point = 0x0 region_type = private name = "private_0x000001a7827a0000" filename = "" Region: id = 400 start_va = 0x1a786f60000 end_va = 0x1a78705ffff entry_point = 0x0 region_type = private name = "private_0x000001a786f60000" filename = "" Region: id = 401 start_va = 0x7ff8f4960000 end_va = 0x7ff8f4dabfff entry_point = 0x7ff8f4960000 region_type = mapped_file name = "d3dcompiler_47.dll" filename = "\\Windows\\System32\\D3DCompiler_47.dll" (normalized: "c:\\windows\\system32\\d3dcompiler_47.dll") Region: id = 402 start_va = 0x7ff9146e0000 end_va = 0x7ff9146f6fff entry_point = 0x7ff9146e0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 403 start_va = 0x1a782780000 end_va = 0x1a78278ffff entry_point = 0x0 region_type = private name = "private_0x000001a782780000" filename = "" Region: id = 404 start_va = 0x1a782790000 end_va = 0x1a78279ffff entry_point = 0x0 region_type = private name = "private_0x000001a782790000" filename = "" Region: id = 405 start_va = 0x1a787060000 end_va = 0x1a78802ffff entry_point = 0x0 region_type = private name = "private_0x000001a787060000" filename = "" Region: id = 406 start_va = 0x1a788030000 end_va = 0x1a78812ffff entry_point = 0x0 region_type = private name = "private_0x000001a788030000" filename = "" Region: id = 407 start_va = 0x7ff78b900000 end_va = 0x7ff78b90ffff entry_point = 0x0 region_type = private name = "private_0x00007ff78b900000" filename = "" Region: id = 408 start_va = 0x1a7846f0000 end_va = 0x1a7846fffff entry_point = 0x0 region_type = private name = "private_0x000001a7846f0000" filename = "" Region: id = 409 start_va = 0x1a788130000 end_va = 0x1a78813ffff entry_point = 0x0 region_type = private name = "private_0x000001a788130000" filename = "" Region: id = 410 start_va = 0x1a788140000 end_va = 0x1a78814ffff entry_point = 0x0 region_type = private name = "private_0x000001a788140000" filename = "" Region: id = 411 start_va = 0x1a788150000 end_va = 0x1a78815ffff entry_point = 0x0 region_type = private name = "private_0x000001a788150000" filename = "" Region: id = 412 start_va = 0x1a788160000 end_va = 0x1a78816ffff entry_point = 0x0 region_type = private name = "private_0x000001a788160000" filename = "" Region: id = 413 start_va = 0x1a788170000 end_va = 0x1a78826ffff entry_point = 0x0 region_type = private name = "private_0x000001a788170000" filename = "" Region: id = 414 start_va = 0x1a788270000 end_va = 0x1a78827ffff entry_point = 0x0 region_type = private name = "private_0x000001a788270000" filename = "" Region: id = 415 start_va = 0x1a788280000 end_va = 0x1a78828ffff entry_point = 0x0 region_type = private name = "private_0x000001a788280000" filename = "" Region: id = 416 start_va = 0x1a788290000 end_va = 0x1a78829ffff entry_point = 0x0 region_type = private name = "private_0x000001a788290000" filename = "" Region: id = 417 start_va = 0x1a7882a0000 end_va = 0x1a7882affff entry_point = 0x0 region_type = private name = "private_0x000001a7882a0000" filename = "" Region: id = 418 start_va = 0x1a7882b0000 end_va = 0x1a7882bffff entry_point = 0x0 region_type = private name = "private_0x000001a7882b0000" filename = "" Region: id = 419 start_va = 0x1a7882c0000 end_va = 0x1a7882cffff entry_point = 0x0 region_type = private name = "private_0x000001a7882c0000" filename = "" Region: id = 420 start_va = 0x1a7882d0000 end_va = 0x1a7882dffff entry_point = 0x0 region_type = private name = "private_0x000001a7882d0000" filename = "" Region: id = 421 start_va = 0x1a7882e0000 end_va = 0x1a7882effff entry_point = 0x0 region_type = private name = "private_0x000001a7882e0000" filename = "" Region: id = 422 start_va = 0x1a7882f0000 end_va = 0x1a7882fffff entry_point = 0x0 region_type = private name = "private_0x000001a7882f0000" filename = "" Region: id = 423 start_va = 0x1a788300000 end_va = 0x1a78830ffff entry_point = 0x0 region_type = private name = "private_0x000001a788300000" filename = "" Region: id = 424 start_va = 0x7ff78b8f0000 end_va = 0x7ff78b8fffff entry_point = 0x0 region_type = private name = "private_0x00007ff78b8f0000" filename = "" Region: id = 425 start_va = 0x1a788310000 end_va = 0x1a78831cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a788310000" filename = "" Region: id = 426 start_va = 0x1a788320000 end_va = 0x1a78832cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a788320000" filename = "" Region: id = 427 start_va = 0x7ff8fcf00000 end_va = 0x7ff8fcf53fff entry_point = 0x7ff8fcf00000 region_type = mapped_file name = "msproof7.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\msproof7.dll" (normalized: "c:\\program files\\microsoft office\\office16\\msproof7.dll") Region: id = 428 start_va = 0x1a788330000 end_va = 0x1a788341fff entry_point = 0x1a788330000 region_type = mapped_file name = "normidna.nls" filename = "\\Windows\\System32\\normidna.nls" (normalized: "c:\\windows\\system32\\normidna.nls") Region: id = 429 start_va = 0x7ff907b80000 end_va = 0x7ff907bcffff entry_point = 0x7ff907b80000 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 430 start_va = 0x7ff916380000 end_va = 0x7ff916386fff entry_point = 0x7ff916380000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 431 start_va = 0x1a788370000 end_va = 0x1a788370fff entry_point = 0x0 region_type = private name = "private_0x000001a788370000" filename = "" Region: id = 432 start_va = 0x1a788380000 end_va = 0x1a788475fff entry_point = 0x1a788380000 region_type = mapped_file name = "times.ttf" filename = "\\Windows\\Fonts\\times.ttf" (normalized: "c:\\windows\\fonts\\times.ttf") Region: id = 433 start_va = 0x1a788490000 end_va = 0x1a788491fff entry_point = 0x0 region_type = private name = "private_0x000001a788490000" filename = "" Region: id = 434 start_va = 0x1a7884b0000 end_va = 0x1a7884b1fff entry_point = 0x0 region_type = private name = "private_0x000001a7884b0000" filename = "" Region: id = 435 start_va = 0x1a7884c0000 end_va = 0x1a788585fff entry_point = 0x1a7884c0000 region_type = mapped_file name = "calibril.ttf" filename = "\\Windows\\Fonts\\calibril.ttf" (normalized: "c:\\windows\\fonts\\calibril.ttf") Region: id = 436 start_va = 0x1a7885a0000 end_va = 0x1a7885a1fff entry_point = 0x0 region_type = private name = "private_0x000001a7885a0000" filename = "" Region: id = 437 start_va = 0x1a7885c0000 end_va = 0x1a7885c1fff entry_point = 0x0 region_type = private name = "private_0x000001a7885c0000" filename = "" Region: id = 438 start_va = 0x1a7885e0000 end_va = 0x1a7885e1fff entry_point = 0x0 region_type = private name = "private_0x000001a7885e0000" filename = "" Region: id = 439 start_va = 0x1a788600000 end_va = 0x1a788601fff entry_point = 0x0 region_type = private name = "private_0x000001a788600000" filename = "" Region: id = 440 start_va = 0x1a788610000 end_va = 0x1a788703fff entry_point = 0x1a788610000 region_type = mapped_file name = "calibrii.ttf" filename = "\\Windows\\Fonts\\calibrii.ttf" (normalized: "c:\\windows\\fonts\\calibrii.ttf") Region: id = 441 start_va = 0x1a788720000 end_va = 0x1a788721fff entry_point = 0x0 region_type = private name = "private_0x000001a788720000" filename = "" Region: id = 442 start_va = 0x1a788740000 end_va = 0x1a788741fff entry_point = 0x0 region_type = private name = "private_0x000001a788740000" filename = "" Region: id = 443 start_va = 0x1a788760000 end_va = 0x1a788761fff entry_point = 0x0 region_type = private name = "private_0x000001a788760000" filename = "" Region: id = 444 start_va = 0x7ff8f46a0000 end_va = 0x7ff8f472cfff entry_point = 0x7ff8f46a0000 region_type = mapped_file name = "msgr8en.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\PROOF\\1033\\MSGR8EN.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\proof\\1033\\msgr8en.dll") Region: id = 445 start_va = 0x7ff914370000 end_va = 0x7ff9143a3fff entry_point = 0x7ff914370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 446 start_va = 0x7ff914800000 end_va = 0x7ff91480afff entry_point = 0x7ff914800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 447 start_va = 0x7ff78b8e0000 end_va = 0x7ff78b8effff entry_point = 0x0 region_type = private name = "private_0x00007ff78b8e0000" filename = "" Region: id = 448 start_va = 0x1a788350000 end_va = 0x1a788350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a788350000" filename = "" Region: id = 449 start_va = 0x1a788360000 end_va = 0x1a788360fff entry_point = 0x0 region_type = private name = "private_0x000001a788360000" filename = "" Region: id = 450 start_va = 0x1a788480000 end_va = 0x1a78848efff entry_point = 0x0 region_type = private name = "private_0x000001a788480000" filename = "" Region: id = 451 start_va = 0x1a7884a0000 end_va = 0x1a7884a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7884a0000" filename = "" Region: id = 452 start_va = 0x1a788590000 end_va = 0x1a788590fff entry_point = 0x0 region_type = private name = "private_0x000001a788590000" filename = "" Region: id = 453 start_va = 0x1a7885d0000 end_va = 0x1a7885d0fff entry_point = 0x0 region_type = private name = "private_0x000001a7885d0000" filename = "" Region: id = 454 start_va = 0x1a788710000 end_va = 0x1a788710fff entry_point = 0x0 region_type = private name = "private_0x000001a788710000" filename = "" Region: id = 455 start_va = 0x1a788750000 end_va = 0x1a788750fff entry_point = 0x0 region_type = private name = "private_0x000001a788750000" filename = "" Region: id = 456 start_va = 0x1a788780000 end_va = 0x1a78878ffff entry_point = 0x0 region_type = private name = "private_0x000001a788780000" filename = "" Region: id = 457 start_va = 0x1a788790000 end_va = 0x1a78879ffff entry_point = 0x0 region_type = private name = "private_0x000001a788790000" filename = "" Region: id = 458 start_va = 0x7ff8f3a60000 end_va = 0x7ff8f451dfff entry_point = 0x7ff8f3a60000 region_type = mapped_file name = "igx.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\IGX.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\igx.dll") Region: id = 459 start_va = 0x7ff90f030000 end_va = 0x7ff90f0f7fff entry_point = 0x7ff90f030000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 460 start_va = 0x6402a00000 end_va = 0x6402afffff entry_point = 0x0 region_type = private name = "private_0x0000006402a00000" filename = "" Region: id = 461 start_va = 0x7ff90de40000 end_va = 0x7ff90de77fff entry_point = 0x7ff90de40000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 462 start_va = 0x7ff9186d0000 end_va = 0x7ff9186d7fff entry_point = 0x7ff9186d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 463 start_va = 0x7ff90d750000 end_va = 0x7ff90d765fff entry_point = 0x7ff90d750000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 464 start_va = 0x7ff90d730000 end_va = 0x7ff90d749fff entry_point = 0x7ff90d730000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 465 start_va = 0x7ff90c710000 end_va = 0x7ff90c724fff entry_point = 0x7ff90c710000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 466 start_va = 0x7ff90a2c0000 end_va = 0x7ff90a54dfff entry_point = 0x7ff90a2c0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 467 start_va = 0x1a7885b0000 end_va = 0x1a7885b0fff entry_point = 0x1a7885b0000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\Nd9E1FYi\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 468 start_va = 0x7ff9137d0000 end_va = 0x7ff913879fff entry_point = 0x7ff9137d0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 469 start_va = 0x7ff914630000 end_va = 0x7ff91468bfff entry_point = 0x7ff914630000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 470 start_va = 0x7ff90d6a0000 end_va = 0x7ff90d6aafff entry_point = 0x7ff90d6a0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 471 start_va = 0x7ff908890000 end_va = 0x7ff90890ffff entry_point = 0x7ff908890000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 472 start_va = 0x7ff90c420000 end_va = 0x7ff90c429fff entry_point = 0x7ff90c420000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 473 start_va = 0x7ff90d5e0000 end_va = 0x7ff90d646fff entry_point = 0x7ff90d5e0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 474 start_va = 0x7ff9142b0000 end_va = 0x7ff914329fff entry_point = 0x7ff9142b0000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 475 start_va = 0x7ff914de0000 end_va = 0x7ff914deffff entry_point = 0x7ff914de0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 476 start_va = 0x7ff915680000 end_va = 0x7ff915846fff entry_point = 0x7ff915680000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 477 start_va = 0x1a7885f0000 end_va = 0x1a7885f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001a7885f0000" filename = "" Region: id = 478 start_va = 0x1a788730000 end_va = 0x1a788732fff entry_point = 0x0 region_type = private name = "private_0x000001a788730000" filename = "" Region: id = 479 start_va = 0x7ff900cd0000 end_va = 0x7ff900ce3fff entry_point = 0x7ff900cd0000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 480 start_va = 0x7ff914890000 end_va = 0x7ff9148c9fff entry_point = 0x7ff914890000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 481 start_va = 0x7ff9148d0000 end_va = 0x7ff9148f6fff entry_point = 0x7ff9148d0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 482 start_va = 0x6402b00000 end_va = 0x6402bfffff entry_point = 0x0 region_type = private name = "private_0x0000006402b00000" filename = "" Region: id = 483 start_va = 0x7ff900d50000 end_va = 0x7ff900d6dfff entry_point = 0x7ff900d50000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 484 start_va = 0x7ff904a50000 end_va = 0x7ff904bb1fff entry_point = 0x7ff904a50000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 485 start_va = 0x7ff9143b0000 end_va = 0x7ff9143b9fff entry_point = 0x7ff9143b0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Thread: id = 1 os_tid = 0x44c Thread: id = 2 os_tid = 0xe94 Thread: id = 3 os_tid = 0xd54 Thread: id = 4 os_tid = 0x80c Thread: id = 5 os_tid = 0x424 Thread: id = 6 os_tid = 0xe18 Thread: id = 7 os_tid = 0x5b0 Thread: id = 8 os_tid = 0x2e4 Thread: id = 9 os_tid = 0x874 Thread: id = 10 os_tid = 0x62c Thread: id = 11 os_tid = 0x5f8 Thread: id = 12 os_tid = 0x4ec Thread: id = 13 os_tid = 0x4bc Thread: id = 14 os_tid = 0xd34 Thread: id = 15 os_tid = 0x78 Thread: id = 16 os_tid = 0x79c Thread: id = 17 os_tid = 0xad8 Thread: id = 18 os_tid = 0xad0 Thread: id = 19 os_tid = 0xc38 Thread: id = 20 os_tid = 0xb84