# Flog Txt Version 1 # Analyzer Version: 2.3.1 # Analyzer Build Date: Jul 30 2018 16:44:55 # Log Creation Date: 05.08.2018 19:04:18.342 Process: id = "1" image_name = "winword.exe" filename = "c:\\program files\\microsoft office\\office16\\winword.exe" page_root = "0x46e89000" os_pid = "0xcdc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" /n" cur_dir = "C:\\Users\\Nd9E1FYi\\Desktop\\" os_username = "X2VS1CUM\\Nd9E1FYi" os_groups = "X2VS1CUM\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f77c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 136 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 137 start_va = 0x76a7400000 end_va = 0x76a75fffff entry_point = 0x0 region_type = private name = "private_0x00000076a7400000" filename = "" Region: id = 138 start_va = 0x76a7600000 end_va = 0x76a76fffff entry_point = 0x0 region_type = private name = "private_0x00000076a7600000" filename = "" Region: id = 139 start_va = 0x76a7700000 end_va = 0x76a77fffff entry_point = 0x0 region_type = private name = "private_0x00000076a7700000" filename = "" Region: id = 140 start_va = 0x76a7900000 end_va = 0x76a79fffff entry_point = 0x0 region_type = private name = "private_0x00000076a7900000" filename = "" Region: id = 141 start_va = 0x76a7a00000 end_va = 0x76a7afffff entry_point = 0x0 region_type = private name = "private_0x00000076a7a00000" filename = "" Region: id = 142 start_va = 0x76a7b00000 end_va = 0x76a7bfffff entry_point = 0x0 region_type = private name = "private_0x00000076a7b00000" filename = "" Region: id = 143 start_va = 0x76a7c00000 end_va = 0x76a7cfffff entry_point = 0x0 region_type = private name = "private_0x00000076a7c00000" filename = "" Region: id = 144 start_va = 0x76a7d00000 end_va = 0x76a7dfffff entry_point = 0x0 region_type = private name = "private_0x00000076a7d00000" filename = "" Region: id = 145 start_va = 0x76a7e00000 end_va = 0x76a7efffff entry_point = 0x0 region_type = private name = "private_0x00000076a7e00000" filename = "" Region: id = 146 start_va = 0x76a7f00000 end_va = 0x76a7ffffff entry_point = 0x0 region_type = private name = "private_0x00000076a7f00000" filename = "" Region: id = 147 start_va = 0x76a8000000 end_va = 0x76a80fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8000000" filename = "" Region: id = 148 start_va = 0x76a8200000 end_va = 0x76a82fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8200000" filename = "" Region: id = 149 start_va = 0x76a8300000 end_va = 0x76a83fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8300000" filename = "" Region: id = 150 start_va = 0x76a8400000 end_va = 0x76a84fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8400000" filename = "" Region: id = 151 start_va = 0x76a8500000 end_va = 0x76a85fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8500000" filename = "" Region: id = 152 start_va = 0x76a8600000 end_va = 0x76a86fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8600000" filename = "" Region: id = 153 start_va = 0x20f8c0c0000 end_va = 0x20f8c0cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c0c0000" filename = "" Region: id = 154 start_va = 0x20f8c0d0000 end_va = 0x20f8c0d6fff entry_point = 0x0 region_type = private name = "private_0x0000020f8c0d0000" filename = "" Region: id = 155 start_va = 0x20f8c0e0000 end_va = 0x20f8c0f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c0e0000" filename = "" Region: id = 156 start_va = 0x20f8c100000 end_va = 0x20f8c103fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c100000" filename = "" Region: id = 157 start_va = 0x20f8c110000 end_va = 0x20f8c113fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c110000" filename = "" Region: id = 158 start_va = 0x20f8c120000 end_va = 0x20f8c121fff entry_point = 0x0 region_type = private name = "private_0x0000020f8c120000" filename = "" Region: id = 159 start_va = 0x20f8c130000 end_va = 0x20f8c136fff entry_point = 0x0 region_type = private name = "private_0x0000020f8c130000" filename = "" Region: id = 160 start_va = 0x20f8c140000 end_va = 0x20f8c140fff entry_point = 0x0 region_type = private name = "private_0x0000020f8c140000" filename = "" Region: id = 161 start_va = 0x20f8c150000 end_va = 0x20f8c150fff entry_point = 0x0 region_type = private name = "private_0x0000020f8c150000" filename = "" Region: id = 162 start_va = 0x20f8c160000 end_va = 0x20f8c161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c160000" filename = "" Region: id = 163 start_va = 0x20f8c170000 end_va = 0x20f8c171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c170000" filename = "" Region: id = 164 start_va = 0x20f8c180000 end_va = 0x20f8c180fff entry_point = 0x0 region_type = private name = "private_0x0000020f8c180000" filename = "" Region: id = 165 start_va = 0x20f8c190000 end_va = 0x20f8c28ffff entry_point = 0x0 region_type = private name = "private_0x0000020f8c190000" filename = "" Region: id = 166 start_va = 0x20f8c290000 end_va = 0x20f8c34dfff entry_point = 0x20f8c290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 167 start_va = 0x20f8c350000 end_va = 0x20f8c350fff entry_point = 0x0 region_type = private name = "private_0x0000020f8c350000" filename = "" Region: id = 168 start_va = 0x20f8c360000 end_va = 0x20f8c361fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c360000" filename = "" Region: id = 169 start_va = 0x20f8c370000 end_va = 0x20f8c37ffff entry_point = 0x0 region_type = private name = "private_0x0000020f8c370000" filename = "" Region: id = 170 start_va = 0x20f8c380000 end_va = 0x20f8c381fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c380000" filename = "" Region: id = 171 start_va = 0x20f8c390000 end_va = 0x20f8c391fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c390000" filename = "" Region: id = 172 start_va = 0x20f8c3a0000 end_va = 0x20f8c3a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c3a0000" filename = "" Region: id = 173 start_va = 0x20f8c3b0000 end_va = 0x20f8c3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c3b0000" filename = "" Region: id = 174 start_va = 0x20f8c3c0000 end_va = 0x20f8c3cffff entry_point = 0x0 region_type = private name = "private_0x0000020f8c3c0000" filename = "" Region: id = 175 start_va = 0x20f8c3d0000 end_va = 0x20f8c557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c3d0000" filename = "" Region: id = 176 start_va = 0x20f8c560000 end_va = 0x20f8c6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c560000" filename = "" Region: id = 177 start_va = 0x20f8c6f0000 end_va = 0x20f8daeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8c6f0000" filename = "" Region: id = 178 start_va = 0x20f8daf0000 end_va = 0x20f8daf1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8daf0000" filename = "" Region: id = 179 start_va = 0x20f8db00000 end_va = 0x20f8db04fff entry_point = 0x20f8db00000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 180 start_va = 0x20f8db10000 end_va = 0x20f8db11fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8db10000" filename = "" Region: id = 181 start_va = 0x20f8db20000 end_va = 0x20f8db21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8db20000" filename = "" Region: id = 182 start_va = 0x20f8db30000 end_va = 0x20f8db30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8db30000" filename = "" Region: id = 183 start_va = 0x20f8db40000 end_va = 0x20f8db4ffff entry_point = 0x20f8db40000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 184 start_va = 0x20f8db50000 end_va = 0x20f8db5efff entry_point = 0x20f8db50000 region_type = mapped_file name = "msointl30.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\msointl30.dll") Region: id = 185 start_va = 0x20f8db60000 end_va = 0x20f8db60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8db60000" filename = "" Region: id = 186 start_va = 0x20f8db70000 end_va = 0x20f8db76fff entry_point = 0x0 region_type = private name = "private_0x0000020f8db70000" filename = "" Region: id = 187 start_va = 0x20f8dbb0000 end_va = 0x20f8dbbffff entry_point = 0x0 region_type = private name = "private_0x0000020f8dbb0000" filename = "" Region: id = 188 start_va = 0x20f8dbc0000 end_va = 0x20f8dc7bfff entry_point = 0x20f8dbc0000 region_type = mapped_file name = "wwintl.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\1033\\WWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\1033\\wwintl.dll") Region: id = 189 start_va = 0x20f8dca0000 end_va = 0x20f8dca3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8dca0000" filename = "" Region: id = 190 start_va = 0x20f8dcb0000 end_va = 0x20f8dcb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8dcb0000" filename = "" Region: id = 191 start_va = 0x20f8dcc0000 end_va = 0x20f8dcdffff entry_point = 0x0 region_type = private name = "private_0x0000020f8dcc0000" filename = "" Region: id = 192 start_va = 0x20f8dce0000 end_va = 0x20f8de98fff entry_point = 0x20f8dce0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 193 start_va = 0x20f8dea0000 end_va = 0x20f8e1a7fff entry_point = 0x20f8dea0000 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso40uires.dll") Region: id = 194 start_va = 0x20f8e1b0000 end_va = 0x20f8ead0fff entry_point = 0x20f8e1b0000 region_type = mapped_file name = "mso99lres.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso99lres.dll") Region: id = 195 start_va = 0x20f8eae0000 end_va = 0x20f9391efff entry_point = 0x20f8eae0000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msores.dll") Region: id = 196 start_va = 0x20f93920000 end_va = 0x20f93a9afff entry_point = 0x20f93920000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\msointl.dll") Region: id = 197 start_va = 0x20f93bb0000 end_va = 0x20f93ee6fff entry_point = 0x20f93bb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 198 start_va = 0x20f93ef0000 end_va = 0x20f93fabfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f93ef0000" filename = "" Region: id = 199 start_va = 0x20f93fb0000 end_va = 0x20f940affff entry_point = 0x0 region_type = private name = "private_0x0000020f93fb0000" filename = "" Region: id = 200 start_va = 0x20f940b0000 end_va = 0x20f940ddfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f940b0000" filename = "" Region: id = 201 start_va = 0x20f940e0000 end_va = 0x20f940e0fff entry_point = 0x0 region_type = private name = "private_0x0000020f940e0000" filename = "" Region: id = 202 start_va = 0x20f940f0000 end_va = 0x20f940f0fff entry_point = 0x0 region_type = private name = "private_0x0000020f940f0000" filename = "" Region: id = 203 start_va = 0x20f94100000 end_va = 0x20f94100fff entry_point = 0x0 region_type = private name = "private_0x0000020f94100000" filename = "" Region: id = 204 start_va = 0x20f94110000 end_va = 0x20f94110fff entry_point = 0x0 region_type = private name = "private_0x0000020f94110000" filename = "" Region: id = 205 start_va = 0x20f94120000 end_va = 0x20f94195fff entry_point = 0x20f94120000 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 206 start_va = 0x20f941a0000 end_va = 0x20f9429ffff entry_point = 0x0 region_type = private name = "private_0x0000020f941a0000" filename = "" Region: id = 207 start_va = 0x20f942a0000 end_va = 0x20f94a9ffff entry_point = 0x20f942a0000 region_type = mapped_file name = "~fontcache-s-1-5-21-2172869166-1497266965-2109836178-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-2172869166-1497266965-2109836178-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-2172869166-1497266965-2109836178-1000.dat") Region: id = 208 start_va = 0x20f94aa0000 end_va = 0x20f94e9ffff entry_point = 0x0 region_type = private name = "private_0x0000020f94aa0000" filename = "" Region: id = 209 start_va = 0x20f94ea0000 end_va = 0x20f95391fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f94ea0000" filename = "" Region: id = 210 start_va = 0x20f953a0000 end_va = 0x20f953a0fff entry_point = 0x0 region_type = private name = "private_0x0000020f953a0000" filename = "" Region: id = 211 start_va = 0x20f953b0000 end_va = 0x20f953b0fff entry_point = 0x0 region_type = private name = "private_0x0000020f953b0000" filename = "" Region: id = 212 start_va = 0x20f953c0000 end_va = 0x20f953c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f953c0000" filename = "" Region: id = 213 start_va = 0x20f953d0000 end_va = 0x20f953d0fff entry_point = 0x0 region_type = private name = "private_0x0000020f953d0000" filename = "" Region: id = 214 start_va = 0x20f953e0000 end_va = 0x20f953e6fff entry_point = 0x0 region_type = private name = "private_0x0000020f953e0000" filename = "" Region: id = 215 start_va = 0x20f953f0000 end_va = 0x20f953f4fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f953f0000" filename = "" Region: id = 216 start_va = 0x20f95400000 end_va = 0x20f95400fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f95400000" filename = "" Region: id = 217 start_va = 0x20f95410000 end_va = 0x20f9541ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95410000" filename = "" Region: id = 218 start_va = 0x20f95420000 end_va = 0x20f95420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f95420000" filename = "" Region: id = 219 start_va = 0x20f95430000 end_va = 0x20f954bbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f95430000" filename = "" Region: id = 220 start_va = 0x20f954c0000 end_va = 0x20f954c0fff entry_point = 0x0 region_type = private name = "private_0x0000020f954c0000" filename = "" Region: id = 221 start_va = 0x20f954d0000 end_va = 0x20f954d0fff entry_point = 0x20f954d0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 222 start_va = 0x20f954e0000 end_va = 0x20f954fbfff entry_point = 0x20f954e0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000025.db" filename = "\\Users\\Nd9E1FYi\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000025.db" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000025.db") Region: id = 223 start_va = 0x20f95500000 end_va = 0x20f95500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f95500000" filename = "" Region: id = 224 start_va = 0x20f95510000 end_va = 0x20f95516fff entry_point = 0x0 region_type = private name = "private_0x0000020f95510000" filename = "" Region: id = 225 start_va = 0x20f95520000 end_va = 0x20f95521fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f95520000" filename = "" Region: id = 226 start_va = 0x20f95530000 end_va = 0x20f9553ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95530000" filename = "" Region: id = 227 start_va = 0x20f95540000 end_va = 0x20f9573ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95540000" filename = "" Region: id = 228 start_va = 0x20f95740000 end_va = 0x20f95f3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f95740000" filename = "" Region: id = 229 start_va = 0x20f96080000 end_va = 0x20f9647ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96080000" filename = "" Region: id = 230 start_va = 0x20f96480000 end_va = 0x20f9657ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96480000" filename = "" Region: id = 231 start_va = 0x20f96580000 end_va = 0x20f96580fff entry_point = 0x0 region_type = private name = "private_0x0000020f96580000" filename = "" Region: id = 232 start_va = 0x20f96590000 end_va = 0x20f965d1fff entry_point = 0x20f96590000 region_type = mapped_file name = "d2d1.dll.mui" filename = "\\Windows\\System32\\en-US\\d2d1.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\d2d1.dll.mui") Region: id = 233 start_va = 0x20f965e0000 end_va = 0x20f965e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f965e0000" filename = "" Region: id = 234 start_va = 0x20f965f0000 end_va = 0x20f965fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f965f0000" filename = "" Region: id = 235 start_va = 0x20f96600000 end_va = 0x20f9660ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f96600000" filename = "" Region: id = 236 start_va = 0x20f96610000 end_va = 0x20f9661ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f96610000" filename = "" Region: id = 237 start_va = 0x20f96630000 end_va = 0x20f96640fff entry_point = 0x20f96630000 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 238 start_va = 0x20f96650000 end_va = 0x20f9665ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96650000" filename = "" Region: id = 239 start_va = 0x20f96660000 end_va = 0x20f9673ffff entry_point = 0x20f96660000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 240 start_va = 0x20f96740000 end_va = 0x20f9683ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96740000" filename = "" Region: id = 241 start_va = 0x20f96840000 end_va = 0x20f9783ffff entry_point = 0x20f96840000 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 242 start_va = 0x20f97840000 end_va = 0x20f9791efff entry_point = 0x20f97840000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 243 start_va = 0x20f97920000 end_va = 0x20f979f5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f97920000" filename = "" Region: id = 244 start_va = 0x20f97a00000 end_va = 0x20f97ad5fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f97a00000" filename = "" Region: id = 245 start_va = 0x20f97ae0000 end_va = 0x20f97afefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f97ae0000" filename = "" Region: id = 246 start_va = 0x20f97b00000 end_va = 0x20f97b1efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f97b00000" filename = "" Region: id = 247 start_va = 0x20f97e00000 end_va = 0x20f9820dfff entry_point = 0x0 region_type = private name = "private_0x0000020f97e00000" filename = "" Region: id = 248 start_va = 0x20f98210000 end_va = 0x20f9861afff entry_point = 0x0 region_type = private name = "private_0x0000020f98210000" filename = "" Region: id = 249 start_va = 0x20f98620000 end_va = 0x20f98a23fff entry_point = 0x0 region_type = private name = "private_0x0000020f98620000" filename = "" Region: id = 250 start_va = 0x20f98a30000 end_va = 0x20f98aaffff entry_point = 0x0 region_type = private name = "private_0x0000020f98a30000" filename = "" Region: id = 251 start_va = 0x20f98ab0000 end_va = 0x20f98caffff entry_point = 0x0 region_type = private name = "private_0x0000020f98ab0000" filename = "" Region: id = 252 start_va = 0x20f98cb0000 end_va = 0x20f99ceffff entry_point = 0x20f98cb0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 253 start_va = 0x20f99d10000 end_va = 0x20f9a50ffff entry_point = 0x0 region_type = private name = "private_0x0000020f99d10000" filename = "" Region: id = 254 start_va = 0x20f9a510000 end_va = 0x20f9a9edfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9a510000" filename = "" Region: id = 255 start_va = 0x7ff67b760000 end_va = 0x7ff67b76ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67b760000" filename = "" Region: id = 256 start_va = 0x7ff67b770000 end_va = 0x7ff67b77ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67b770000" filename = "" Region: id = 257 start_va = 0x7ff67b780000 end_va = 0x7ff67b87ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67b780000" filename = "" Region: id = 258 start_va = 0x7ff67b880000 end_va = 0x7ff67b8a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff67b880000" filename = "" Region: id = 259 start_va = 0x7ff67c310000 end_va = 0x7ff67c4e9fff entry_point = 0x7ff67c310000 region_type = mapped_file name = "winword.exe" filename = "\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\winword.exe") Region: id = 260 start_va = 0x7ffb761a0000 end_va = 0x7ffb761affff entry_point = 0x0 region_type = private name = "private_0x00007ffb761a0000" filename = "" Region: id = 261 start_va = 0x7ffb95710000 end_va = 0x7ffb95727fff entry_point = 0x7ffb95710000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 262 start_va = 0x7ffb95730000 end_va = 0x7ffb96228fff entry_point = 0x7ffb95730000 region_type = mapped_file name = "chart.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\CHART.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\chart.dll") Region: id = 263 start_va = 0x7ffb968a0000 end_va = 0x7ffb97b7bfff entry_point = 0x7ffb968a0000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso.dll") Region: id = 264 start_va = 0x7ffb97b80000 end_va = 0x7ffb9834bfff entry_point = 0x7ffb97b80000 region_type = mapped_file name = "mso99lwin32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso99Lwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso99lwin32client.dll") Region: id = 265 start_va = 0x7ffb98350000 end_va = 0x7ffb98c3afff entry_point = 0x7ffb98350000 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso40uiwin32client.dll") Region: id = 266 start_va = 0x7ffb98c40000 end_va = 0x7ffb990b7fff entry_point = 0x7ffb98c40000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 267 start_va = 0x7ffb990c0000 end_va = 0x7ffb9a22bfff entry_point = 0x7ffb990c0000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\oart.dll") Region: id = 268 start_va = 0x7ffb9a230000 end_va = 0x7ffb9c5cefff entry_point = 0x7ffb9a230000 region_type = mapped_file name = "wwlib.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\WWLIB.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\wwlib.dll") Region: id = 269 start_va = 0x7ffb9e340000 end_va = 0x7ffb9e562fff entry_point = 0x7ffb9e340000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\riched20.dll") Region: id = 270 start_va = 0x7ffb9e940000 end_va = 0x7ffb9e9d7fff entry_point = 0x7ffb9e940000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 271 start_va = 0x7ffb9e9e0000 end_va = 0x7ffb9ea47fff entry_point = 0x7ffb9e9e0000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 272 start_va = 0x7ffb9ea50000 end_va = 0x7ffb9ebbffff entry_point = 0x7ffb9ea50000 region_type = mapped_file name = "msptls.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msptls.dll") Region: id = 273 start_va = 0x7ffb9ebc0000 end_va = 0x7ffb9eec3fff entry_point = 0x7ffb9ebc0000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 274 start_va = 0x7ffba3630000 end_va = 0x7ffba366dfff entry_point = 0x7ffba3630000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 275 start_va = 0x7ffba3d00000 end_va = 0x7ffba3d61fff entry_point = 0x7ffba3d00000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 276 start_va = 0x7ffba59e0000 end_va = 0x7ffba5c59fff entry_point = 0x7ffba59e0000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 277 start_va = 0x7ffba6050000 end_va = 0x7ffba60ebfff entry_point = 0x7ffba6050000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Windows\\System32\\msvcp140.dll" (normalized: "c:\\windows\\system32\\msvcp140.dll") Region: id = 278 start_va = 0x7ffba60f0000 end_va = 0x7ffba6105fff entry_point = 0x7ffba60f0000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll") Region: id = 279 start_va = 0x7ffba6820000 end_va = 0x7ffba6b59fff entry_point = 0x7ffba6820000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 280 start_va = 0x7ffba6b60000 end_va = 0x7ffba6be3fff entry_point = 0x7ffba6b60000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 281 start_va = 0x7ffba83e0000 end_va = 0x7ffba8490fff entry_point = 0x7ffba83e0000 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 282 start_va = 0x7ffba96d0000 end_va = 0x7ffba970ffff entry_point = 0x7ffba96d0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 283 start_va = 0x7ffbaac00000 end_va = 0x7ffbaac0bfff entry_point = 0x7ffbaac00000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 284 start_va = 0x7ffbaac40000 end_va = 0x7ffbaac49fff entry_point = 0x7ffbaac40000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 285 start_va = 0x7ffbaac70000 end_va = 0x7ffbaae18fff entry_point = 0x7ffbaac70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 286 start_va = 0x7ffbac410000 end_va = 0x7ffbac683fff entry_point = 0x7ffbac410000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 287 start_va = 0x7ffbad5f0000 end_va = 0x7ffbad5fdfff entry_point = 0x7ffbad5f0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 288 start_va = 0x7ffbad870000 end_va = 0x7ffbad8a1fff entry_point = 0x7ffbad870000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 289 start_va = 0x7ffbae6f0000 end_va = 0x7ffbae874fff entry_point = 0x7ffbae6f0000 region_type = mapped_file name = "windows.globalization.dll" filename = "\\Windows\\System32\\Windows.Globalization.dll" (normalized: "c:\\windows\\system32\\windows.globalization.dll") Region: id = 290 start_va = 0x7ffbae880000 end_va = 0x7ffbaeadffff entry_point = 0x7ffbae880000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 291 start_va = 0x7ffbb0a30000 end_va = 0x7ffbb0a36fff entry_point = 0x7ffbb0a30000 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 292 start_va = 0x7ffbb1b60000 end_va = 0x7ffbb1b88fff entry_point = 0x7ffbb1b60000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 293 start_va = 0x7ffbb1b90000 end_va = 0x7ffbb1bc5fff entry_point = 0x7ffbb1b90000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 294 start_va = 0x7ffbb1bd0000 end_va = 0x7ffbb2114fff entry_point = 0x7ffbb1bd0000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 295 start_va = 0x7ffbb2120000 end_va = 0x7ffbb238efff entry_point = 0x7ffbb2120000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 296 start_va = 0x7ffbb24c0000 end_va = 0x7ffbb2670fff entry_point = 0x7ffbb24c0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 297 start_va = 0x7ffbb2790000 end_va = 0x7ffbb27bffff entry_point = 0x7ffbb2790000 region_type = mapped_file name = "globinputhost.dll" filename = "\\Windows\\System32\\globinputhost.dll" (normalized: "c:\\windows\\system32\\globinputhost.dll") Region: id = 298 start_va = 0x7ffbb2cd0000 end_va = 0x7ffbb2d36fff entry_point = 0x7ffbb2cd0000 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 299 start_va = 0x7ffbb2dd0000 end_va = 0x7ffbb2e71fff entry_point = 0x7ffbb2dd0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 300 start_va = 0x7ffbb2e80000 end_va = 0x7ffbb3127fff entry_point = 0x7ffbb2e80000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 301 start_va = 0x7ffbb3130000 end_va = 0x7ffbb3151fff entry_point = 0x7ffbb3130000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 302 start_va = 0x7ffbb3240000 end_va = 0x7ffbb3322fff entry_point = 0x7ffbb3240000 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 303 start_va = 0x7ffbb3630000 end_va = 0x7ffbb37b5fff entry_point = 0x7ffbb3630000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 304 start_va = 0x7ffbb3820000 end_va = 0x7ffbb3832fff entry_point = 0x7ffbb3820000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 305 start_va = 0x7ffbb3840000 end_va = 0x7ffbb3864fff entry_point = 0x7ffbb3840000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 306 start_va = 0x7ffbb38a0000 end_va = 0x7ffbb38c4fff entry_point = 0x7ffbb38a0000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 307 start_va = 0x7ffbb3ae0000 end_va = 0x7ffbb3b75fff entry_point = 0x7ffbb3ae0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 308 start_va = 0x7ffbb3c80000 end_va = 0x7ffbb3d7ffff entry_point = 0x7ffbb3c80000 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 309 start_va = 0x7ffbb4300000 end_va = 0x7ffbb43f3fff entry_point = 0x7ffbb4300000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 310 start_va = 0x7ffbb4de0000 end_va = 0x7ffbb4e0cfff entry_point = 0x7ffbb4de0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 311 start_va = 0x7ffbb4f70000 end_va = 0x7ffbb4fc5fff entry_point = 0x7ffbb4f70000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 312 start_va = 0x7ffbb5090000 end_va = 0x7ffbb50b8fff entry_point = 0x7ffbb5090000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 313 start_va = 0x7ffbb5170000 end_va = 0x7ffbb5183fff entry_point = 0x7ffbb5170000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 314 start_va = 0x7ffbb5190000 end_va = 0x7ffbb51dafff entry_point = 0x7ffbb5190000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 315 start_va = 0x7ffbb51e0000 end_va = 0x7ffbb51eefff entry_point = 0x7ffbb51e0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 316 start_va = 0x7ffbb51f0000 end_va = 0x7ffbb5833fff entry_point = 0x7ffbb51f0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 317 start_va = 0x7ffbb5840000 end_va = 0x7ffbb5a27fff entry_point = 0x7ffbb5840000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 318 start_va = 0x7ffbb5c80000 end_va = 0x7ffbb5d34fff entry_point = 0x7ffbb5c80000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 319 start_va = 0x7ffbb5e80000 end_va = 0x7ffbb5ec2fff entry_point = 0x7ffbb5e80000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 320 start_va = 0x7ffbb5ed0000 end_va = 0x7ffbb5f39fff entry_point = 0x7ffbb5ed0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 321 start_va = 0x7ffbb5f50000 end_va = 0x7ffbb6010fff entry_point = 0x7ffbb5f50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 322 start_va = 0x7ffbb6020000 end_va = 0x7ffbb6162fff entry_point = 0x7ffbb6020000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 323 start_va = 0x7ffbb6170000 end_va = 0x7ffbb62c5fff entry_point = 0x7ffbb6170000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 324 start_va = 0x7ffbb62d0000 end_va = 0x7ffbb633efff entry_point = 0x7ffbb62d0000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 325 start_va = 0x7ffbb6340000 end_va = 0x7ffbb63dcfff entry_point = 0x7ffbb6340000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 326 start_va = 0x7ffbb63e0000 end_va = 0x7ffbb648cfff entry_point = 0x7ffbb63e0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 327 start_va = 0x7ffbb6490000 end_va = 0x7ffbb6536fff entry_point = 0x7ffbb6490000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 328 start_va = 0x7ffbb6550000 end_va = 0x7ffbb66d5fff entry_point = 0x7ffbb6550000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 329 start_va = 0x7ffbb66e0000 end_va = 0x7ffbb6839fff entry_point = 0x7ffbb66e0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 330 start_va = 0x7ffbb6840000 end_va = 0x7ffbb6891fff entry_point = 0x7ffbb6840000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 331 start_va = 0x7ffbb68a0000 end_va = 0x7ffbb69bbfff entry_point = 0x7ffbb68a0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 332 start_va = 0x7ffbb6f00000 end_va = 0x7ffbb717cfff entry_point = 0x7ffbb6f00000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 333 start_va = 0x7ffbb7180000 end_va = 0x7ffbb71dafff entry_point = 0x7ffbb7180000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 334 start_va = 0x7ffbb71e0000 end_va = 0x7ffbb724afff entry_point = 0x7ffbb71e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 335 start_va = 0x7ffbb7400000 end_va = 0x7ffbb743afff entry_point = 0x7ffbb7400000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 336 start_va = 0x7ffbb7510000 end_va = 0x7ffbb8a6efff entry_point = 0x7ffbb7510000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 337 start_va = 0x7ffbb8a70000 end_va = 0x7ffbb8b16fff entry_point = 0x7ffbb8a70000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 338 start_va = 0x7ffbb8b40000 end_va = 0x7ffbb8d00fff entry_point = 0x7ffbb8b40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 339 start_va = 0x7ffbaaa40000 end_va = 0x7ffbaabf7fff entry_point = 0x7ffbaaa40000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 340 start_va = 0x7ffbaeca0000 end_va = 0x7ffbaf021fff entry_point = 0x7ffbaeca0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 341 start_va = 0x20f8db80000 end_va = 0x20f8db80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8db80000" filename = "" Region: id = 342 start_va = 0x7ffba8e10000 end_va = 0x7ffba8e20fff entry_point = 0x7ffba8e10000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 343 start_va = 0x7ffbaa670000 end_va = 0x7ffbaa6eefff entry_point = 0x7ffbaa670000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 344 start_va = 0x7ffb95480000 end_va = 0x7ffb955dbfff entry_point = 0x7ffb95480000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 345 start_va = 0x7ffbb48c0000 end_va = 0x7ffbb48defff entry_point = 0x7ffbb48c0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 346 start_va = 0x20f8db90000 end_va = 0x20f8db90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8db90000" filename = "" Region: id = 347 start_va = 0x20f8dba0000 end_va = 0x20f8dba1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8dba0000" filename = "" Region: id = 348 start_va = 0x7ffba8800000 end_va = 0x7ffba8813fff entry_point = 0x7ffba8800000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 349 start_va = 0x7ffba8820000 end_va = 0x7ffba8915fff entry_point = 0x7ffba8820000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 350 start_va = 0x7ffbb4ae0000 end_va = 0x7ffbb4af6fff entry_point = 0x7ffbb4ae0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 351 start_va = 0x7ffbb4770000 end_va = 0x7ffbb47a3fff entry_point = 0x7ffbb4770000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 352 start_va = 0x7ffbb4c00000 end_va = 0x7ffbb4c0afff entry_point = 0x7ffbb4c00000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 353 start_va = 0x7ffbb4ff0000 end_va = 0x7ffbb5088fff entry_point = 0x7ffbb4ff0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 354 start_va = 0x20f93aa0000 end_va = 0x20f93b1ffff entry_point = 0x20f93aa0000 region_type = mapped_file name = "~wrf{8d1dfc6c-a821-4b7d-a20e-243e0260c94f}.tmp" filename = "\\Users\\Nd9E1FYi\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\~WRF{8D1DFC6C-A821-4B7D-A20E-243E0260C94F}.tmp" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\microsoft\\windows\\inetcache\\content.word\\~wrf{8d1dfc6c-a821-4b7d-a20e-243e0260c94f}.tmp") Region: id = 355 start_va = 0x20f9a9f0000 end_va = 0x20f9b9effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9a9f0000" filename = "" Region: id = 356 start_va = 0x7ffbadda0000 end_va = 0x7ffbaddb8fff entry_point = 0x7ffbadda0000 region_type = mapped_file name = "packager.dll" filename = "\\Windows\\System32\\packager.dll" (normalized: "c:\\windows\\system32\\packager.dll") Region: id = 453 start_va = 0x20f8dc80000 end_va = 0x20f8dc81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f8dc80000" filename = "" Region: id = 454 start_va = 0x20f8dc90000 end_va = 0x20f8dc90fff entry_point = 0x20f8dc90000 region_type = mapped_file name = "85fd57d3.wmf" filename = "\\Users\\Nd9E1FYi\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\85FD57D3.wmf" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\microsoft\\windows\\inetcache\\content.mso\\85fd57d3.wmf") Region: id = 455 start_va = 0x7ffbb0fa0000 end_va = 0x7ffbb0fddfff entry_point = 0x7ffbb0fa0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 550 start_va = 0x20f93b20000 end_va = 0x20f93b23fff entry_point = 0x20f93b20000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 551 start_va = 0x20f93b30000 end_va = 0x20f93b74fff entry_point = 0x20f93b30000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 552 start_va = 0x20f93b80000 end_va = 0x20f93b83fff entry_point = 0x20f93b80000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 553 start_va = 0x20f93b90000 end_va = 0x20f93b91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f93b90000" filename = "" Region: id = 554 start_va = 0x20f93ba0000 end_va = 0x20f93ba1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f93ba0000" filename = "" Region: id = 555 start_va = 0x20f94ea0000 end_va = 0x20f94f2dfff entry_point = 0x20f94ea0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 556 start_va = 0x20f94f30000 end_va = 0x20f9532afff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f94f30000" filename = "" Region: id = 557 start_va = 0x20f95f40000 end_va = 0x20f96026fff entry_point = 0x20f95f40000 region_type = mapped_file name = "calibri.ttf" filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf") Region: id = 558 start_va = 0x20f97b20000 end_va = 0x20f97bfcfff entry_point = 0x20f97b20000 region_type = mapped_file name = "calibrib.ttf" filename = "\\Windows\\Fonts\\calibrib.ttf" (normalized: "c:\\windows\\fonts\\calibrib.ttf") Region: id = 559 start_va = 0x20f9b9f0000 end_va = 0x20f9bee1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9b9f0000" filename = "" Region: id = 560 start_va = 0x7ffba8270000 end_va = 0x7ffba82b9fff entry_point = 0x7ffba8270000 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\System32\\DataExchange.dll" (normalized: "c:\\windows\\system32\\dataexchange.dll") Region: id = 561 start_va = 0x20f95330000 end_va = 0x20f9533ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95330000" filename = "" Region: id = 562 start_va = 0x20f95340000 end_va = 0x20f9534ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95340000" filename = "" Region: id = 563 start_va = 0x20f95350000 end_va = 0x20f9535ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95350000" filename = "" Region: id = 564 start_va = 0x20f95360000 end_va = 0x20f9536ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95360000" filename = "" Region: id = 565 start_va = 0x20f95370000 end_va = 0x20f9537ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95370000" filename = "" Region: id = 566 start_va = 0x20f95380000 end_va = 0x20f9538ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95380000" filename = "" Region: id = 567 start_va = 0x20f95390000 end_va = 0x20f9539ffff entry_point = 0x0 region_type = private name = "private_0x0000020f95390000" filename = "" Region: id = 568 start_va = 0x20f96030000 end_va = 0x20f9603ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96030000" filename = "" Region: id = 569 start_va = 0x20f97c00000 end_va = 0x20f97cfffff entry_point = 0x0 region_type = private name = "private_0x0000020f97c00000" filename = "" Region: id = 570 start_va = 0x20f9bef0000 end_va = 0x20f9c2acfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9bef0000" filename = "" Region: id = 571 start_va = 0x20f9c2b0000 end_va = 0x20f9c66cfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9c2b0000" filename = "" Region: id = 572 start_va = 0x7ffb956c0000 end_va = 0x7ffb956defff entry_point = 0x7ffb956c0000 region_type = mapped_file name = "hlink.dll" filename = "\\Windows\\System32\\hlink.dll" (normalized: "c:\\windows\\system32\\hlink.dll") Region: id = 573 start_va = 0x20f95370000 end_va = 0x20f95381fff entry_point = 0x20f95370000 region_type = mapped_file name = "normidna.nls" filename = "\\Windows\\System32\\normidna.nls" (normalized: "c:\\windows\\system32\\normidna.nls") Region: id = 574 start_va = 0x20f95390000 end_va = 0x20f95391fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f95390000" filename = "" Region: id = 575 start_va = 0x20f96040000 end_va = 0x20f96040fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f96040000" filename = "" Region: id = 576 start_va = 0x7ffbb1920000 end_va = 0x7ffbb192cfff entry_point = 0x7ffbb1920000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 577 start_va = 0x7ffbb74a0000 end_va = 0x7ffbb74a6fff entry_point = 0x7ffbb74a0000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 578 start_va = 0x7ffba6680000 end_va = 0x7ffba675afff entry_point = 0x7ffba6680000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 579 start_va = 0x7ffba6650000 end_va = 0x7ffba6675fff entry_point = 0x7ffba6650000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 580 start_va = 0x76a8700000 end_va = 0x76a87fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8700000" filename = "" Region: id = 581 start_va = 0x7ffbad200000 end_va = 0x7ffbad211fff entry_point = 0x7ffbad200000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 582 start_va = 0x20f96030000 end_va = 0x20f9603ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96030000" filename = "" Region: id = 583 start_va = 0x20f96050000 end_va = 0x20f9605ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96050000" filename = "" Region: id = 584 start_va = 0x20f9c670000 end_va = 0x20f9d63ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9c670000" filename = "" Region: id = 585 start_va = 0x7ff67b750000 end_va = 0x7ff67b75ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67b750000" filename = "" Region: id = 586 start_va = 0x7ffb94ce0000 end_va = 0x7ffb9512bfff entry_point = 0x7ffb94ce0000 region_type = mapped_file name = "d3dcompiler_47.dll" filename = "\\Windows\\System32\\D3DCompiler_47.dll" (normalized: "c:\\windows\\system32\\d3dcompiler_47.dll") Region: id = 587 start_va = 0x20f96060000 end_va = 0x20f9606ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96060000" filename = "" Region: id = 588 start_va = 0x20f96070000 end_va = 0x20f9607ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96070000" filename = "" Region: id = 589 start_va = 0x20f96620000 end_va = 0x20f9662ffff entry_point = 0x0 region_type = private name = "private_0x0000020f96620000" filename = "" Region: id = 590 start_va = 0x20f97d00000 end_va = 0x20f97dfffff entry_point = 0x0 region_type = private name = "private_0x0000020f97d00000" filename = "" Region: id = 591 start_va = 0x20f99cf0000 end_va = 0x20f99cfffff entry_point = 0x0 region_type = private name = "private_0x0000020f99cf0000" filename = "" Region: id = 592 start_va = 0x20f99d00000 end_va = 0x20f99d0ffff entry_point = 0x0 region_type = private name = "private_0x0000020f99d00000" filename = "" Region: id = 593 start_va = 0x20f9d640000 end_va = 0x20f9d73ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d640000" filename = "" Region: id = 594 start_va = 0x20f9d740000 end_va = 0x20f9d74ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d740000" filename = "" Region: id = 595 start_va = 0x20f9d750000 end_va = 0x20f9d75ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d750000" filename = "" Region: id = 596 start_va = 0x20f9d760000 end_va = 0x20f9d76ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d760000" filename = "" Region: id = 597 start_va = 0x20f9d770000 end_va = 0x20f9d77ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d770000" filename = "" Region: id = 598 start_va = 0x20f9d780000 end_va = 0x20f9d78ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d780000" filename = "" Region: id = 599 start_va = 0x20f9d790000 end_va = 0x20f9d79ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d790000" filename = "" Region: id = 600 start_va = 0x20f9d7a0000 end_va = 0x20f9d7affff entry_point = 0x0 region_type = private name = "private_0x0000020f9d7a0000" filename = "" Region: id = 601 start_va = 0x20f9d7b0000 end_va = 0x20f9d7bffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d7b0000" filename = "" Region: id = 602 start_va = 0x20f9d7c0000 end_va = 0x20f9d7cffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d7c0000" filename = "" Region: id = 603 start_va = 0x20f9d7d0000 end_va = 0x20f9d7dffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d7d0000" filename = "" Region: id = 604 start_va = 0x7ff67b740000 end_va = 0x7ff67b74ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67b740000" filename = "" Region: id = 605 start_va = 0x20f9d7e0000 end_va = 0x20f9d7ecfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9d7e0000" filename = "" Region: id = 606 start_va = 0x20f9d7f0000 end_va = 0x20f9d7fcfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9d7f0000" filename = "" Region: id = 607 start_va = 0x7ffba7d80000 end_va = 0x7ffba7dcffff entry_point = 0x7ffba7d80000 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 608 start_va = 0x20f9d800000 end_va = 0x20f9d809fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9d800000" filename = "" Region: id = 609 start_va = 0x20f9d810000 end_va = 0x20f9d819fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9d810000" filename = "" Region: id = 610 start_va = 0x20f9d820000 end_va = 0x20f9d91ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d820000" filename = "" Region: id = 611 start_va = 0x20f9d920000 end_va = 0x20f9d926fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d920000" filename = "" Region: id = 612 start_va = 0x20f9d930000 end_va = 0x20f9d931fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d930000" filename = "" Region: id = 613 start_va = 0x20f9d950000 end_va = 0x20f9d951fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d950000" filename = "" Region: id = 614 start_va = 0x20f9d960000 end_va = 0x20f9d960fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d960000" filename = "" Region: id = 615 start_va = 0x20f9da50000 end_va = 0x20f9da51fff entry_point = 0x0 region_type = private name = "private_0x0000020f9da50000" filename = "" Region: id = 616 start_va = 0x20f9da70000 end_va = 0x20f9da71fff entry_point = 0x0 region_type = private name = "private_0x0000020f9da70000" filename = "" Region: id = 617 start_va = 0x20f9da90000 end_va = 0x20f9da91fff entry_point = 0x0 region_type = private name = "private_0x0000020f9da90000" filename = "" Region: id = 618 start_va = 0x20f9dab0000 end_va = 0x20f9dab1fff entry_point = 0x0 region_type = private name = "private_0x0000020f9dab0000" filename = "" Region: id = 619 start_va = 0x20f9dbd0000 end_va = 0x20f9dbd1fff entry_point = 0x0 region_type = private name = "private_0x0000020f9dbd0000" filename = "" Region: id = 620 start_va = 0x20f9dbf0000 end_va = 0x20f9dbf1fff entry_point = 0x0 region_type = private name = "private_0x0000020f9dbf0000" filename = "" Region: id = 621 start_va = 0x20f9dc10000 end_va = 0x20f9dc11fff entry_point = 0x0 region_type = private name = "private_0x0000020f9dc10000" filename = "" Region: id = 622 start_va = 0x20f9dc20000 end_va = 0x20f9dcf3fff entry_point = 0x20f9dc20000 region_type = mapped_file name = "arialbd.ttf" filename = "\\Windows\\Fonts\\arialbd.ttf" (normalized: "c:\\windows\\fonts\\arialbd.ttf") Region: id = 623 start_va = 0x7ffb94a60000 end_va = 0x7ffb94ab3fff entry_point = 0x7ffb94a60000 region_type = mapped_file name = "msproof7.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\msproof7.dll" (normalized: "c:\\program files\\microsoft office\\office16\\msproof7.dll") Region: id = 624 start_va = 0x7ffb949d0000 end_va = 0x7ffb94a5cfff entry_point = 0x7ffb949d0000 region_type = mapped_file name = "msgr8en.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\PROOF\\1033\\MSGR8EN.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\proof\\1033\\msgr8en.dll") Region: id = 625 start_va = 0x7ff67b730000 end_va = 0x7ff67b73ffff entry_point = 0x0 region_type = private name = "private_0x00007ff67b730000" filename = "" Region: id = 626 start_va = 0x20f9d940000 end_va = 0x20f9d94ffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d940000" filename = "" Region: id = 627 start_va = 0x20f9d980000 end_va = 0x20f9d981fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d980000" filename = "" Region: id = 628 start_va = 0x20f9d990000 end_va = 0x20f9d990fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d990000" filename = "" Region: id = 629 start_va = 0x20f9d9b0000 end_va = 0x20f9d9b0fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d9b0000" filename = "" Region: id = 630 start_va = 0x20f9d9d0000 end_va = 0x20f9d9d0fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d9d0000" filename = "" Region: id = 631 start_va = 0x20f9d9f0000 end_va = 0x20f9d9f0fff entry_point = 0x0 region_type = private name = "private_0x0000020f9d9f0000" filename = "" Region: id = 632 start_va = 0x20f9da10000 end_va = 0x20f9da10fff entry_point = 0x0 region_type = private name = "private_0x0000020f9da10000" filename = "" Region: id = 633 start_va = 0x7ffb9e770000 end_va = 0x7ffb9e83cfff entry_point = 0x7ffb9e770000 region_type = mapped_file name = "msspell7.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\PROOF\\msspell7.dll" (normalized: "c:\\program files\\microsoft office\\office16\\proof\\msspell7.dll") Region: id = 634 start_va = 0x20f9dd00000 end_va = 0x20f9de87fff entry_point = 0x20f9dd00000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office16\\proof\\mssp7en.lex") Region: id = 635 start_va = 0x7ffb9e6d0000 end_va = 0x7ffb9e765fff entry_point = 0x7ffb9e6d0000 region_type = mapped_file name = "mscss7en.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\mscss7en.dll" (normalized: "c:\\program files\\microsoft office\\office16\\mscss7en.dll") Region: id = 636 start_va = 0x7ffb9e630000 end_va = 0x7ffb9e6c9fff entry_point = 0x7ffb9e630000 region_type = mapped_file name = "css7data0009.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\CSS7DATA0009.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\css7data0009.dll") Region: id = 637 start_va = 0x20f9d970000 end_va = 0x20f9d972fff entry_point = 0x20f9d970000 region_type = mapped_file name = "mscss7cm_en.dub" filename = "\\Program Files\\Microsoft Office\\Office16\\mscss7cm_en.dub" (normalized: "c:\\program files\\microsoft office\\office16\\mscss7cm_en.dub") Region: id = 638 start_va = 0x20f9d9a0000 end_va = 0x20f9d9a0fff entry_point = 0x20f9d9a0000 region_type = mapped_file name = "msgr8en.dub" filename = "\\Program Files\\Microsoft Office\\Office16\\PROOF\\msgr8en.dub" (normalized: "c:\\program files\\microsoft office\\office16\\proof\\msgr8en.dub") Region: id = 639 start_va = 0x20f9d9c0000 end_va = 0x20f9d9cffff entry_point = 0x0 region_type = private name = "private_0x0000020f9d9c0000" filename = "" Region: id = 640 start_va = 0x20f9d9e0000 end_va = 0x20f9d9effff entry_point = 0x0 region_type = private name = "private_0x0000020f9d9e0000" filename = "" Region: id = 641 start_va = 0x20f9da20000 end_va = 0x20f9da3afff entry_point = 0x20f9da20000 region_type = mapped_file name = "mscss7wre_en.dub" filename = "\\Program Files\\Microsoft Office\\Office16\\mscss7wre_en.dub" (normalized: "c:\\program files\\microsoft office\\office16\\mscss7wre_en.dub") Region: id = 642 start_va = 0x20f9da40000 end_va = 0x20f9da4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9da40000" filename = "" Region: id = 643 start_va = 0x20f9da60000 end_va = 0x20f9da62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9da60000" filename = "" Region: id = 644 start_va = 0x20f9da80000 end_va = 0x20f9da81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9da80000" filename = "" Region: id = 645 start_va = 0x20f9daa0000 end_va = 0x20f9daa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9daa0000" filename = "" Region: id = 646 start_va = 0x20f9dac0000 end_va = 0x20f9dac2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9dac0000" filename = "" Region: id = 647 start_va = 0x20f9de90000 end_va = 0x20f9e017fff entry_point = 0x20f9de90000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office16\\proof\\mssp7en.lex") Region: id = 648 start_va = 0x20f9e020000 end_va = 0x20f9e57bfff entry_point = 0x20f9e020000 region_type = mapped_file name = "nl7models0009.dll" filename = "\\Program Files\\Microsoft Office\\Office16\\NL7MODELS0009.dll" (normalized: "c:\\program files\\microsoft office\\office16\\nl7models0009.dll") Region: id = 649 start_va = 0x20f9e580000 end_va = 0x20f9ed81fff entry_point = 0x20f9e580000 region_type = mapped_file name = "msgr8en.lex" filename = "\\Program Files\\Microsoft Office\\Office16\\PROOF\\MSGR8EN.LEX" (normalized: "c:\\program files\\microsoft office\\office16\\proof\\msgr8en.lex") Region: id = 650 start_va = 0x7ffbb11a0000 end_va = 0x7ffbb1267fff entry_point = 0x7ffbb11a0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 651 start_va = 0x76a8800000 end_va = 0x76a88fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8800000" filename = "" Region: id = 652 start_va = 0x7ffbae570000 end_va = 0x7ffbae5a7fff entry_point = 0x7ffbae570000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 653 start_va = 0x7ffbb5f40000 end_va = 0x7ffbb5f47fff entry_point = 0x7ffbb5f40000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 654 start_va = 0x7ffbade90000 end_va = 0x7ffbadea5fff entry_point = 0x7ffbade90000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 655 start_va = 0x7ffbade70000 end_va = 0x7ffbade89fff entry_point = 0x7ffbade70000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 656 start_va = 0x7ffbad5d0000 end_va = 0x7ffbad5e4fff entry_point = 0x7ffbad5d0000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 657 start_va = 0x7ffbaa7b0000 end_va = 0x7ffbaaa3dfff entry_point = 0x7ffbaa7b0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 658 start_va = 0x20f9da00000 end_va = 0x20f9da00fff entry_point = 0x20f9da00000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\Nd9E1FYi\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 659 start_va = 0x7ffbb4a30000 end_va = 0x7ffbb4a8bfff entry_point = 0x7ffbb4a30000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 660 start_va = 0x7ffbadcc0000 end_va = 0x7ffbadccafff entry_point = 0x7ffbadcc0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 661 start_va = 0x7ffbb3bd0000 end_va = 0x7ffbb3c79fff entry_point = 0x7ffbb3bd0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 662 start_va = 0x7ffba8f70000 end_va = 0x7ffba8feffff entry_point = 0x7ffba8f70000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 663 start_va = 0x7ffbad540000 end_va = 0x7ffbad549fff entry_point = 0x7ffbad540000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 664 start_va = 0x7ffbadb60000 end_va = 0x7ffbadbc6fff entry_point = 0x7ffbadb60000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 665 start_va = 0x7ffbb46b0000 end_va = 0x7ffbb4729fff entry_point = 0x7ffbb46b0000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 666 start_va = 0x7ffbb5160000 end_va = 0x7ffbb516ffff entry_point = 0x7ffbb5160000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 667 start_va = 0x7ffbb5a50000 end_va = 0x7ffbb5c16fff entry_point = 0x7ffbb5a50000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 668 start_va = 0x20f9dad0000 end_va = 0x20f9dad1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000020f9dad0000" filename = "" Region: id = 669 start_va = 0x20f9dae0000 end_va = 0x20f9dae2fff entry_point = 0x0 region_type = private name = "private_0x0000020f9dae0000" filename = "" Region: id = 670 start_va = 0x7ffba8bf0000 end_va = 0x7ffba8c03fff entry_point = 0x7ffba8bf0000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 671 start_va = 0x7ffbb4c90000 end_va = 0x7ffbb4cc9fff entry_point = 0x7ffbb4c90000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 672 start_va = 0x7ffbb4cd0000 end_va = 0x7ffbb4cf6fff entry_point = 0x7ffbb4cd0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 673 start_va = 0x76a8900000 end_va = 0x76a89fffff entry_point = 0x0 region_type = private name = "private_0x00000076a8900000" filename = "" Region: id = 674 start_va = 0x7ffba8ca0000 end_va = 0x7ffba8cbdfff entry_point = 0x7ffba8ca0000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 675 start_va = 0x7ffba5ce0000 end_va = 0x7ffba5e41fff entry_point = 0x7ffba5ce0000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 676 start_va = 0x7ffbb47b0000 end_va = 0x7ffbb47b9fff entry_point = 0x7ffbb47b0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 677 start_va = 0x7ffbb4570000 end_va = 0x7ffbb457bfff entry_point = 0x7ffbb4570000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Thread: id = 1 os_tid = 0x9d8 Thread: id = 2 os_tid = 0x878 Thread: id = 3 os_tid = 0xad8 Thread: id = 4 os_tid = 0xa84 Thread: id = 5 os_tid = 0x788 Thread: id = 6 os_tid = 0x2cc Thread: id = 7 os_tid = 0x310 Thread: id = 8 os_tid = 0x558 Thread: id = 9 os_tid = 0xea0 Thread: id = 10 os_tid = 0xc2c Thread: id = 11 os_tid = 0xc28 Thread: id = 12 os_tid = 0xc30 Thread: id = 13 os_tid = 0xc38 Thread: id = 14 os_tid = 0xc74 Thread: id = 15 os_tid = 0xce8 Thread: id = 28 os_tid = 0xd9c Thread: id = 29 os_tid = 0xe38 Thread: id = 30 os_tid = 0xaac Process: id = "2" image_name = "eqnedt32.exe" filename = "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe" page_root = "0x3cdfe000" os_pid = "0xd4c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xcdc" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "X2VS1CUM\\Nd9E1FYi" os_groups = "X2VS1CUM\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f77c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 357 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 358 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 359 start_va = 0x40000 end_va = 0x54fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 360 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 361 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 362 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 363 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 364 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 365 start_va = 0x200000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 366 start_va = 0x400000 end_va = 0x48dfff entry_point = 0x400000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 367 start_va = 0x77270000 end_va = 0x773eafff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 368 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 369 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 370 start_va = 0x7fff0000 end_va = 0x7ffbb8b3ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 371 start_va = 0x7ffbb8b40000 end_va = 0x7ffbb8d00fff entry_point = 0x7ffbb8b40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 372 start_va = 0x7ffbb8d01000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffbb8d01000" filename = "" Region: id = 373 start_va = 0x650000 end_va = 0x65ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 374 start_va = 0x51da0000 end_va = 0x51deffff entry_point = 0x51da0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 375 start_va = 0x51df0000 end_va = 0x51e69fff entry_point = 0x51df0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 376 start_va = 0x51e70000 end_va = 0x51e77fff entry_point = 0x51e70000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 377 start_va = 0x510000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 378 start_va = 0x74d10000 end_va = 0x74deffff entry_point = 0x74d10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 379 start_va = 0x76f20000 end_va = 0x7709dfff entry_point = 0x76f20000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 380 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 381 start_va = 0x660000 end_va = 0x71dfff entry_point = 0x660000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 382 start_va = 0x73ef0000 end_va = 0x73f81fff entry_point = 0x73ef0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 383 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 384 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 385 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 386 start_va = 0x720000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 387 start_va = 0x6f890000 end_va = 0x6f921fff entry_point = 0x6f890000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 388 start_va = 0x73f90000 end_va = 0x73f99fff entry_point = 0x73f90000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 389 start_va = 0x73fa0000 end_va = 0x73fbdfff entry_point = 0x73fa0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 390 start_va = 0x73fe0000 end_va = 0x73febfff entry_point = 0x73fe0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 391 start_va = 0x74230000 end_va = 0x74376fff entry_point = 0x74230000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 392 start_va = 0x74380000 end_va = 0x743d7fff entry_point = 0x74380000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 393 start_va = 0x74410000 end_va = 0x744bcfff entry_point = 0x74410000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 394 start_va = 0x744c0000 end_va = 0x7460efff entry_point = 0x744c0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 395 start_va = 0x74610000 end_va = 0x74653fff entry_point = 0x74610000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 396 start_va = 0x747e0000 end_va = 0x7489dfff entry_point = 0x747e0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 397 start_va = 0x748a0000 end_va = 0x748e3fff entry_point = 0x748a0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 398 start_va = 0x74b80000 end_va = 0x74c6afff entry_point = 0x74b80000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 399 start_va = 0x74c80000 end_va = 0x74c8efff entry_point = 0x74c80000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 400 start_va = 0x74c90000 end_va = 0x74d0afff entry_point = 0x74c90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 401 start_va = 0x74df0000 end_va = 0x752e8fff entry_point = 0x74df0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 402 start_va = 0x75360000 end_va = 0x7551cfff entry_point = 0x75360000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 403 start_va = 0x755f0000 end_va = 0x75626fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 404 start_va = 0x75630000 end_va = 0x75674fff entry_point = 0x75630000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 405 start_va = 0x75a90000 end_va = 0x75b1cfff entry_point = 0x75a90000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 406 start_va = 0x75b20000 end_va = 0x76f1efff entry_point = 0x75b20000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 407 start_va = 0x820000 end_va = 0x9a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 408 start_va = 0x743e0000 end_va = 0x7440afff entry_point = 0x743e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 409 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 410 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 411 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 412 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 413 start_va = 0x9b0000 end_va = 0xb30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 414 start_va = 0xb40000 end_va = 0x1f3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 415 start_va = 0x20a0000 end_va = 0x20affff entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 416 start_va = 0x2240000 end_va = 0x224ffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 417 start_va = 0x2250000 end_va = 0x264ffff entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 418 start_va = 0x6f500000 end_va = 0x6f888fff entry_point = 0x6f500000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 419 start_va = 0x73c40000 end_va = 0x73c5afff entry_point = 0x73c40000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 420 start_va = 0x6f2f0000 end_va = 0x6f4fefff entry_point = 0x6f2f0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 421 start_va = 0x4d0000 end_va = 0x4d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 422 start_va = 0x3de20000 end_va = 0x3de2dfff entry_point = 0x3de20000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 423 start_va = 0x70420000 end_va = 0x70494fff entry_point = 0x70420000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 424 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 425 start_va = 0x2800000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 426 start_va = 0x741a0000 end_va = 0x74223fff entry_point = 0x741a0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 427 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 428 start_va = 0x1f40000 end_va = 0x203ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 429 start_va = 0x2040000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 430 start_va = 0x20b0000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 431 start_va = 0x21b0000 end_va = 0x21effff entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 432 start_va = 0x2650000 end_va = 0x274ffff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 433 start_va = 0x748f0000 end_va = 0x74a0efff entry_point = 0x748f0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 434 start_va = 0x4e0000 end_va = 0x4e4fff entry_point = 0x4e0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 435 start_va = 0x500000 end_va = 0x501fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 436 start_va = 0x2080000 end_va = 0x2080fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 437 start_va = 0x2090000 end_va = 0x209ffff entry_point = 0x2090000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 438 start_va = 0x21f0000 end_va = 0x222ffff entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 439 start_va = 0x2230000 end_va = 0x2233fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002230000" filename = "" Region: id = 440 start_va = 0x2750000 end_va = 0x27cffff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 441 start_va = 0x2810000 end_va = 0x290ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 442 start_va = 0x2910000 end_va = 0x29cbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002910000" filename = "" Region: id = 443 start_va = 0x6f930000 end_va = 0x6f94cfff entry_point = 0x6f930000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 444 start_va = 0x27d0000 end_va = 0x27d3fff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 445 start_va = 0x27e0000 end_va = 0x27e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027e0000" filename = "" Region: id = 446 start_va = 0x27f0000 end_va = 0x27f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027f0000" filename = "" Region: id = 447 start_va = 0x29d0000 end_va = 0x2d06fff entry_point = 0x29d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 448 start_va = 0x2d10000 end_va = 0x2d10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d10000" filename = "" Region: id = 449 start_va = 0x2d20000 end_va = 0x3211fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d20000" filename = "" Region: id = 450 start_va = 0x3220000 end_va = 0x425ffff entry_point = 0x3220000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 451 start_va = 0x4260000 end_va = 0x42ebfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004260000" filename = "" Region: id = 452 start_va = 0x75520000 end_va = 0x75579fff entry_point = 0x75520000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\SysWOW64\\coml2.dll" (normalized: "c:\\windows\\syswow64\\coml2.dll") Thread: id = 16 os_tid = 0xd68 [0032.173] GetProcAddress (hModule=0x74d10000, lpProcName="GetTempPathA") returned 0x74d36b20 [0032.173] GetTempPathA (in: nBufferLength=0x100, lpBuffer=0x19ec0c | out: lpBuffer="C:\\Users\\Nd9E1FYi\\AppData\\Local\\Temp\\") returned 0x25 [0032.173] GetProcAddress (hModule=0x74d10000, lpProcName="GetEnvironmentVariableA") returned 0x74d2a8a0 [0032.173] GetEnvironmentVariableA (in: lpName="APPDATA", lpBuffer=0x19eb90, nSize=0x100 | out: lpBuffer="C:\\Users\\Nd9E1FYi\\AppData\\Roaming") returned 0x21 [0032.174] GetProcAddress (hModule=0x74d10000, lpProcName="CreateDirectoryA") returned 0x74d36850 [0032.174] CreateDirectoryA (lpPathName="C:\\Users\\Nd9E1FYi\\AppData\\Roaming\\Microsoft\\Excel" (normalized: "c:\\users\\nd9e1fyi\\appdata\\roaming\\microsoft\\excel"), lpSecurityAttributes=0x0) returned 0 [0032.184] CreateDirectoryA (lpPathName="C:\\Users\\Nd9E1FYi\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" (normalized: "c:\\users\\nd9e1fyi\\appdata\\roaming\\microsoft\\excel\\xlstart"), lpSecurityAttributes=0x0) returned 0 [0032.189] GetProcAddress (hModule=0x74d10000, lpProcName="MoveFileA") returned 0x74d33c90 [0032.189] MoveFileA (lpExistingFileName="C:\\Users\\Nd9E1FYi\\AppData\\Local\\Temp\\~ZqSpEj.tmp" (normalized: "c:\\users\\nd9e1fyi\\appdata\\local\\temp\\~zqspej.tmp"), lpNewFileName="C:\\Users\\Nd9E1FYi\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\AddIn.XLAM" (normalized: "c:\\users\\nd9e1fyi\\appdata\\roaming\\microsoft\\excel\\xlstart\\addin.xlam")) returned 1 [0032.190] GetProcAddress (hModule=0x74d10000, lpProcName="ExitProcess") returned 0x74d37b30 [0032.190] ExitProcess (uExitCode=0x0) Thread: id = 17 os_tid = 0xd0c Thread: id = 18 os_tid = 0xd44 Thread: id = 19 os_tid = 0xd40 Thread: id = 20 os_tid = 0xd28 Thread: id = 21 os_tid = 0xd38 Process: id = "3" image_name = "eqnedt32.exe" filename = "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe" page_root = "0x3e2d5000" os_pid = "0xd3c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xcdc" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "X2VS1CUM\\Nd9E1FYi" os_groups = "X2VS1CUM\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f77c" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 456 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 457 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 458 start_va = 0x40000 end_va = 0x54fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 459 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 460 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 461 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 462 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 463 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 464 start_va = 0x200000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 465 start_va = 0x400000 end_va = 0x48dfff entry_point = 0x400000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 466 start_va = 0x77270000 end_va = 0x773eafff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 467 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 468 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 469 start_va = 0x7fff0000 end_va = 0x7ffbb8b3ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 470 start_va = 0x7ffbb8b40000 end_va = 0x7ffbb8d00fff entry_point = 0x7ffbb8b40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 471 start_va = 0x7ffbb8d01000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffbb8d01000" filename = "" Region: id = 472 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 473 start_va = 0x750000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 474 start_va = 0x51da0000 end_va = 0x51deffff entry_point = 0x51da0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 475 start_va = 0x51df0000 end_va = 0x51e69fff entry_point = 0x51df0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 476 start_va = 0x51e70000 end_va = 0x51e77fff entry_point = 0x51e70000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 477 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 478 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 479 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 480 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 481 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 482 start_va = 0x490000 end_va = 0x54dfff entry_point = 0x490000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 483 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 484 start_va = 0x5a0000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 485 start_va = 0x710000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 486 start_va = 0x730000 end_va = 0x73ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 487 start_va = 0x850000 end_va = 0x9d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 488 start_va = 0x9e0000 end_va = 0xb60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 489 start_va = 0xb70000 end_va = 0x1f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 490 start_va = 0x2130000 end_va = 0x213ffff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 491 start_va = 0x2140000 end_va = 0x253ffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 492 start_va = 0x6f500000 end_va = 0x6f888fff entry_point = 0x6f500000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll") Region: id = 493 start_va = 0x6f890000 end_va = 0x6f921fff entry_point = 0x6f890000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 494 start_va = 0x73c40000 end_va = 0x73c5afff entry_point = 0x73c40000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 495 start_va = 0x73f90000 end_va = 0x73f99fff entry_point = 0x73f90000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 496 start_va = 0x73fa0000 end_va = 0x73fbdfff entry_point = 0x73fa0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 497 start_va = 0x73fe0000 end_va = 0x73febfff entry_point = 0x73fe0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 498 start_va = 0x74230000 end_va = 0x74376fff entry_point = 0x74230000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 499 start_va = 0x74380000 end_va = 0x743d7fff entry_point = 0x74380000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 500 start_va = 0x743e0000 end_va = 0x7440afff entry_point = 0x743e0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 501 start_va = 0x74410000 end_va = 0x744bcfff entry_point = 0x74410000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 502 start_va = 0x744c0000 end_va = 0x7460efff entry_point = 0x744c0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 503 start_va = 0x74610000 end_va = 0x74653fff entry_point = 0x74610000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 504 start_va = 0x747e0000 end_va = 0x7489dfff entry_point = 0x747e0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 505 start_va = 0x748a0000 end_va = 0x748e3fff entry_point = 0x748a0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 506 start_va = 0x74b80000 end_va = 0x74c6afff entry_point = 0x74b80000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 507 start_va = 0x74c80000 end_va = 0x74c8efff entry_point = 0x74c80000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 508 start_va = 0x74c90000 end_va = 0x74d0afff entry_point = 0x74c90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 509 start_va = 0x74d10000 end_va = 0x74deffff entry_point = 0x74d10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 510 start_va = 0x74df0000 end_va = 0x752e8fff entry_point = 0x74df0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 511 start_va = 0x75360000 end_va = 0x7551cfff entry_point = 0x75360000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 512 start_va = 0x755f0000 end_va = 0x75626fff entry_point = 0x755f0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 513 start_va = 0x75630000 end_va = 0x75674fff entry_point = 0x75630000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 514 start_va = 0x75a90000 end_va = 0x75b1cfff entry_point = 0x75a90000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 515 start_va = 0x75b20000 end_va = 0x76f1efff entry_point = 0x75b20000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 516 start_va = 0x76f20000 end_va = 0x7709dfff entry_point = 0x76f20000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 517 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 518 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 519 start_va = 0x6a0000 end_va = 0x6a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 520 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 521 start_va = 0x6f0000 end_va = 0x6f4fff entry_point = 0x6f0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 522 start_va = 0x700000 end_va = 0x701fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 523 start_va = 0x720000 end_va = 0x720fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 524 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x740000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 525 start_va = 0x1f70000 end_va = 0x206ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 526 start_va = 0x2070000 end_va = 0x20affff entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 527 start_va = 0x20b0000 end_va = 0x20effff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 528 start_va = 0x20f0000 end_va = 0x20fffff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 529 start_va = 0x2100000 end_va = 0x2103fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002100000" filename = "" Region: id = 530 start_va = 0x2110000 end_va = 0x2113fff entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 531 start_va = 0x2120000 end_va = 0x2120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002120000" filename = "" Region: id = 532 start_va = 0x2540000 end_va = 0x263ffff entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 533 start_va = 0x2640000 end_va = 0x273ffff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 534 start_va = 0x2740000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 535 start_va = 0x2780000 end_va = 0x287ffff entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 536 start_va = 0x2880000 end_va = 0x28fffff entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 537 start_va = 0x2900000 end_va = 0x29bbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 538 start_va = 0x29c0000 end_va = 0x2cf6fff entry_point = 0x29c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 539 start_va = 0x2d00000 end_va = 0x2d00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d00000" filename = "" Region: id = 540 start_va = 0x3210000 end_va = 0x424ffff entry_point = 0x3210000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 541 start_va = 0x4250000 end_va = 0x42dbfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004250000" filename = "" Region: id = 542 start_va = 0x3de20000 end_va = 0x3de2dfff entry_point = 0x3de20000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 543 start_va = 0x6f2f0000 end_va = 0x6f4fefff entry_point = 0x6f2f0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 544 start_va = 0x6f930000 end_va = 0x6f94cfff entry_point = 0x6f930000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 545 start_va = 0x70420000 end_va = 0x70494fff entry_point = 0x70420000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 546 start_va = 0x741a0000 end_va = 0x74223fff entry_point = 0x741a0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 547 start_va = 0x748f0000 end_va = 0x74a0efff entry_point = 0x748f0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 548 start_va = 0x74a30000 end_va = 0x74ac1fff entry_point = 0x74a30000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 549 start_va = 0x75520000 end_va = 0x75579fff entry_point = 0x75520000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\SysWOW64\\coml2.dll" (normalized: "c:\\windows\\syswow64\\coml2.dll") Thread: id = 22 os_tid = 0xd34 Thread: id = 23 os_tid = 0xd58 Thread: id = 24 os_tid = 0xd30 Thread: id = 25 os_tid = 0x318 Thread: id = 26 os_tid = 0xda0 Thread: id = 27 os_tid = 0xda4