VMRay Analyzer Report
Sample Information
ID: #12091
MD5: a86ac0ad1f8928e8d4e1b728448f54f9
SHA1: 207a8b797fed46abbb72fe2555687887f36094bf
File name: a86ac0ad1f8928e8d4e1b728448f54f9.exe
File size: 1713664 bytes
File type: PE32 (gui)
Analysis Information
Creation Time: 2014-09-18 14:39 (UTC+2)
Execution successful: True
Prescript: -
Commandline parameters: -
Number of processes: 33
Termination reason: Timeout
Analyzer and Guest Information
Analyzer Version: 1.1.0
Analyzer Build Date: 2014-09-18 12:58
Guest Architecture: x86 64-bit
Guest OS: Windows NT based
Kernel Version: 6.1.7601.18409 (bf9e1903-5978-4c2d-8796-cf5537b238b4)
Analysis Hints
Information: Data may be missing due to evasive loop detection
Information: Kernel code was executed
Analysis Files
Archive, Binary Log, Function Log, Generic Log, PCAP
Screenshots: 4 (images not reproduced in this text export)
Processes
ID | PID | Monitor Reason | CMD Line | Origin PID
#1 | 0xb6c | analysis_target | "C:\Users\user\Desktop\a86ac0ad1f8928e8d4e1b728448f54f9.exe" | -
#2 | 0xb90 | child_process | "C:\Windows\$NtUninstallQ923283$\pxinsi64.exe" | 0xb6c
#3 | 0x4 | kernel_analysis | - | -
#4 | 0xf8 | child_process | \SystemRoot\System32\smss.exe | 0x4
#5 | 0x148 | child_process | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | 0xf8
#6 | 0x16c | child_process | wininit.exe | 0xf8
#7 | 0x178 | child_process | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | 0xf8
#8 | 0x1a0 | child_process | winlogon.exe | 0xf8
#9 | 0x1c4 | child_process | C:\Windows\system32\services.exe | 0x16c
#10 | 0x1cc | child_process | C:\Windows\system32\lsass.exe | 0x16c
#11 | 0x1d4 | child_process | C:\Windows\system32\lsm.exe | 0x16c
#12 | 0x244 | child_process | C:\Windows\system32\svchost.exe -k DcomLaunch | 0x1c4
#13 | 0x288 | child_process | C:\Windows\system32\svchost.exe -k RPCSS | 0x1c4
#14 | 0x2b8 | child_process | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | 0x1c4
#15 | 0x314 | child_process | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | 0x1c4
#16 | 0x36c | child_process | C:\Windows\system32\svchost.exe -k LocalService | 0x1c4
#17 | 0x394 | child_process | C:\Windows\system32\svchost.exe -k netsvcs | 0x1c4
#18 | 0x3dc | child_process | C:\Windows\system32\svchost.exe -k GPSvcGroup | 0x1c4
#19 | 0x1d0 | child_process | C:\Windows\system32\svchost.exe -k NetworkService | 0x1c4
#20 | 0x464 | child_process | C:\Windows\System32\spoolsv.exe | 0x1c4
#21 | 0x48c | child_process | "taskhost.exe" | 0x1c4
#22 | 0x494 | child_process | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | 0x1c4
#23 | 0x4d8 | child_process | taskeng.exe {156F8AD7-825D-4321-B1E4-BA03D81FD813} S-1-5-21-272637189-1204002015-1709914517-1000:user-PC\user:Interactive:Highest[1] | 0x394
#24 | 0x558 | child_process | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | 0x1c4
#25 | 0x698 | child_process | C:\Windows\system32\sppsvc.exe | 0x1c4
#26 | 0x6cc | child_process | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted | 0x1c4
#27 | 0x734 | child_process | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | 0x244
#28 | 0x688 | child_process | C:\Windows\system32\SearchIndexer.exe /Embedding | 0x1c4
#29 | 0x1b8 | child_process | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-272637189-1204002015-1709914517-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-272637189-1204002015-1709914517-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1" | 0x688
#30 | 0x5b0 | child_process | "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516 | 0x688
#31 | 0x790 | child_process | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | 0x688
#32 | 0x824 | child_process | "C:\Windows\system32\Dwm.exe" | 0x314
#33 | 0x830 | child_process | C:\Windows\Explorer.EXE | 0x1a0
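The rows above can be turned back into a process tree. What follows is an added example, not VMRay's code: it parses a subset of the table's rows exactly as the text export prints them (ID, PID, monitor reason, command line and origin PID run together), rebuilds parent/child links from the Origin PID column, and pulls out the one finding that matters in this table, namely that the only process spawned by the analysis target runs from a C:\Windows\$NtUninstall...$ directory. The row grammar, the function names and the suspicious-path pattern are assumptions of this example.

```python
"""Rebuild the process tree from VMRay's flattened "Processes" table.

Added example, not VMRay's code. ROWS holds a subset of the report's rows,
copied verbatim from the export, in which all five columns are concatenated.
"""
import re
from dataclasses import dataclass, field

# Constructed input: eleven of the report's 33 rows, as the export flattens them.
ROWS = r'''
#10xb6canalysis_target"C:\Users\user\Desktop\a86ac0ad1f8928e8d4e1b728448f54f9.exe" -
#20xb90child_process"C:\Windows\$NtUninstallQ923283$\pxinsi64.exe"0xb6c
#30x4kernel_analysis--
#40xf8child_process\SystemRoot\System32\smss.exe0x4
#60x16cchild_processwininit.exe0xf8
#80x1a0child_processwinlogon.exe0xf8
#90x1c4child_processC:\Windows\system32\services.exe0x16c
#120x244child_processC:\Windows\system32\svchost.exe -k DcomLaunch0x1c4
#170x394child_processC:\Windows\system32\svchost.exe -k netsvcs0x1c4
#230x4d8child_processtaskeng.exe {156F8AD7-825D-4321-B1E4-BA03D81FD813} S-1-5-21-272637189-1204002015-1709914517-1000:user-PC\user:Interactive:Highest[1]0x394
#330x830child_processC:\Windows\Explorer.EXE0x1a0
'''

# Row grammar assumed by this example: "#<id><pid><reason><cmd><origin|->".
# The lazy cmd group stops at the last token only if it is a hex PID or "-".
ROW_RE = re.compile(
    r"^#(?P<id>\d+)"
    r"(?P<pid>0x[0-9a-f]+)"
    r"(?P<reason>analysis_target|child_process|kernel_analysis)"
    r"(?P<cmd>.*?)"
    r"(?P<origin>0x[0-9a-f]+|-)$"
)

# $NtUninstall...$ folder names mimic legacy hotfix uninstall directories;
# the sample dropped and launched its payload from one (assumed indicator).
HOTFIX_DIR_RE = re.compile(r"\$NtUninstall[^\\]*\$", re.IGNORECASE)


@dataclass
class Proc:
    id: int
    pid: str
    reason: str
    cmd: str
    origin: str                      # "-" when the table records no parent
    children: list = field(default_factory=list)


def parse_rows(text):
    """Parse flattened rows into {pid: Proc} and link children to parents."""
    procs = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable row: " + line)
        p = Proc(int(m["id"]), m["pid"], m["reason"], m["cmd"].strip(), m["origin"])
        procs[p.pid] = p
    for p in procs.values():
        if p.origin in procs:
            procs[p.origin].children.append(p)
    return procs


def descendants(procs, pid):
    """PIDs of everything spawned (transitively) by pid, depth first, table order."""
    out, stack = [], list(reversed(procs[pid].children))
    while stack:
        p = stack.pop()
        out.append(p.pid)
        stack.extend(reversed(p.children))
    return out


def lineage(procs, pid):
    """PIDs from pid up to a root whose origin is not in the table."""
    chain = [pid]
    while procs[chain[-1]].origin in procs:
        chain.append(procs[chain[-1]].origin)
    return chain


def suspicious(procs):
    """{pid: reasons} for processes under the sample's tree or in a $NtUninstall*$ path."""
    target = next(p for p in procs.values() if p.reason == "analysis_target")
    sample_tree = set(descendants(procs, target.pid))
    hits = {}
    for p in procs.values():
        reasons = []
        if p.pid in sample_tree:
            reasons.append("spawned by analysis target")
        if HOTFIX_DIR_RE.search(p.cmd):
            reasons.append("image under $NtUninstall*$ directory")
        if reasons:
            hits[p.pid] = reasons
    return hits


if __name__ == "__main__":
    procs = parse_rows(ROWS)
    for pid, why in suspicious(procs).items():
        print(pid, procs[pid].cmd, "->", "; ".join(why))
    print("taskeng lineage:", " <- ".join(lineage(procs, "0x4d8")))
```

The origin column is a monitoring relationship, not always the OS parent: the table gives #1 no origin, while its Process Information block records OS parent 0x830 (Explorer.EXE), so lineage() stops at the sample rather than walking into the desktop shell.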
Process Graph (image not reproduced in this text export)
Process Information
ID: #1
OS PID: 0xb6c
OS Parent PID: 0x830
Image Name: a86ac0ad1f8928e8d4e1b728448f54f9.exe
Page Root: 0x7a19d000
Monitor Reason: analysis_target
Unmonitor Reason: (still running)
CMD Line: "C:\Users\user\Desktop\a86ac0ad1f8928e8d4e1b728448f54f9.exe"
Current Directory: C:\Users\user\Desktop\
Name | Start VA | End VA | Type | Monitored
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | private | True
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | pagefile_backed | True
private_0x0000000000020000 | 0x00020000 | 0x0002ffff | private | True
private_0x0000000000030000 | 0x00030000 | 0x00031fff | private | True
private_0x0000000000030000 | 0x00030000 | 0x00030fff | private | True
apisetschema.dll | 0x00040000 | 0x00040fff | mapped_file | False
private_0x0000000000050000 | 0x00050000 | 0x0008ffff | private | True
private_0x0000000000090000 | 0x00090000 | 0x0018ffff | private | True
pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | pagefile_backed | True
pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | pagefile_backed | True
private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | private | True
locale.nls | 0x001c0000 | 0x00226fff | mapped_file | False
pagefile_0x0000000000230000 | 0x00230000 | 0x003b7fff | pagefile_backed | True
private_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | private | True
oleaccrc.dll | 0x003d0000 | 0x003d0fff | mapped_file | False
private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | private | True
private_0x00000000003f0000 | 0x003f0000 | 0x003f4fff | private | True
a86ac0ad1f8928e8d4e1b728448f54f9.exe | 0x00400000 | 0x006d9fff | mapped_file | True
pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | pagefile_backed | True
private_0x0000000000870000 | 0x00870000 | 0x008affff | private | True
private_0x00000000008b0000 | 0x008b0000 | 0x0092ffff | private | True
private_0x0000000000930000 | 0x00930000 | 0x00acbfff | private | True
private_0x0000000000930000 | 0x00930000 | 0x00a2ffff | private | True
private_0x0000000000a30000 | 0x00a30000 | 0x00a30fff | private | True
private_0x0000000000a40000 | 0x00a40000 | 0x00a46fff | private | True
private_0x0000000000a50000 | 0x00a50000 | 0x00a50fff | private | True
private_0x0000000000a60000 | 0x00a60000 | 0x00a76fff | private | True
private_0x0000000000a80000 | 0x00a80000 | 0x00a80fff | private | True
private_0x0000000000a90000 | 0x00a90000 | 0x00a9efff | private | True
private_0x0000000000aa0000 | 0x00aa0000 | 0x00aa0fff | private | True
private_0x0000000000b00000 | 0x00b00000 | 0x00bfffff | private | True
pagefile_0x0000000000c00000 | 0x00c00000 | 0x01ffffff | pagefile_backed | True
private_0x0000000002000000 | 0x02000000 | 0x0219bfff | private | True
private_0x0000000002000000 | 0x02000000 | 0x020fffff | private | True
private_0x0000000002000000 | 0x02000000 | 0x020fffff | private | True
private_0x00000000021a0000 | 0x021a0000 | 0x023abfff | private | True
private_0x00000000023b0000 | 0x023b0000 | 0x02471fff | private | True
apphelp.dll | 0x741d0000 | 0x7421bfff | mapped_file | False
secur32.dll | 0x74220000 | 0x74227fff | mapped_file | False
oleacc.dll | 0x74230000 | 0x7426bfff | mapped_file | False
wow64cpu.dll | 0x74270000 | 0x74277fff | mapped_file | False
wow64win.dll | 0x74280000 | 0x742dbfff | mapped_file | False
wow64.dll | 0x742e0000 | 0x7431efff | mapped_file | False
cryptbase.dll | 0x75240000 | 0x7524bfff | mapped_file | False
sspicli.dll | 0x75250000 | 0x752affff | mapped_file | False
imm32.dll | 0x752e0000 | 0x7533ffff | mapped_file | False
user32.dll | 0x754f0000 | 0x755effff | mapped_file | False
kernel32.dll | 0x755f0000 | 0x756fffff | mapped_file | False
msvcrt.dll | 0x75830000 | 0x758dbfff | mapped_file | False
advapi32.dll | 0x758f0000 | 0x7598ffff | mapped_file | False
msctf.dll | 0x75990000 | 0x75a5bfff | mapped_file | False
ole32.dll | 0x75a70000 | 0x75bcbfff | mapped_file | False
sechost.dll | 0x75f90000 | 0x75fa8fff | mapped_file | False
shlwapi.dll | 0x75fb0000 | 0x76006fff | mapped_file | False
shell32.dll | 0x76280000 | 0x76ec9fff | mapped_file | False
usp10.dll | 0x770a0000 | 0x7713cfff | mapped_file | False
KernelBase.dll | 0x77140000 | 0x77186fff | mapped_file | False
lpk.dll | 0x77190000 | 0x77199fff | mapped_file | False
gdi32.dll | 0x771a0000 | 0x7722ffff | mapped_file | False
rpcrt4.dll | 0x77360000 | 0x7744ffff | mapped_file | False
private_0x0000000077450000 | 0x77450000 | 0x77549fff | private | True
private_0x0000000077550000 | 0x77550000 | 0x7766efff | private | True
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
ntdll.dll | 0x77850000 | 0x779cffff | mapped_file | False
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | pagefile_backed | True
private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | private | True
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | private | True
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | private | True
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | private | True
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | private | True
OS TIDs: 0xb70, 0xb74, 0xb78, 0xb7c
Filename | MD5 | SHA1
c:\windows\$ntuninstallq923283$\fdisk.sys | 921ad714e7fb01aaa8e9b960544e0d36 | 9e327408fedb128b5717cf0f0093756132624951
c:\windows\$ntuninstallq923283$\usbehub.sys | eaea9ccb40c82af8f3867cd0f4dd5e9d | 7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
c:\windows\$ntuninstallq923283$\pxinsi64.exe | f156ff2a1694f479a079f6777f0c5af0 | 1f55bdf960d70c0571e171c2c75701998552dc43
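The three files listed above under process #1 all sit in C:\Windows\$NtUninstallQ923283$, and the text export runs each file's MD5 (32 hex characters) and SHA1 (40) together into one 72-character token. As an added example, not VMRay's code, the block below splits the rows back into hash IOCs and checks a directory tree against them, reporting an MD5 hit whose SHA1 disagrees as its own condition. Because the real dropped files are not available here, the demo builds a temporary tree with a benign file and a constructed stand-in for pxinsi64.exe, registers the stand-in's own hashes as an extra IOC, and scans; the three rows are copied from the table, everything else is assumed.

```python
"""Hash IOCs from VMRay's per-process file table, checked against a directory.

Added example, not VMRay's code. FILE_ROWS is copied from the report; the
export concatenates MD5 and SHA1 into one token per file.
"""
import hashlib
import os
import re
import tempfile

FILE_ROWS = r"""
c:\windows\$ntuninstallq923283$\fdisk.sys 921ad714e7fb01aaa8e9b960544e0d369e327408fedb128b5717cf0f0093756132624951
c:\windows\$ntuninstallq923283$\usbehub.sys eaea9ccb40c82af8f3867cd0f4dd5e9d7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
c:\windows\$ntuninstallq923283$\pxinsi64.exe f156ff2a1694f479a079f6777f0c5af01f55bdf960d70c0571e171c2c75701998552dc43
"""

# Path, whitespace, then exactly 32 + 40 hex characters (assumed row layout).
ROW_RE = re.compile(r"^(?P<path>\S+)\s+(?P<md5>[0-9a-f]{32})(?P<sha1>[0-9a-f]{40})$")


def parse_file_rows(text):
    """Return {md5: (sha1, reported_path)} from the flattened table."""
    iocs = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("bad file row: " + line)
        iocs[m["md5"]] = (m["sha1"], m["path"])
    return iocs


def hash_file(path):
    """MD5 and SHA1 hex digests of a file, streamed in 64 KiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan(root, iocs):
    """Walk root and return (path, reported_path, sha1_agrees) for every MD5 hit.

    A hit whose SHA1 differs from the IOC's SHA1 is either a corrupt row in
    the report or an MD5 collision; both deserve a second look, so it is
    reported rather than discarded.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            md5, sha1 = hash_file(p)
            if md5 in iocs:
                expected_sha1, reported = iocs[md5]
                hits.append((p, reported, sha1 == expected_sha1))
    return hits


def demo():
    """Constructed scenario: one benign file, one stand-in registered as an IOC."""
    iocs = parse_file_rows(FILE_ROWS)
    with tempfile.TemporaryDirectory() as root:
        drop = os.path.join(root, "$NtUninstallQ923283$")
        os.mkdir(drop)
        with open(os.path.join(root, "benign.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        stand_in = os.path.join(drop, "pxinsi64.exe")
        with open(stand_in, "wb") as f:
            f.write(b"MZ constructed stand-in, not the real dropper\n")
        md5, sha1 = hash_file(stand_in)
        iocs[md5] = (sha1, "constructed:pxinsi64.exe")   # extra, constructed IOC
        hits = scan(root, iocs)
    return len(iocs), hits


if __name__ == "__main__":
    count, hits = demo()
    print(count, "IOCs loaded;", len(hits), "hit(s):", hits)
```

Keying on MD5 and confirming with SHA1 matches what the report gives you; on a real host the directory to walk is C:\Windows, and the $NtUninstall*$ folder name itself is worth listing even when no hash matches, since a rebuilt dropper changes its hash but not necessarily its drop path.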
ID: #2
OS PID: 0xb90
OS Parent PID: 0xb6c
Image Name: pxinsi64.exe
Page Root: 0x08576000
Monitor Reason: child_process
Unmonitor Reason: self_terminated
CMD Line: "C:\Windows\$NtUninstallQ923283$\pxinsi64.exe"
Current Directory: C:\Users\user\Desktop\
Name | Start VA | End VA | Type | Monitored
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | pagefile_backed | True
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | private | True
private_0x0000000000030000 | 0x00030000 | 0x0012ffff | private | True
pagefile_0x0000000000130000 | 0x00130000 | 0x00133fff | pagefile_backed | True
private_0x0000000000140000 | 0x00140000 | 0x00140fff | private | True
locale.nls | 0x00150000 | 0x001b6fff | mapped_file | False
private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | private | True
pxinsi64.exe | 0x00400000 | 0x00403fff | mapped_file | True
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
private_0x000000007fff1000 | 0x7fff1000 | 0x7fff1fff | private | True
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | private | True
private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | private | True
OS TIDs: 0xb94
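The memory maps of process #1 and process #2 above are worth comparing: the sample maps wow64.dll, wow64cpu.dll and wow64win.dll alongside a 32-bit kernel32.dll at 0x755f0000, which is what a PE32 image running under WOW64 on this x64 guest looks like, while pxinsi64.exe maps KernelBase.dll and msvcrt.dll above the 4 GiB boundary with no WOW64 modules at all. As an added example, not VMRay's code, the block below parses the flattened "Name Start VA End VA Type Monitored" rows and applies that distinction as a heuristic; the rows are a subset copied from the two tables, and the bitness rule is this example's assumption, not a classification the report makes.

```python
"""Parse VMRay's flattened memory-map rows and classify a process's bitness.

Added example, not VMRay's code. SAMPLE_ROWS and DROPPER_ROWS are subsets of
the report's tables for process #1 and #2; the five columns are concatenated.
"""
import re

# Assumed row grammar: name, start VA, end VA, region type, monitored flag.
# The lazy name group lets names like private_0x0000000000010000 parse correctly.
REGION_RE = re.compile(
    r"^(?P<name>.+?)(?P<start>0x[0-9a-f]+)(?P<end>0x[0-9a-f]+)"
    r"(?P<type>private|pagefile_backed|mapped_file)(?P<mon>True|False)$"
)

SAMPLE_ROWS = """
a86ac0ad1f8928e8d4e1b728448f54f9.exe0x004000000x006d9fffmapped_fileTrue
wow64cpu.dll0x742700000x74277fffmapped_fileFalse
wow64.dll0x742e00000x7431efffmapped_fileFalse
kernel32.dll0x755f00000x756fffffmapped_fileFalse
KernelBase.dll0x771400000x77186fffmapped_fileFalse
ntdll.dll0x776700000x77818fffmapped_fileFalse
ntdll.dll0x778500000x779cffffmapped_fileFalse
private_0x000000007fff00000x7fff00000x7fffffeffffprivateTrue
"""

DROPPER_ROWS = """
pxinsi64.exe0x004000000x00403fffmapped_fileTrue
kernel32.dll0x775500000x7766efffmapped_fileFalse
ntdll.dll0x776700000x77818fffmapped_fileFalse
KernelBase.dll0x7fefd5400000x7fefd5abfffmapped_fileFalse
msvcrt.dll0x7feff8c00000x7feff95efffmapped_fileFalse
pagefile_0x000007fffffb00000x7fffffb00000x7fffffd2fffpagefile_backedTrue
"""


def parse_regions(text):
    """Split each flattened row into a dict with integer start/end addresses."""
    regions = []
    for line in text.strip().splitlines():
        m = REGION_RE.match(line.strip())
        if not m:
            raise ValueError("bad region row: " + line)
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end < start:
            raise ValueError("end before start: " + line)
        regions.append({"name": m["name"], "start": start, "end": end,
                        "type": m["type"], "monitored": m["mon"] == "True"})
    return regions


def modules(regions):
    """Names of file-backed mappings, in table order (duplicates kept)."""
    return [r["name"] for r in regions if r["type"] == "mapped_file"]


def bitness(regions):
    """Heuristic of this example: wow64.dll present means a 32-bit image under
    WOW64; otherwise a module mapped above 4 GiB means native 64-bit.

    Only mapped_file rows are consulted because a WOW64 process also carries a
    private region reaching past 4 GiB (the row ending at 0x7fffffeffff above),
    so testing every region would misclassify the sample.
    """
    names = {n.lower() for n in modules(regions)}
    if "wow64.dll" in names:
        return "32-bit under WOW64"
    if any(r["type"] == "mapped_file" and r["start"] > 0xFFFFFFFF for r in regions):
        return "native 64-bit"
    return "undetermined"


def region_size(regions, name):
    """Byte length of the first region with the given name (end is inclusive)."""
    r = next(x for x in regions if x["name"] == name)
    return r["end"] - r["start"] + 1


if __name__ == "__main__":
    for label, rows in (("#1 sample", SAMPLE_ROWS), ("#2 pxinsi64.exe", DROPPER_ROWS)):
        regs = parse_regions(rows)
        print(label, bitness(regs), modules(regs))
```

The image sizes fall out of the same parse: the sample occupies 0x2da000 bytes at 0x00400000, the dropped pxinsi64.exe only 0x4000, which is consistent with the small native launcher the report shows terminating on its own.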
ID: #3
OS PID: 0x4
OS Parent PID: 0xffffffffffffffff
Image Name: SYSTEM
Page Root: 0x00187000
Monitor Reason: kernel_analysis
Unmonitor Reason: (still running)
CMD Line: -
Current Directory: -
Name | Start VA | End VA | Type | Monitored
pagefile_0x0000000000010000 | 0x00010000 | 0x00032fff | pagefile_backed | True
pagefile_0x0000000000040000 | 0x00040000 | 0x0005ffff | pagefile_backed | True
pagefile_0x0000000000060000 | 0x00060000 | 0x0007ffff | pagefile_backed | True
pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | pagefile_backed | True
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
ntdll.dll | 0x77850000 | 0x779cffff | mapped_file | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
pagefile_0x000007fffebd0000 | 0x7fffebd0000 | 0x7fffebfffff | pagefile_backed | True
pagefile_0x000007ffff0d0000 | 0x7ffff0d0000 | 0x7ffff0fffff | pagefile_backed | True
pagefile_0x000007ffff5d0000 | 0x7ffff5d0000 | 0x7ffff5fffff | pagefile_backed | True
pagefile_0x000007ffffad0000 | 0x7ffffad0000 | 0x7ffffafffff | pagefile_backed | True
OS TIDs: 0xa28, 0x9ac, 0x7c, 0x60, 0x434, 0x8a4, 0xec, 0x458, 0x50, 0x45c, 0x530, 0x18, 0x20, 0x7c8, 0x760, 0x1c, 0x620, 0x610, 0x600, 0x5f0, 0x5e0, 0x5d4, 0x598, 0x78, 0x52c, 0x4e8, 0x10, 0x454, 0xc4, 0xc8, 0x138, 0xac, 0x3ec, 0x84, 0x80, 0x88, 0x2fc, 0x280, 0x74, 0x94, 0x90, 0x128, 0x8c, 0x118, 0xf4, 0x24, 0x18c, 0x5c, 0x130, 0x4c, 0x2c, 0x124, 0xb8, 0x120, 0xa4, 0x11c, 0x38, 0x3c, 0x48, 0x68, 0x10c, 0x28, 0x9c, 0x40, 0xb4, 0x44, 0x8, 0x0, 0xb9c, 0xba0, 0xba4, 0xba8, 0xbac, 0xbb0, 0xbb4, 0xbb8, 0xbbc, 0xbc0, 0xbc4, 0xbc8
ID: #4
OS PID: 0xf8
OS Parent PID: 0x4
Image Name: smss.exe
Page Root: 0x220db000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: \SystemRoot\System32\smss.exe
Current Directory: C:\Windows
Name | Start VA | End VA | Type | Monitored
OS TIDs: 0x174, 0x13c, 0x100, 0xfc
ID: #5
OS PID: 0x148
OS Parent PID: 0xffffffffffffffff
Image Name: csrss.exe
Page Root: 0x1b918000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Current Directory: C:\Windows\system32
Name | Start VA | End VA | Type | Monitored
locale.nls | 0x00010000 | 0x00076fff | mapped_file | False
csrss.exe.mui | 0x00080000 | 0x00080fff | mapped_file | False
winsrv.dll.mui | 0x00090000 | 0x00091fff | mapped_file | False
private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | private | True
pagefile_0x00000000000b0000 | 0x000b0000 | 0x000bffff | pagefile_backed | True
marlett.ttf | 0x000c0000 | 0x000c6fff | mapped_file | False
pagefile_0x00000000000d0000 | 0x000d0000 | 0x000e7fff | pagefile_backed | True
private_0x00000000000f0000 | 0x000f0000 | 0x001effff | private | True
vgasys.fon | 0x001f0000 | 0x001f1fff | mapped_file | False
private_0x0000000000200000 | 0x00200000 | 0x00200fff | private | True
pagefile_0x0000000000210000 | 0x00210000 | 0x0021ffff | pagefile_backed | True
private_0x0000000000220000 | 0x00220000 | 0x0025ffff | private | True
private_0x0000000000260000 | 0x00260000 | 0x0035ffff | private | True
private_0x0000000000360000 | 0x00360000 | 0x0039ffff | private | True
segoeui.ttf | 0x003a0000 | 0x0041efff | mapped_file | False
pagefile_0x0000000000420000 | 0x00420000 | 0x0042ffff | pagefile_backed | True
pagefile_0x0000000000430000 | 0x00430000 | 0x0043ffff | pagefile_backed | True
private_0x0000000000440000 | 0x00440000 | 0x0047ffff | private | True
pagefile_0x0000000000480000 | 0x00480000 | 0x004affff | pagefile_backed | True
pagefile_0x00000000004b0000 | 0x004b0000 | 0x004bffff | pagefile_backed | True
pagefile_0x00000000004c0000 | 0x004c0000 | 0x004cffff | pagefile_backed | True
private_0x00000000004d0000 | 0x004d0000 | 0x004dffff | private | True
pagefile_0x00000000004e0000 | 0x004e0000 | 0x00660fff | pagefile_backed | True
pagefile_0x0000000000670000 | 0x00670000 | 0x0067ffff | pagefile_backed | True
private_0x0000000000680000 | 0x00680000 | 0x006bffff | private | True
pagefile_0x00000000006c0000 | 0x006c0000 | 0x006c1fff | pagefile_backed | True
pagefile_0x00000000006d0000 | 0x006d0000 | 0x006dffff | pagefile_backed | True
pagefile_0x00000000006e0000 | 0x006e0000 | 0x006effff | pagefile_backed | True
pagefile_0x00000000006f0000 | 0x006f0000 | 0x006fffff | pagefile_backed | True
pagefile_0x0000000000700000 | 0x00700000 | 0x0070ffff | pagefile_backed | True
pagefile_0x0000000000710000 | 0x00710000 | 0x0071ffff | pagefile_backed | True
pagefile_0x0000000000720000 | 0x00720000 | 0x0072ffff | pagefile_backed | True
pagefile_0x0000000000730000 | 0x00730000 | 0x0073ffff | pagefile_backed | True
pagefile_0x0000000000740000 | 0x00740000 | 0x0074ffff | pagefile_backed | True
pagefile_0x0000000000750000 | 0x00750000 | 0x0075ffff | pagefile_backed | True
private_0x0000000000760000 | 0x00760000 | 0x0079ffff | private | True
private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | private | True
pagefile_0x00000000007e0000 | 0x007e0000 | 0x00967fff | pagefile_backed | True
private_0x0000000000970000 | 0x00970000 | 0x009affff | private | True
pagefile_0x00000000009b0000 | 0x009b0000 | 0x01daffff | pagefile_backed | True
pagefile_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | pagefile_backed | True
pagefile_0x0000000001dc0000 | 0x01dc0000 | 0x01dcffff | pagefile_backed | True
pagefile_0x0000000001dd0000 | 0x01dd0000 | 0x01ddffff | pagefile_backed | True
pagefile_0x0000000001de0000 | 0x01de0000 | 0x01deffff | pagefile_backed | True
private_0x0000000001e50000 | 0x01e50000 | 0x01e8ffff | private | True
pagefile_0x0000000001e90000 | 0x01e90000 | 0x01f4ffff | pagefile_backed | True
pagefile_0x0000000001f50000 | 0x01f50000 | 0x0200ffff | pagefile_backed | True
pagefile_0x0000000002010000 | 0x02010000 | 0x020cffff | pagefile_backed | True
pagefile_0x00000000020d0000 | 0x020d0000 | 0x0218ffff | pagefile_backed | True
csrss.exe | 0x49c60000 | 0x49c65fff | mapped_file | False
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
sxs.dll | 0x7fefd2f0000 | 0x7fefd380fff | mapped_file | False
sxssrv.dll | 0x7fefd3f0000 | 0x7fefd3fbfff | mapped_file | False
winsrv.dll | 0x7fefd400000 | 0x7fefd437fff | mapped_file | False
basesrv.dll | 0x7fefd440000 | 0x7fefd450fff | mapped_file | False
csrsrv.dll | 0x7fefd460000 | 0x7fefd472fff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | private | True
private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | private | True
private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | private | True
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | private | True
private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | private | True
private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | private | True
private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdafff | private | True
private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | private | True
private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | private | True
OS TIDs: 0x1e8, 0x1ac, 0x1a8, 0x180, 0x160, 0x15c, 0x158, 0x154, 0x14c
ID: #6
OS PID: 0x16c
OS Parent PID: 0xffffffffffffffff
Image Name: wininit.exe
Page Root: 0x1b51e000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: wininit.exe
Current Directory: C:\Windows\system32
Name | Start VA | End VA | Type | Monitored
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | pagefile_backed | True
locale.nls | 0x00020000 | 0x00086fff | mapped_file | False
user32.dll.mui | 0x00090000 | 0x00094fff | mapped_file | False
private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | private | True
private_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | private | True
private_0x00000000000c0000 | 0x000c0000 | 0x0013ffff | private | True
private_0x0000000000140000 | 0x00140000 | 0x0023ffff | private | True
private_0x0000000000240000 | 0x00240000 | 0x00240fff | private | True
private_0x0000000000250000 | 0x00250000 | 0x0025ffff | private | True
pagefile_0x0000000000270000 | 0x00270000 | 0x0029ffff | pagefile_backed | True
private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | private | True
pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | pagefile_backed | True
pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | pagefile_backed | True
private_0x0000000000750000 | 0x00750000 | 0x007cffff | private | True
private_0x00000000007d0000 | 0x007d0000 | 0x0084ffff | private | True
private_0x00000000008a0000 | 0x008a0000 | 0x0091ffff | private | True
private_0x0000000000a70000 | 0x00a70000 | 0x00aeffff | private | True
private_0x0000000000b00000 | 0x00b00000 | 0x00b7ffff | private | True
private_0x0000000000c80000 | 0x00c80000 | 0x00cfffff | private | True
private_0x0000000000d30000 | 0x00d30000 | 0x00daffff | private | True
pagefile_0x0000000000db0000 | 0x00db0000 | 0x021affff | pagefile_backed | True
private_0x0000000002210000 | 0x02210000 | 0x0228ffff | private | True
SortDefault.nls | 0x02290000 | 0x0255efff | mapped_file | False
private_0x0000000002580000 | 0x02580000 | 0x025fffff | private | True
private_0x0000000002680000 | 0x02680000 | 0x026fffff | private | True
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
wininit.exe | 0xfff40000 | 0xfff62fff | mapped_file | False
WSHTCPIP.DLL | 0x7fefc640000 | 0x7fefc646fff | mapped_file | False
credssp.dll | 0x7fefc880000 | 0x7fefc889fff | mapped_file | False
wship6.dll | 0x7fefcc10000 | 0x7fefcc16fff | mapped_file | False
mswsock.dll | 0x7fefcc20000 | 0x7fefcc74fff | mapped_file | False
secur32.dll | 0x7fefd220000 | 0x7fefd22afff | mapped_file | False
sspicli.dll | 0x7fefd250000 | 0x7fefd274fff | mapped_file | False
apphelp.dll | 0x7fefd280000 | 0x7fefd2d6fff | mapped_file | False
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
RpcRtRemote.dll | 0x7fefd3d0000 | 0x7fefd3e3fff | mapped_file | False
profapi.dll | 0x7fefd490000 | 0x7fefd49efff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
imm32.dll | 0x7fefd840000 | 0x7fefd86dfff | mapped_file | False
advapi32.dll | 0x7fefd870000 | 0x7fefd94afff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
ws2_32.dll | 0x7fefdda0000 | 0x7fefddecfff | mapped_file | False
nsi.dll | 0x7fefddf0000 | 0x7fefddf7fff | mapped_file | False
sechost.dll | 0x7fefe290000 | 0x7fefe2aefff | mapped_file | False
msctf.dll | 0x7fefe610000 | 0x7fefe718fff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | private | True
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | private | True
private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | private | True
private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | private | True
private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | private | True
private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | private | True
private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffddfff | private | True
private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | private | True
OS TIDs: 0x2c0, 0x200, 0x1dc, 0x1bc, 0x1b8, 0x188, 0x184, 0x170
ID: #7
OS PID: 0x178
OS Parent PID: 0xffffffffffffffff
Image Name: csrss.exe
Page Root: 0x1b681000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Current Directory: C:\Windows\system32
Name | Start VA | End VA | Type | Monitored
locale.nls | 0x00010000 | 0x00076fff | mapped_file | False
winsrv.dll.mui | 0x00080000 | 0x00081fff | mapped_file | False
pagefile_0x0000000000090000 | 0x00090000 | 0x0009ffff | pagefile_backed | True
private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | private | True
vgasys.fon | 0x000b0000 | 0x000b1fff | mapped_file | False
private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | private | True
pagefile_0x00000000000d0000 | 0x000d0000 | 0x000dffff | pagefile_backed | True
marlett.ttf | 0x000e0000 | 0x000e6fff | mapped_file | False
pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | pagefile_backed | True
private_0x0000000000100000 | 0x00100000 | 0x0013ffff | private | True
pagefile_0x0000000000140000 | 0x00140000 | 0x0014ffff | pagefile_backed | True
private_0x0000000000150000 | 0x00150000 | 0x0024ffff | private | True
private_0x0000000000250000 | 0x00250000 | 0x0034ffff | private | True
pagefile_0x0000000000350000 | 0x00350000 | 0x00367fff | pagefile_backed | True
private_0x0000000000370000 | 0x00370000 | 0x0037ffff | private | True
pagefile_0x0000000000380000 | 0x00380000 | 0x00500fff | pagefile_backed | True
pagefile_0x0000000000510000 | 0x00510000 | 0x0053ffff | pagefile_backed | True
pagefile_0x0000000000540000 | 0x00540000 | 0x0054ffff | pagefile_backed | True
pagefile_0x0000000000550000 | 0x00550000 | 0x0055ffff | pagefile_backed | True
private_0x0000000000560000 | 0x00560000 | 0x0059ffff | private | True
pagefile_0x00000000005a0000 | 0x005a0000 | 0x005affff | pagefile_backed | True
pagefile_0x00000000005b0000 | 0x005b0000 | 0x005bffff | pagefile_backed | True
pagefile_0x00000000005c0000 | 0x005c0000 | 0x005cffff | pagefile_backed | True
vga850.fon | 0x005d0000 | 0x005d1fff | mapped_file | False
private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | private | True
segoeui.ttf | 0x00620000 | 0x0069efff | mapped_file | False
private_0x00000000006a0000 | 0x006a0000 | 0x006dffff | private | True
app850.fon | 0x006e0000 | 0x006e8fff | mapped_file | False
cga40850.fon | 0x006f0000 | 0x006f1fff | mapped_file | False
private_0x0000000000700000 | 0x00700000 | 0x0073ffff | private | True
pagefile_0x0000000000740000 | 0x00740000 | 0x008c7fff | pagefile_backed | True
cga80850.fon | 0x008d0000 | 0x008d1fff | mapped_file | False
ega40850.fon | 0x008e0000 | 0x008e2fff | mapped_file | False
pagefile_0x00000000008f0000 | 0x008f0000 | 0x008fffff | pagefile_backed | True
private_0x0000000000960000 | 0x00960000 | 0x0099ffff | private | True
private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | private | True
pagefile_0x0000000000a10000 | 0x00a10000 | 0x01e0ffff | pagefile_backed | True
micross.ttf | 0x01e10000 | 0x01eaffff | mapped_file | False
segoeuii.ttf | 0x01eb0000 | 0x01f0efff | mapped_file | False
segoeuib.ttf | 0x01f10000 | 0x01f89fff | mapped_file | False
csrss.exe | 0x49c60000 | 0x49c65fff | mapped_file | False
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
sxs.dll | 0x7fefd2f0000 | 0x7fefd380fff | mapped_file | False
sxssrv.dll | 0x7fefd3f0000 | 0x7fefd3fbfff | mapped_file | False
winsrv.dll | 0x7fefd400000 | 0x7fefd437fff | mapped_file | False
basesrv.dll | 0x7fefd440000 | 0x7fefd450fff | mapped_file | False
csrsrv.dll | 0x7fefd460000 | 0x7fefd472fff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
advapi32.dll | 0x7fefd870000 | 0x7fefd94afff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
sechost.dll | 0x7fefe290000 | 0x7fefe2aefff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | private | True
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | private | True
private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | private | True
private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | private | True
private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | private | True
private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | private | True
private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | private | True
private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | private | True
OS TIDs: 0x1e0, 0x1b0, 0x19c, 0x198, 0x194, 0x190, 0x17c, 0x1e4
ID: #8
OS PID: 0x1a0
OS Parent PID: 0xffffffffffffffff
Image Name: winlogon.exe
Page Root: 0x1ad47000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: winlogon.exe
Current Directory: C:\Windows\system32
Name | Start VA | End VA | Type | Monitored
OS TIDs: 0x38c, 0x330, 0x2d4, 0x1c0, 0x1b4, 0x1a4
ID: #9
OS PID: 0x1c4
OS Parent PID: 0x16c
Image Name: services.exe
Page Root: 0x1e87f000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\services.exe
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | pagefile_backed | True
services.exe.mui | 0x00020000 | 0x00024fff | mapped_file | False
pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | pagefile_backed | True
pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | pagefile_backed | True
private_0x0000000000050000 | 0x00050000 | 0x00050fff | private | True
locale.nls | 0x00060000 | 0x000c6fff | mapped_file | False
private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | private | True
private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | private | True
private_0x0000000000100000 | 0x00100000 | 0x00100fff | private | True
private_0x0000000000110000 | 0x00110000 | 0x00110fff | private | True
private_0x0000000000200000 | 0x00200000 | 0x002fffff | private | True
pagefile_0x0000000000300000 | 0x00300000 | 0x003bffff | pagefile_backed | True
private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | private | True
private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | private | True
pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | pagefile_backed | True
pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | pagefile_backed | True
private_0x0000000000800000 | 0x00800000 | 0x0087ffff | private | True
private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | private | True
private_0x00000000009c0000 | 0x009c0000 | 0x00a3ffff | private | True
private_0x0000000000a80000 | 0x00a80000 | 0x00afffff | private | True
private_0x0000000000b00000 | 0x00b00000 | 0x00b7ffff | private | True
private_0x0000000000b80000 | 0x00b80000 | 0x00bfffff | private | True
private_0x0000000000c20000 | 0x00c20000 | 0x00c9ffff | private | True
private_0x0000000000ca0000 | 0x00ca0000 | 0x00d1ffff | private | True
private_0x0000000000d70000 | 0x00d70000 | 0x00deffff | private | True
private_0x0000000000ec0000 | 0x00ec0000 | 0x00f3ffff | private | True
private_0x0000000000f50000 | 0x00f50000 | 0x00fcffff | private | True
private_0x0000000000fd0000 | 0x00fd0000 | 0x0104ffff | private | True
private_0x0000000001090000 | 0x01090000 | 0x0110ffff | private | True
private_0x0000000001190000 | 0x01190000 | 0x0120ffff | private | True
private_0x0000000001240000 | 0x01240000 | 0x012bffff | private | True
private_0x00000000012c0000 | 0x012c0000 | 0x013bffff | private | True
private_0x0000000001420000 | 0x01420000 | 0x0149ffff | private | True
private_0x00000000014a0000 | 0x014a0000 | 0x0151ffff | private | True
SortDefault.nls | 0x01520000 | 0x017eefff | mapped_file | False
private_0x00000000017f0000 | 0x017f0000 | 0x018effff | private | True
private_0x00000000018f0000 | 0x018f0000 | 0x01aeffff | private | True
private_0x0000000001af0000 | 0x01af0000 | 0x01ceffff | private | True
private_0x0000000001d30000 | 0x01d30000 | 0x01daffff | private | True
private_0x0000000001de0000 | 0x01de0000 | 0x01e5ffff | private | True
private_0x0000000001f40000 | 0x01f40000 | 0x01fbffff | private | True
private_0x0000000001fc0000 | 0x01fc0000 | 0x0203ffff | private | True
private_0x0000000002060000 | 0x02060000 | 0x020dffff | private | True
private_0x0000000002100000 | 0x02100000 | 0x0217ffff | private | True
private_0x0000000002230000 | 0x02230000 | 0x022affff | private | True
private_0x0000000002320000 | 0x02320000 | 0x0239ffff | private | True
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
services.exe | 0xffff0000 | 0x100042fff | mapped_file | False
wtsapi32.dll | 0x7fefb6c0000 | 0x7fefb6d0fff | mapped_file | False
WSHTCPIP.DLL | 0x7fefc640000 | 0x7fefc646fff | mapped_file | False
ubpm.dll | 0x7fefc840000 | 0x7fefc878fff | mapped_file | False
credssp.dll | 0x7fefc880000 | 0x7fefc889fff | mapped_file | False
wship6.dll | 0x7fefcc10000 | 0x7fefcc16fff | mapped_file | False
mswsock.dll | 0x7fefcc20000 | 0x7fefcc74fff | mapped_file | False
authz.dll | 0x7fefce70000 | 0x7fefce9efff | mapped_file | False
srvcli.dll | 0x7fefd180000 | 0x7fefd1a2fff | mapped_file | False
scesrv.dll | 0x7fefd1b0000 | 0x7fefd216fff | mapped_file | False
secur32.dll | 0x7fefd220000 | 0x7fefd22afff | mapped_file | False
scext.dll | 0x7fefd230000 | 0x7fefd248fff | mapped_file | False
sspicli.dll | 0x7fefd250000 | 0x7fefd274fff | mapped_file | False
apphelp.dll | 0x7fefd280000 | 0x7fefd2d6fff | mapped_file | False
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
winsta.dll | 0x7fefd390000 | 0x7fefd3ccfff | mapped_file | False
RpcRtRemote.dll | 0x7fefd3d0000 | 0x7fefd3e3fff | mapped_file | False
profapi.dll | 0x7fefd490000 | 0x7fefd49efff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
imm32.dll | 0x7fefd840000 | 0x7fefd86dfff | mapped_file | False
advapi32.dll | 0x7fefd870000 | 0x7fefd94afff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
ws2_32.dll | 0x7fefdda0000 | 0x7fefddecfff | mapped_file | False
nsi.dll | 0x7fefddf0000 | 0x7fefddf7fff | mapped_file | False
sechost.dll | 0x7fefe290000 | 0x7fefe2aefff | mapped_file | False
msctf.dll | 0x7fefe610000 | 0x7fefe718fff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
private_0x000007fffff8a000 | 0x7fffff8a000 | 0x7fffff8bfff | private | True
private_0x000007fffff8c000 | 0x7fffff8c000 | 0x7fffff8dfff | private | True
private_0x000007fffff8e000 | 0x7fffff8e000 | 0x7fffff8ffff | private | True
private_0x000007fffff90000 | 0x7fffff90000 | 0x7fffff91fff | private | True
private_0x000007fffff92000 | 0x7fffff92000 | 0x7fffff93fff | private | True
private_0x000007fffff94000 | 0x7fffff94000 | 0x7fffff95fff | private | True
private_0x000007fffff96000 | 0x7fffff96000 | 0x7fffff97fff | private | True
private_0x000007fffff98000 | 0x7fffff98000 | 0x7fffff99fff | private | True
private_0x000007fffff9a000 | 0x7fffff9a000 | 0x7fffff9bfff | private | True
private_0x000007fffff9c000 | 0x7fffff9c000 | 0x7fffff9dfff | private | True
private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | private | True
private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | private | True
private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | private | True
private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | private | True
private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | private | True
private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | private | True
private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | private | True
private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | private | True
private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | private | True
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | private | True
private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | private | True
private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | private | True
private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | private | True
private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | private | True
OS TIDs
0x21c, 0x218, 0x214, 0x210, 0x684, 0x67c, 0x678, 0x674, 0x670, 0x66c, 0x668, 0x664, 0x49c, 0x478, 0x390, 0x27c, 0x240, 0x23c, 0x238, 0x234, 0x230, 0x22c, 0x228
ID: #10
OS PID: 0x1cc
OS Parent PID: 0x16c
Image Name: lsass.exe
Page Root: 0x1a9df000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\lsass.exe
Current Directory: C:\Windows\system32\
Name  Start VA  End VA  Type  Monitored
pagefile_0x0000000000010000  0x00010000  0x0001ffff  pagefile_backed  True
pagefile_0x0000000000020000  0x00020000  0x00020fff  pagefile_backed  True
pagefile_0x0000000000030000  0x00030000  0x00033fff  pagefile_backed  True
pagefile_0x0000000000040000  0x00040000  0x00040fff  pagefile_backed  True
private_0x0000000000050000  0x00050000  0x00050fff  private  True
private_0x0000000000060000  0x00060000  0x00060fff  private  True
private_0x0000000000070000  0x00070000  0x00070fff  private  True
pagefile_0x0000000000080000  0x00080000  0x0008ffff  pagefile_backed  True
pagefile_0x0000000000090000  0x00090000  0x0009ffff  pagefile_backed  True
locale.nls  0x00120000  0x00186fff  mapped_file  False
lsasrv.dll.mui  0x00190000  0x0019bfff  mapped_file  False
pagefile_0x00000000001a0000  0x001a0000  0x001affff  pagefile_backed  True
private_0x00000000001b0000  0x001b0000  0x001b0fff  private  True
private_0x00000000001c0000  0x001c0000  0x0023ffff  private  True
private_0x0000000000240000  0x00240000  0x0033ffff  private  True
private_0x0000000000340000  0x00340000  0x0043ffff  private  True
C_28591.NLS  0x00440000  0x00450fff  mapped_file  False
private_0x0000000000460000  0x00460000  0x00460fff  private  True
private_0x0000000000470000  0x00470000  0x00470fff  private  True
private_0x0000000000480000  0x00480000  0x00480fff  private  True
private_0x0000000000490000  0x00490000  0x00490fff  private  True
private_0x00000000004a0000  0x004a0000  0x004affff  private  True
pagefile_0x00000000004b0000  0x004b0000  0x00637fff  pagefile_backed  True
private_0x0000000000640000  0x00640000  0x006bffff  private  True
pagefile_0x00000000006c0000  0x006c0000  0x00840fff  pagefile_backed  True
pagefile_0x0000000000850000  0x00850000  0x0090ffff  pagefile_backed  True
private_0x0000000000910000  0x00910000  0x00910fff  private  True
private_0x0000000000920000  0x00920000  0x00920fff  private  True
private_0x0000000000930000  0x00930000  0x00930fff  private  True
private_0x0000000000940000  0x00940000  0x00940fff  private  True
private_0x0000000000990000  0x00990000  0x00a0ffff  private  True
private_0x0000000000a30000  0x00a30000  0x00aaffff  private  True
private_0x0000000000af0000  0x00af0000  0x00b6ffff  private  True
private_0x0000000000bf0000  0x00bf0000  0x00c6ffff  private  True
SortDefault.nls  0x00c70000  0x00f3efff  mapped_file  False
private_0x0000000000f90000  0x00f90000  0x0100ffff  private  True
private_0x0000000001090000  0x01090000  0x0110ffff  private  True
private_0x0000000001110000  0x01110000  0x0118ffff  private  True
private_0x00000000011f0000  0x011f0000  0x0126ffff  private  True
private_0x0000000001270000  0x01270000  0x0136ffff  private  True
private_0x0000000001370000  0x01370000  0x0146ffff  private  True
msprivs.dll  0x75230000  0x75231fff  mapped_file  False
user32.dll  0x77450000  0x77549fff  mapped_file  False
kernel32.dll  0x77550000  0x7766efff  mapped_file  False
ntdll.dll  0x77670000  0x77818fff  mapped_file  False
pagefile_0x000000007efe0000  0x7efe0000  0x7f0dffff  pagefile_backed  True
private_0x000000007f0e0000  0x7f0e0000  0x7ffdffff  private  True
private_0x000000007ffe0000  0x7ffe0000  0x7ffeffff  private  True
lsass.exe  0xff6d0000  0xff6dbfff  mapped_file  False
winnsi.dll  0x7fefabc0000  0x7fefabcafff  mapped_file  False
IPHLPAPI.DLL  0x7fefabd0000  0x7fefabf6fff  mapped_file  False
wkscli.dll  0x7fefb560000  0x7fefb574fff  mapped_file  False
netutils.dll  0x7fefb580000  0x7fefb58bfff  mapped_file  False
WSHTCPIP.DLL  0x7fefc640000  0x7fefc646fff  mapped_file  False
scecli.dll  0x7fefc800000  0x7fefc83dfff  mapped_file  False
credssp.dll  0x7fefc880000  0x7fefc889fff  mapped_file  False
efslsaext.dll  0x7fefc8a0000  0x7fefc8b1fff  mapped_file  False
bcryptprimitives.dll  0x7fefc8c0000  0x7fefc90bfff  mapped_file  False
pku2u.dll  0x7fefc910000  0x7fefc954fff  mapped_file  False
TSpkg.dll  0x7fefc960000  0x7fefc978fff  mapped_file  False
rsaenh.dll  0x7fefc980000  0x7fefc9c6fff  mapped_file  False
wdigest.dll  0x7fefc9d0000  0x7fefca05fff  mapped_file  False
schannel.dll  0x7fefca10000  0x7fefca66fff  mapped_file  False
logoncli.dll  0x7fefca70000  0x7fefca9ffff  mapped_file  False
dnsapi.dll  0x7fefcaa0000  0x7fefcafafff  mapped_file  False
netlogon.dll  0x7fefcb00000  0x7fefcbadfff  mapped_file  False
msv1_0.dll  0x7fefcbb0000  0x7fefcc01fff  mapped_file  False
wship6.dll  0x7fefcc10000  0x7fefcc16fff  mapped_file  False
mswsock.dll  0x7fefcc20000  0x7fefcc74fff  mapped_file  False
cryptsp.dll  0x7fefcc80000  0x7fefcc96fff  mapped_file  False
kerberos.dll  0x7fefcca0000  0x7fefcd57fff  mapped_file  False
negoexts.dll  0x7fefcd60000  0x7fefcd83fff  mapped_file  False
netjoin.dll  0x7fefcd90000  0x7fefcdc1fff  mapped_file  False
bcrypt.dll  0x7fefcdf0000  0x7fefce11fff  mapped_file  False
ncrypt.dll  0x7fefce20000  0x7fefce6cfff  mapped_file  False
authz.dll  0x7fefce70000  0x7fefce9efff  mapped_file  False
cngaudit.dll  0x7fefcea0000  0x7fefcea8fff  mapped_file  False
wevtapi.dll  0x7fefceb0000  0x7fefcf1cfff  mapped_file  False
cryptdll.dll  0x7fefcf20000  0x7fefcf33fff  mapped_file  False
samsrv.dll  0x7fefcf40000  0x7fefcffcfff  mapped_file  False
lsasrv.dll  0x7fefd000000  0x7fefd169fff  mapped_file  False
sspisrv.dll  0x7fefd170000  0x7fefd17afff  mapped_file  False
secur32.dll  0x7fefd220000  0x7fefd22afff  mapped_file  False
sspicli.dll  0x7fefd250000  0x7fefd274fff  mapped_file  False
cryptbase.dll  0x7fefd2e0000  0x7fefd2eefff  mapped_file  False
winsta.dll  0x7fefd390000  0x7fefd3ccfff  mapped_file  False
RpcRtRemote.dll  0x7fefd3d0000  0x7fefd3e3fff  mapped_file  False
msasn1.dll  0x7fefd480000  0x7fefd48efff  mapped_file  False
profapi.dll  0x7fefd490000  0x7fefd49efff  mapped_file  False
userenv.dll  0x7fefd4e0000  0x7fefd4fdfff  mapped_file  False
KernelBase.dll  0x7fefd540000  0x7fefd5abfff  mapped_file  False
crypt32.dll  0x7fefd610000  0x7fefd77bfff  mapped_file  False
imm32.dll  0x7fefd840000  0x7fefd86dfff  mapped_file  False
advapi32.dll  0x7fefd870000  0x7fefd94afff  mapped_file  False
gdi32.dll  0x7fefda70000  0x7fefdad6fff  mapped_file  False
lpk.dll  0x7fefdd90000  0x7fefdd9dfff  mapped_file  False
ws2_32.dll  0x7fefdda0000  0x7fefddecfff  mapped_file  False
nsi.dll  0x7fefddf0000  0x7fefddf7fff  mapped_file  False
sechost.dll  0x7fefe290000  0x7fefe2aefff  mapped_file  False
msctf.dll  0x7fefe610000  0x7fefe718fff  mapped_file  False
usp10.dll  0x7feff6c0000  0x7feff788fff  mapped_file  False
rpcrt4.dll  0x7feff790000  0x7feff8bcfff  mapped_file  False
msvcrt.dll  0x7feff8c0000  0x7feff95efff  mapped_file  False
apisetschema.dll  0x7feff990000  0x7feff990fff  mapped_file  False
private_0x000007fffffaa000  0x7fffffaa000  0x7fffffabfff  private  True
private_0x000007fffffac000  0x7fffffac000  0x7fffffadfff  private  True
private_0x000007fffffae000  0x7fffffae000  0x7fffffaffff  private  True
pagefile_0x000007fffffb0000  0x7fffffb0000  0x7fffffd2fff  pagefile_backed  True
private_0x000007fffffd3000  0x7fffffd3000  0x7fffffd4fff  private  True
private_0x000007fffffd5000  0x7fffffd5000  0x7fffffd6fff  private  True
private_0x000007fffffd7000  0x7fffffd7000  0x7fffffd7fff  private  True
private_0x000007fffffd8000  0x7fffffd8000  0x7fffffd9fff  private  True
private_0x000007fffffda000  0x7fffffda000  0x7fffffdbfff  private  True
private_0x000007fffffdc000  0x7fffffdc000  0x7fffffddfff  private  True
private_0x000007fffffde000  0x7fffffde000  0x7fffffdffff  private  True
OS TIDs
0x3b4, 0x310, 0x224, 0x204, 0x1fc, 0x1f8, 0x1f4, 0x1f0, 0x1ec
ID: #11
OS PID: 0x1d4
OS Parent PID: 0x16c
Image Name: lsm.exe
Page Root: 0x1ea25000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\lsm.exe
Current Directory: C:\Windows\system32\
Name  Start VA  End VA  Type  Monitored
pagefile_0x0000000000010000  0x00010000  0x0001ffff  pagefile_backed  True
private_0x0000000000020000  0x00020000  0x00020fff  private  True
pagefile_0x0000000000030000  0x00030000  0x00033fff  pagefile_backed  True
private_0x0000000000040000  0x00040000  0x000bffff  private  True
pagefile_0x00000000000c0000  0x000c0000  0x000c0fff  pagefile_backed  True
private_0x00000000000d0000  0x000d0000  0x000d0fff  private  True
locale.nls  0x000e0000  0x00146fff  mapped_file  False
pagefile_0x0000000000150000  0x00150000  0x00151fff  pagefile_backed  True
private_0x0000000000160000  0x00160000  0x001dffff  private  True
pagefile_0x00000000001e0000  0x001e0000  0x001e1fff  pagefile_backed  True
lsm.exe.mui  0x001f0000  0x001f1fff  mapped_file  False
private_0x0000000000200000  0x00200000  0x00200fff  private  True
private_0x0000000000210000  0x00210000  0x00210fff  private  True
private_0x0000000000220000  0x00220000  0x0031ffff  private  True
private_0x0000000000320000  0x00320000  0x0041ffff  private  True
pagefile_0x0000000000420000  0x00420000  0x00420fff  pagefile_backed  True
pagefile_0x0000000000430000  0x00430000  0x00430fff  pagefile_backed  True
private_0x0000000000440000  0x00440000  0x004bffff  private  True
private_0x00000000004c0000  0x004c0000  0x004cffff  private  True
private_0x0000000000540000  0x00540000  0x005bffff  private  True
private_0x00000000005f0000  0x005f0000  0x0066ffff  private  True
SortDefault.nls  0x00670000  0x0093efff  mapped_file  False
private_0x00000000009b0000  0x009b0000  0x00a2ffff  private  True
pagefile_0x0000000000a30000  0x00a30000  0x00aeffff  pagefile_backed  True
private_0x0000000000b10000  0x00b10000  0x00b8ffff  private  True
private_0x0000000000c20000  0x00c20000  0x00c9ffff  private  True
private_0x0000000000cf0000  0x00cf0000  0x00d6ffff  private  True
private_0x0000000000db0000  0x00db0000  0x00e2ffff  private  True
private_0x0000000000e70000  0x00e70000  0x00eeffff  private  True
pagefile_0x0000000000ef0000  0x00ef0000  0x01077fff  pagefile_backed  True
pagefile_0x0000000001080000  0x01080000  0x01200fff  pagefile_backed  True
private_0x0000000001230000  0x01230000  0x012affff  private  True
private_0x0000000001310000  0x01310000  0x0138ffff  private  True
user32.dll  0x77450000  0x77549fff  mapped_file  False
kernel32.dll  0x77550000  0x7766efff  mapped_file  False
ntdll.dll  0x77670000  0x77818fff  mapped_file  False
pagefile_0x000000007efe0000  0x7efe0000  0x7f0dffff  pagefile_backed  True
private_0x000000007f0e0000  0x7f0e0000  0x7ffdffff  private  True
private_0x000000007ffe0000  0x7ffe0000  0x7ffeffff  private  True
lsm.exe  0xff790000  0xff7e6fff  mapped_file  False
lsmproxy.dll  0x7fef84f0000  0x7fef8500fff  mapped_file  False
ntmarta.dll  0x7fefc370000  0x7fefc39cfff  mapped_file  False
credssp.dll  0x7fefc880000  0x7fefc889fff  mapped_file  False
pcwum.dll  0x7fefc890000  0x7fefc89cfff  mapped_file  False
rsaenh.dll  0x7fefc980000  0x7fefc9c6fff  mapped_file  False
cryptsp.dll  0x7fefcc80000  0x7fefcc96fff  mapped_file  False
wmsgapi.dll  0x7fefcdd0000  0x7fefcdd7fff  mapped_file  False
sysntfy.dll  0x7fefcde0000  0x7fefcde9fff  mapped_file  False
secur32.dll  0x7fefd220000  0x7fefd22afff  mapped_file  False
sspicli.dll  0x7fefd250000  0x7fefd274fff  mapped_file  False
cryptbase.dll  0x7fefd2e0000  0x7fefd2eefff  mapped_file  False
RpcRtRemote.dll  0x7fefd3d0000  0x7fefd3e3fff  mapped_file  False
KernelBase.dll  0x7fefd540000  0x7fefd5abfff  mapped_file  False
imm32.dll  0x7fefd840000  0x7fefd86dfff  mapped_file  False
advapi32.dll  0x7fefd870000  0x7fefd94afff  mapped_file  False
clbcatq.dll  0x7fefd9d0000  0x7fefda68fff  mapped_file  False
gdi32.dll  0x7fefda70000  0x7fefdad6fff  mapped_file  False
lpk.dll  0x7fefdd90000  0x7fefdd9dfff  mapped_file  False
Wldap32.dll  0x7fefe0c0000  0x7fefe111fff  mapped_file  False
sechost.dll  0x7fefe290000  0x7fefe2aefff  mapped_file  False
oleaut32.dll  0x7fefe2b0000  0x7fefe386fff  mapped_file  False
msctf.dll  0x7fefe610000  0x7fefe718fff  mapped_file  False
ole32.dll  0x7fefe720000  0x7fefe922fff  mapped_file  False
usp10.dll  0x7feff6c0000  0x7feff788fff  mapped_file  False
rpcrt4.dll  0x7feff790000  0x7feff8bcfff  mapped_file  False
msvcrt.dll  0x7feff8c0000  0x7feff95efff  mapped_file  False
apisetschema.dll  0x7feff990000  0x7feff990fff  mapped_file  False
private_0x000007fffffa2000  0x7fffffa2000  0x7fffffa3fff  private  True
private_0x000007fffffa4000  0x7fffffa4000  0x7fffffa5fff  private  True
private_0x000007fffffa6000  0x7fffffa6000  0x7fffffa7fff  private  True
private_0x000007fffffa8000  0x7fffffa8000  0x7fffffa9fff  private  True
private_0x000007fffffaa000  0x7fffffaa000  0x7fffffabfff  private  True
private_0x000007fffffac000  0x7fffffac000  0x7fffffadfff  private  True
private_0x000007fffffae000  0x7fffffae000  0x7fffffaffff  private  True
pagefile_0x000007fffffb0000  0x7fffffb0000  0x7fffffd2fff  pagefile_backed  True
private_0x000007fffffd4000  0x7fffffd4000  0x7fffffd5fff  private  True
private_0x000007fffffd6000  0x7fffffd6000  0x7fffffd6fff  private  True
private_0x000007fffffd8000  0x7fffffd8000  0x7fffffd9fff  private  True
private_0x000007fffffda000  0x7fffffda000  0x7fffffdbfff  private  True
private_0x000007fffffdc000  0x7fffffdc000  0x7fffffddfff  private  True
private_0x000007fffffde000  0x7fffffde000  0x7fffffdffff  private  True
OS TIDs
0x818, 0x340, 0x308, 0x2f8, 0x2f4, 0x2e8, 0x2e4, 0x2e0, 0x2cc, 0x2c4, 0x24c, 0x1d8
ID: #12
OS PID: 0x244
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x19d94000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\svchost.exe -k DcomLaunch
Current Directory: C:\Windows\system32\
Name  Start VA  End VA  Type  Monitored
pagefile_0x0000000000010000  0x00010000  0x0001ffff  pagefile_backed  True
svchost.exe.mui  0x00020000  0x00020fff  mapped_file  False
pagefile_0x0000000000030000  0x00030000  0x00033fff  pagefile_backed  True
pagefile_0x0000000000040000  0x00040000  0x00040fff  pagefile_backed  True
private_0x0000000000050000  0x00050000  0x00050fff  private  True
locale.nls  0x00060000  0x000c6fff  mapped_file  False
private_0x00000000000d0000  0x000d0000  0x0014ffff  private  True
private_0x0000000000150000  0x00150000  0x0024ffff  private  True
private_0x0000000000250000  0x00250000  0x0034ffff  private  True
pagefile_0x0000000000350000  0x00350000  0x0040ffff  pagefile_backed  True
private_0x0000000000410000  0x00410000  0x0048ffff  private  True
private_0x0000000000490000  0x00490000  0x00490fff  private  True
private_0x00000000004a0000  0x004a0000  0x004a0fff  private  True
setupapi.dll.mui  0x004b0000  0x004bcfff  mapped_file  False
pagefile_0x00000000004c0000  0x004c0000  0x004c0fff  pagefile_backed  True
private_0x00000000004d0000  0x004d0000  0x004dffff  private  True
pagefile_0x00000000004e0000  0x004e0000  0x004e0fff  pagefile_backed  True
pagefile_0x00000000004f0000  0x004f0000  0x004f0fff  pagefile_backed  True
pagefile_0x0000000000500000  0x00500000  0x00500fff  pagefile_backed  True
pagefile_0x0000000000510000  0x00510000  0x00510fff  pagefile_backed  True
private_0x00000000005b0000  0x005b0000  0x0062ffff  private  True
private_0x0000000000650000  0x00650000  0x006cffff  private  True
SortDefault.nls  0x00700000  0x009cefff  mapped_file  False
pagefile_0x00000000009d0000  0x009d0000  0x00b57fff  pagefile_backed  True
pagefile_0x0000000000b60000  0x00b60000  0x00ce0fff  pagefile_backed  True
private_0x0000000000d60000  0x00d60000  0x00ddffff  private  True
private_0x0000000000e00000  0x00e00000  0x00e0ffff  private  True
private_0x0000000000e60000  0x00e60000  0x00edffff  private  True
private_0x0000000000f90000  0x00f90000  0x0100ffff  private  True
private_0x00000000010b0000  0x010b0000  0x011affff  private  True
private_0x00000000011b0000  0x011b0000  0x0122ffff  private  True
private_0x0000000001250000  0x01250000  0x012cffff  private  True
private_0x00000000012e0000  0x012e0000  0x0135ffff  private  True
private_0x0000000001370000  0x01370000  0x013effff  private  True
private_0x00000000013f0000  0x013f0000  0x0146ffff  private  True
private_0x0000000001470000  0x01470000  0x014effff  private  True
private_0x00000000014f0000  0x014f0000  0x0156ffff  private  True
private_0x00000000015a0000  0x015a0000  0x0161ffff  private  True
private_0x0000000001710000  0x01710000  0x0178ffff  private  True
private_0x0000000001790000  0x01790000  0x0188ffff  private  True
private_0x0000000001960000  0x01960000  0x019dffff  private  True
private_0x0000000001a20000  0x01a20000  0x01a9ffff  private  True
private_0x0000000001aa0000  0x01aa0000  0x01b9ffff  private  True
user32.dll  0x77450000  0x77549fff  mapped_file  False
kernel32.dll  0x77550000  0x7766efff  mapped_file  False
ntdll.dll  0x77670000  0x77818fff  mapped_file  False
pagefile_0x000000007efe0000  0x7efe0000  0x7f0dffff  pagefile_backed  True
private_0x000000007f0e0000  0x7f0e0000  0x7ffdffff  private  True
private_0x000000007ffe0000  0x7ffe0000  0x7ffeffff  private  True
svchost.exe  0xff920000  0xff92afff  mapped_file  False
wmiutils.dll  0x7fef8de0000  0x7fef8e05fff  mapped_file  False
wbemsvc.dll  0x7fef8e80000  0x7fef8e93fff  mapped_file  False
wbemprox.dll  0x7fef90f0000  0x7fef90fefff  mapped_file  False
ntdsapi.dll  0x7fef9100000  0x7fef9126fff  mapped_file  False
fastprox.dll  0x7fef9130000  0x7fef9211fff  mapped_file  False
WmiDcPrv.dll  0x7fef9220000  0x7fef9251fff  mapped_file  False
wbemcomn.dll  0x7fef9490000  0x7fef9515fff  mapped_file  False
wtsapi32.dll  0x7fefb6c0000  0x7fefb6d0fff  mapped_file  False
ntmarta.dll  0x7fefc370000  0x7fefc39cfff  mapped_file  False
rpcss.dll  0x7fefc670000  0x7fefc6f0fff  mapped_file  False
umpo.dll  0x7fefc700000  0x7fefc72bfff  mapped_file  False
gpapi.dll  0x7fefc730000  0x7fefc74afff  mapped_file  False
devrtl.dll  0x7fefc750000  0x7fefc761fff  mapped_file  False
SPInf.dll  0x7fefc770000  0x7fefc78efff  mapped_file  False
umpnpmgr.dll  0x7fefc790000  0x7fefc7f6fff  mapped_file  False
credssp.dll  0x7fefc880000  0x7fefc889fff  mapped_file  False
pcwum.dll  0x7fefc890000  0x7fefc89cfff  mapped_file  False
rsaenh.dll  0x7fefc980000  0x7fefc9c6fff  mapped_file  False
cryptsp.dll  0x7fefcc80000  0x7fefcc96fff  mapped_file  False
sspicli.dll  0x7fefd250000  0x7fefd274fff  mapped_file  False
apphelp.dll  0x7fefd280000  0x7fefd2d6fff  mapped_file  False
cryptbase.dll  0x7fefd2e0000  0x7fefd2eefff  mapped_file  False
winsta.dll  0x7fefd390000  0x7fefd3ccfff  mapped_file  False
RpcRtRemote.dll  0x7fefd3d0000  0x7fefd3e3fff  mapped_file  False
msasn1.dll  0x7fefd480000  0x7fefd48efff  mapped_file  False
profapi.dll  0x7fefd490000  0x7fefd49efff  mapped_file  False
cfgmgr32.dll  0x7fefd4a0000  0x7fefd4d5fff  mapped_file  False
userenv.dll  0x7fefd4e0000  0x7fefd4fdfff  mapped_file  False
devobj.dll  0x7fefd520000  0x7fefd539fff  mapped_file  False
KernelBase.dll  0x7fefd540000  0x7fefd5abfff  mapped_file  False
wintrust.dll  0x7fefd5b0000  0x7fefd5e9fff  mapped_file  False
crypt32.dll  0x7fefd610000  0x7fefd77bfff  mapped_file  False
imm32.dll  0x7fefd840000  0x7fefd86dfff  mapped_file  False
advapi32.dll  0x7fefd870000  0x7fefd94afff  mapped_file  False
clbcatq.dll  0x7fefd9d0000  0x7fefda68fff  mapped_file  False
gdi32.dll  0x7fefda70000  0x7fefdad6fff  mapped_file  False
lpk.dll  0x7fefdd90000  0x7fefdd9dfff  mapped_file  False
ws2_32.dll  0x7fefdda0000  0x7fefddecfff  mapped_file  False
nsi.dll  0x7fefddf0000  0x7fefddf7fff  mapped_file  False
Wldap32.dll  0x7fefe0c0000  0x7fefe111fff  mapped_file  False
sechost.dll  0x7fefe290000  0x7fefe2aefff  mapped_file  False
oleaut32.dll  0x7fefe2b0000  0x7fefe386fff  mapped_file  False
setupapi.dll  0x7fefe430000  0x7fefe606fff  mapped_file  False
msctf.dll  0x7fefe610000  0x7fefe718fff  mapped_file  False
ole32.dll  0x7fefe720000  0x7fefe922fff  mapped_file  False
usp10.dll  0x7feff6c0000  0x7feff788fff  mapped_file  False
rpcrt4.dll  0x7feff790000  0x7feff8bcfff  mapped_file  False
msvcrt.dll  0x7feff8c0000  0x7feff95efff  mapped_file  False
apisetschema.dll  0x7feff990000  0x7feff990fff  mapped_file  False
private_0x000007fffff98000  0x7fffff98000  0x7fffff99fff  private  True
private_0x000007fffff9a000  0x7fffff9a000  0x7fffff9bfff  private  True
private_0x000007fffff9c000  0x7fffff9c000  0x7fffff9dfff  private  True
private_0x000007fffff9e000  0x7fffff9e000  0x7fffff9ffff  private  True
private_0x000007fffffa0000  0x7fffffa0000  0x7fffffa1fff  private  True
private_0x000007fffffa2000  0x7fffffa2000  0x7fffffa3fff  private  True
private_0x000007fffffa4000  0x7fffffa4000  0x7fffffa5fff  private  True
private_0x000007fffffa6000  0x7fffffa6000  0x7fffffa7fff  private  True
private_0x000007fffffa8000  0x7fffffa8000  0x7fffffa9fff  private  True
private_0x000007fffffaa000  0x7fffffaa000  0x7fffffabfff  private  True
private_0x000007fffffae000  0x7fffffae000  0x7fffffaffff  private  True
pagefile_0x000007fffffb0000  0x7fffffb0000  0x7fffffd2fff  pagefile_backed  True
private_0x000007fffffd4000  0x7fffffd4000  0x7fffffd5fff  private  True
private_0x000007fffffd6000  0x7fffffd6000  0x7fffffd7fff  private  True
private_0x000007fffffd8000  0x7fffffd8000  0x7fffffd9fff  private  True
private_0x000007fffffda000  0x7fffffda000  0x7fffffdbfff  private  True
private_0x000007fffffdc000  0x7fffffdc000  0x7fffffdcfff  private  True
private_0x000007fffffde000  0x7fffffde000  0x7fffffdffff  private  True
OS TIDs
0x278, 0x274, 0x270, 0x26c, 0x268, 0x25c, 0x254, 0x250, 0x248, 0x5e4, 0x5cc, 0x5c8, 0x30c, 0x29c, 0x294, 0x290
ID: #13
OS PID: 0x288
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x1968c000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\svchost.exe -k RPCSS
Current Directory: C:\Windows\system32\
Name  Start VA  End VA  Type  Monitored
pagefile_0x0000000000010000  0x00010000  0x0001ffff  pagefile_backed  True
svchost.exe.mui  0x00020000  0x00020fff  mapped_file  False
pagefile_0x0000000000030000  0x00030000  0x00033fff  pagefile_backed  True
pagefile_0x0000000000040000  0x00040000  0x00040fff  pagefile_backed  True
private_0x0000000000050000  0x00050000  0x000cffff  private  True
private_0x00000000000d0000  0x000d0000  0x000d0fff  private  True
locale.nls  0x000e0000  0x00146fff  mapped_file  False
private_0x0000000000150000  0x00150000  0x00150fff  private  True
private_0x0000000000160000  0x00160000  0x00160fff  private  True
wshtcpip.dll.mui  0x00170000  0x00170fff  mapped_file  False
wship6.dll.mui  0x00180000  0x00180fff  mapped_file  False
pagefile_0x0000000000190000  0x00190000  0x00190fff  pagefile_backed  True
pagefile_0x00000000001a0000  0x001a0000  0x001a0fff  pagefile_backed  True
private_0x00000000001c0000  0x001c0000  0x002bffff  private  True
private_0x00000000002c0000  0x002c0000  0x0033ffff  private  True
private_0x0000000000370000  0x00370000  0x0037ffff  private  True
private_0x0000000000380000  0x00380000  0x0047ffff  private  True
private_0x00000000004c0000  0x004c0000  0x0053ffff  private  True
private_0x0000000000580000  0x00580000  0x005fffff  private  True
private_0x0000000000640000  0x00640000  0x006bffff  private  True
pagefile_0x00000000006c0000  0x006c0000  0x0077ffff  pagefile_backed  True
SortDefault.nls  0x007b0000  0x00a7efff  mapped_file  False
private_0x0000000000a90000  0x00a90000  0x00b0ffff  private  True
private_0x0000000000b20000  0x00b20000  0x00b9ffff  private  True
pagefile_0x0000000000ba0000  0x00ba0000  0x00d27fff  pagefile_backed  True
pagefile_0x0000000000d30000  0x00d30000  0x00eb0fff  pagefile_backed  True
private_0x0000000000ed0000  0x00ed0000  0x00f4ffff  private  True
private_0x0000000000f80000  0x00f80000  0x00ffffff  private  True
private_0x0000000001040000  0x01040000  0x010bffff  private  True
private_0x00000000010c0000  0x010c0000  0x011bffff  private  True
private_0x0000000001360000  0x01360000  0x013dffff  private  True
private_0x0000000001430000  0x01430000  0x014affff  private  True
user32.dll  0x77450000  0x77549fff  mapped_file  False
kernel32.dll  0x77550000  0x7766efff  mapped_file  False
ntdll.dll  0x77670000  0x77818fff  mapped_file  False
pagefile_0x000000007efe0000  0x7efe0000  0x7f0dffff  pagefile_backed  True
private_0x000000007f0e0000  0x7f0e0000  0x7ffdffff  private  True
private_0x000000007ffe0000  0x7ffe0000  0x7ffeffff  private  True
svchost.exe  0xff920000  0xff92afff  mapped_file  False
FWPUCLNT.DLL  0x7fefaa60000  0x7fefaab2fff  mapped_file  False
wtsapi32.dll  0x7fefb6c0000  0x7fefb6d0fff  mapped_file  False
version.dll  0x7fefc570000  0x7fefc57bfff  mapped_file  False
FirewallAPI.dll  0x7fefc580000  0x7fefc63afff  mapped_file  False
WSHTCPIP.DLL  0x7fefc640000  0x7fefc646fff  mapped_file  False
RpcEpMap.dll  0x7fefc650000  0x7fefc663fff  mapped_file  False
rpcss.dll  0x7fefc670000  0x7fefc6f0fff  mapped_file  False
credssp.dll  0x7fefc880000  0x7fefc889fff  mapped_file  False
rsaenh.dll  0x7fefc980000  0x7fefc9c6fff  mapped_file  False
wship6.dll  0x7fefcc10000  0x7fefcc16fff  mapped_file  False
mswsock.dll  0x7fefcc20000  0x7fefcc74fff  mapped_file  False
cryptsp.dll  0x7fefcc80000  0x7fefcc96fff  mapped_file  False
secur32.dll  0x7fefd220000  0x7fefd22afff  mapped_file  False
sspicli.dll  0x7fefd250000  0x7fefd274fff  mapped_file  False
cryptbase.dll  0x7fefd2e0000  0x7fefd2eefff  mapped_file  False
winsta.dll  0x7fefd390000  0x7fefd3ccfff  mapped_file  False
RpcRtRemote.dll  0x7fefd3d0000  0x7fefd3e3fff  mapped_file  False
KernelBase.dll  0x7fefd540000  0x7fefd5abfff  mapped_file  False
imm32.dll  0x7fefd840000  0x7fefd86dfff  mapped_file  False
advapi32.dll  0x7fefd870000  0x7fefd94afff  mapped_file  False
clbcatq.dll  0x7fefd9d0000  0x7fefda68fff  mapped_file  False
gdi32.dll  0x7fefda70000  0x7fefdad6fff  mapped_file  False
lpk.dll  0x7fefdd90000  0x7fefdd9dfff  mapped_file  False
ws2_32.dll  0x7fefdda0000  0x7fefddecfff  mapped_file  False
nsi.dll  0x7fefddf0000  0x7fefddf7fff  mapped_file  False
sechost.dll  0x7fefe290000  0x7fefe2aefff  mapped_file  False
oleaut32.dll  0x7fefe2b0000  0x7fefe386fff  mapped_file  False
msctf.dll  0x7fefe610000  0x7fefe718fff  mapped_file  False
ole32.dll  0x7fefe720000  0x7fefe922fff  mapped_file  False
usp10.dll  0x7feff6c0000  0x7feff788fff  mapped_file  False
rpcrt4.dll  0x7feff790000  0x7feff8bcfff  mapped_file  False
msvcrt.dll  0x7feff8c0000  0x7feff95efff  mapped_file  False
apisetschema.dll  0x7feff990000  0x7feff990fff  mapped_file  False
private_0x000007fffffa4000  0x7fffffa4000  0x7fffffa5fff  private  True
private_0x000007fffffa6000  0x7fffffa6000  0x7fffffa7fff  private  True
private_0x000007fffffa8000  0x7fffffa8000  0x7fffffa9fff  private  True
private_0x000007fffffaa000  0x7fffffaa000  0x7fffffabfff  private  True
private_0x000007fffffac000  0x7fffffac000  0x7fffffadfff  private  True
private_0x000007fffffae000  0x7fffffae000  0x7fffffaffff  private  True
pagefile_0x000007fffffb0000  0x7fffffb0000  0x7fffffd2fff  pagefile_backed  True
private_0x000007fffffd4000  0x7fffffd4000  0x7fffffd5fff  private  True
private_0x000007fffffd6000  0x7fffffd6000  0x7fffffd7fff  private  True
private_0x000007fffffd8000  0x7fffffd8000  0x7fffffd9fff  private  True
private_0x000007fffffda000  0x7fffffda000  0x7fffffdbfff  private  True
private_0x000007fffffdc000  0x7fffffdc000  0x7fffffddfff  private  True
private_0x000007fffffde000  0x7fffffde000  0x7fffffdefff  private  True
OS TIDs
0x6ac, 0x644, 0x408, 0x34c, 0x2b4, 0x2b0, 0x2ac, 0x2a8, 0x2a0, 0x298, 0x28c
ID: #14
OS PID: 0x2b8
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x19457000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Current Directory: C:\Windows\system32\
Name  Start VA  End VA  Type  Monitored
OS TIDs
0x2f0, 0x2ec, 0x2d8, 0x2d0, 0x2c8, 0x2bc, 0x9c4, 0x89c, 0x6bc, 0x544, 0x53c, 0x538, 0x258, 0x128, 0x20c, 0x118, 0x3d4, 0x3d0
ID: #15
OS PID: 0x314
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x1d2e2000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Current Directory: C:\Windows\system32\
Name  Start VA  End VA  Type  Monitored
pagefile_0x0000000000010000  0x00010000  0x0001ffff  pagefile_backed  True
svchost.exe.mui  0x00020000  0x00020fff  mapped_file  False
pagefile_0x0000000000030000  0x00030000  0x00033fff  pagefile_backed  True
private_0x0000000000040000  0x00040000  0x000bffff  private  True
pagefile_0x00000000000c0000  0x000c0000  0x000c0fff  pagefile_backed  True
private_0x00000000000d0000  0x000d0000  0x000d0fff  private  True
locale.nls  0x000e0000  0x00146fff  mapped_file  False
private_0x0000000000150000  0x00150000  0x00150fff  private  True
private_0x0000000000160000  0x00160000  0x00160fff  private  True
setupapi.dll.mui  0x00170000  0x0017cfff  mapped_file  False
pagefile_0x0000000000180000  0x00180000  0x00180fff  pagefile_backed  True
pagefile_0x0000000000190000  0x00190000  0x00190fff  pagefile_backed  True
private_0x00000000001a0000  0x001a0000  0x001a0fff  private  True
private_0x00000000001b0000  0x001b0000  0x001b0fff  private  True
pagefile_0x00000000001c0000  0x001c0000  0x001c1fff  pagefile_backed  True
pagefile_0x00000000001d0000  0x001d0000  0x001d1fff  pagefile_backed  True
private_0x00000000001e0000  0x001e0000  0x001effff  private  True
pagefile_0x00000000001f0000  0x001f0000  0x001f1fff  pagefile_backed  True
private_0x0000000000200000  0x00200000  0x002fffff  private  True
private_0x0000000000300000  0x00300000  0x003fffff  private  True
pagefile_0x0000000000400000  0x00400000  0x00587fff  pagefile_backed  True
pagefile_0x0000000000590000  0x00590000  0x00710fff  pagefile_backed  True
pagefile_0x0000000000720000  0x00720000  0x007dffff  pagefile_backed  True
umrdp.dll.mui  0x007e0000  0x007e2fff  mapped_file  False
private_0x00000000007f0000  0x007f0000  0x0086ffff  private  True
sysmain.dll.mui  0x00870000  0x00874fff  mapped_file  False
pagefile_0x0000000000880000  0x00880000  0x00880fff  pagefile_backed  True
rasdlg.dll.mui  0x00890000  0x008affff  mapped_file  False
private_0x00000000008b0000  0x008b0000  0x0092ffff  private  True
pagefile_0x0000000000930000  0x00930000  0x00930fff  pagefile_backed  True
private_0x0000000000940000  0x00940000  0x009bffff  private  True
private_0x00000000009e0000  0x009e0000  0x00a5ffff  private  True
private_0x0000000000a60000  0x00a60000  0x00adffff  private  True
private_0x0000000000b00000  0x00b00000  0x00b0ffff  private  True
private_0x0000000000b50000  0x00b50000  0x00b5ffff  private  True
SortDefault.nls  0x00bc0000  0x00e8efff  mapped_file  False
private_0x0000000000ec0000  0x00ec0000  0x00f3ffff  private  True
private_0x0000000000f80000  0x00f80000  0x00ffffff  private  True
private_0x0000000001010000  0x01010000  0x0108ffff  private  True
private_0x00000000010c0000  0x010c0000  0x0113ffff  private  True
private_0x0000000001150000  0x01150000  0x011cffff  private  True
private_0x00000000011f0000  0x011f0000  0x0126ffff  private  True
private_0x0000000001270000  0x01270000  0x012effff  private  True
private_0x0000000001320000  0x01320000  0x0139ffff  private  True
private_0x0000000001410000  0x01410000  0x0141ffff  private  True
private_0x0000000001420000  0x01420000  0x0149ffff  private  True
private_0x00000000014d0000  0x014d0000  0x0154ffff  private  True
private_0x0000000001590000  0x01590000  0x0159ffff  private  True
private_0x00000000015a0000  0x015a0000  0x0169ffff  private  True
private_0x00000000016b0000  0x016b0000  0x0172ffff  private  True
private_0x00000000017a0000  0x017a0000  0x017affff  private  True
private_0x0000000001800000  0x01800000  0x018fffff  private  True
private_0x0000000001930000  0x01930000  0x019affff  private  True
private_0x00000000019c0000  0x019c0000  0x019cffff  private  True
private_0x0000000001a00000  0x01a00000  0x01a7ffff  private  True
private_0x0000000001a80000  0x01a80000  0x01afffff  private  True
private_0x0000000001bd0000  0x01bd0000  0x01bdffff  private  True
private_0x0000000001be0000  0x01be0000  0x01beffff  private  True
private_0x0000000001c10000  0x01c10000  0x01c8ffff  private  True
private_0x0000000001c90000  0x01c90000  0x01d8ffff  private  True
private_0x0000000001d90000  0x01d90000  0x01e8ffff  private  True
private_0x0000000001ed0000  0x01ed0000  0x01edffff  private  True
private_0x0000000001fd0000  0x01fd0000  0x01fdffff  private  True
private_0x0000000001fe0000  0x01fe0000  0x020dffff  private  True
private_0x00000000020e0000  0x020e0000  0x021dffff  private  True
private_0x00000000021e0000  0x021e0000  0x0225ffff  private  True
private_0x0000000002310000  0x02310000  0x0240ffff  private  True
private_0x0000000002410000  0x02410000  0x0250ffff  private  True
private_0x0000000002510000  0x02510000  0x0270ffff  private  True
private_0x0000000002710000  0x02710000  0x02f0ffff  private  True
private_0x0000000002f40000  0x02f40000  0x02fbffff  private  True
private_0x0000000002fc0000  0x02fc0000  0x03177fff  private  True
private_0x00000000038a0000  0x038a0000  0x03c9ffff  private  True
private_0x0000000003ca0000  0x03ca0000  0x0449ffff  private  True
private_0x00000000044a0000  0x044a0000  0x0546ffff  private  True
sfc.dll  0x73ec0000  0x73ec2fff  mapped_file  False
user32.dll  0x77450000  0x77549fff  mapped_file  False
kernel32.dll  0x77550000  0x7766efff  mapped_file  False
ntdll.dll  0x77670000  0x77818fff  mapped_file  False
pagefile_0x000000007efe0000  0x7efe0000  0x7f0dffff  pagefile_backed  True
private_0x000000007f0e0000  0x7f0e0000  0x7ffdffff  private  True
private_0x000000007ffe0000  0x7ffe0000  0x7ffeffff  private  True
svchost.exe  0xff920000  0xff92afff  mapped_file  False
rasapi32.dll  0x7fef47b0000  0x7fef4811fff  mapped_file  False
mprapi.dll  0x7fef4820000  0x7fef4859fff  mapped_file  False
rasdlg.dll  0x7fef4860000  0x7fef4937fff  mapped_file  False
netman.dll  0x7fef4940000  0x7fef499bfff  mapped_file  False
netshell.dll  0x7fef4b60000  0x7fef4deafff  mapped_file  False
winspool.drv  0x7fef7d00000  0x7fef7d70fff  mapped_file  False
umrdp.dll  0x7fef7d80000  0x7fef7db8fff  mapped_file  False
Apphlpdm.dll  0x7fef84a0000  0x7fef84abfff  mapped_file  False
wer.dll  0x7fef87c0000  0x7fef883bfff  mapped_file  False
wdi.dll  0x7fef8930000  0x7fef8948fff  mapped_file  False
hnetcfg.dll  0x7fef8e10000  0x7fef8e7afff  mapped_file  False
wbemsvc.dll  0x7fef8e80000  0x7fef8e93fff  mapped_file  False
netcfgx.dll  0x7fef9060000  0x7fef90e3fff  mapped_file  False
wbemprox.dll  0x7fef90f0000  0x7fef90fefff  mapped_file  False
ntdsapi.dll  0x7fef9100000  0x7fef9126fff  mapped_file  False
fastprox.dll  0x7fef9130000  0x7fef9211fff  mapped_file  False
wbemcomn.dll  0x7fef9490000  0x7fef9515fff  mapped_file  False
trkwks.dll  0x7fef9560000  0x7fef9581fff  mapped_file  False
sysmain.dll  0x7fef9590000  0x7fef973dfff  mapped_file  False
sfc_os.dll  0x7fef9740000  0x7fef974ffff  mapped_file  False
aepic.dll  0x7fef9750000  0x7fef9761fff  mapped_file  False
pcasvc.dll  0x7fef9770000  0x7fef97a1fff  mapped_file  False
rasman.dll  0x7fefa4a0000  0x7fefa4bbfff  mapped_file  False
winnsi.dll  0x7fefabc0000  0x7fefabcafff  mapped_file  False
IPHLPAPI.DLL  0x7fefabd0000  0x7fefabf6fff  mapped_file  False
uxsms.dll  0x7fefac10000  0x7fefac1ffff  mapped_file  False
atl.dll  0x7fefacc0000  0x7fefacd8fff  mapped_file  False
slc.dll  0x7fefad20000  0x7fefad2afff  mapped_file  False
dsrole.dll  0x7fefad30000  0x7fefad3bfff  mapped_file  False
nlaapi.dll  0x7fefad40000  0x7fefad54fff  mapped_file  False
mstask.dll  0x7fefae30000  0x7fefae6cfff  mapped_file  False
taskschd.dll  0x7fefae70000  0x7fefaf96fff  mapped_file  False
PeerDist.dll  0x7fefafa0000  0x7fefafcffff  mapped_file  False
cscsvc.dll  0x7fefafd0000  0x7fefb07bfff  mapped_file  False
avrt.dll  0x7fefb1d0000  0x7fefb1d8fff  mapped_file  False
powrprof.dll  0x7fefb1e0000  0x7fefb20bfff  mapped_file  False
audiosrv.dll  0x7fefb210000  0x7fefb2bbfff  mapped_file  False
rtutils.dll  0x7fefb3f0000  0x7fefb400fff  mapped_file  False
wtsapi32.dll  0x7fefb6c0000  0x7fefb6d0fff  mapped_file  False
xmllite.dll  0x7fefb860000  0x7fefb894fff  mapped_file  False
MMDevAPI.dll  0x7fefb8c0000  0x7fefb90afff  mapped_file  False
cscobj.dll  0x7fefba70000  0x7fefbaaefff  mapped_file  False
propsys.dll  0x7fefbd30000  0x7fefbe5bfff  mapped_file  False
comctl32.dll  0x7fefbe80000  0x7fefc073fff  mapped_file  False
ntmarta.dll  0x7fefc370000  0x7fefc39cfff  mapped_file  False
version.dll  0x7fefc570000  0x7fefc57bfff  mapped_file  False
gpapi.dll  0x7fefc730000  0x7fefc74afff  mapped_file  False
devrtl.dll  0x7fefc750000  0x7fefc761fff  mapped_file  False
credssp.dll  0x7fefc880000  0x7fefc889fff  mapped_file  False
pcwum.dll  0x7fefc890000  0x7fefc89cfff  mapped_file  False
rsaenh.dll  0x7fefc980000  0x7fefc9c6fff  mapped_file  False
cryptsp.dll  0x7fefcc80000  0x7fefcc96fff  mapped_file  False
authz.dll  0x7fefce70000  0x7fefce9efff  mapped_file  False
wevtapi.dll  0x7fefceb0000  0x7fefcf1cfff  mapped_file  False
secur32.dll  0x7fefd220000  0x7fefd22afff  mapped_file  False
sspicli.dll  0x7fefd250000  0x7fefd274fff  mapped_file  False
apphelp.dll  0x7fefd280000  0x7fefd2d6fff  mapped_file  False
cryptbase.dll0x7fefd2e00000x7fefd2eefffmapped_fileFalse
winsta.dll0x7fefd3900000x7fefd3ccfffmapped_fileFalse
RpcRtRemote.dll0x7fefd3d00000x7fefd3e3fffmapped_fileFalse
msasn1.dll0x7fefd4800000x7fefd48efffmapped_fileFalse
profapi.dll0x7fefd4900000x7fefd49efffmapped_fileFalse
cfgmgr32.dll0x7fefd4a00000x7fefd4d5fffmapped_fileFalse
userenv.dll0x7fefd4e00000x7fefd4fdfffmapped_fileFalse
devobj.dll0x7fefd5200000x7fefd539fffmapped_fileFalse
KernelBase.dll0x7fefd5400000x7fefd5abfffmapped_fileFalse
wintrust.dll0x7fefd5b00000x7fefd5e9fffmapped_fileFalse
crypt32.dll0x7fefd6100000x7fefd77bfffmapped_fileFalse
imm32.dll0x7fefd8400000x7fefd86dfffmapped_fileFalse
advapi32.dll0x7fefd8700000x7fefd94afffmapped_fileFalse
clbcatq.dll0x7fefd9d00000x7fefda68fffmapped_fileFalse
gdi32.dll0x7fefda700000x7fefdad6fffmapped_fileFalse
lpk.dll0x7fefdd900000x7fefdd9dfffmapped_fileFalse
ws2_32.dll0x7fefdda00000x7fefddecfffmapped_fileFalse
nsi.dll0x7fefddf00000x7fefddf7fffmapped_fileFalse
shlwapi.dll0x7fefe0400000x7fefe0b0fffmapped_fileFalse
Wldap32.dll0x7fefe0c00000x7fefe111fffmapped_fileFalse
sechost.dll0x7fefe2900000x7fefe2aefffmapped_fileFalse
oleaut32.dll0x7fefe2b00000x7fefe386fffmapped_fileFalse
setupapi.dll0x7fefe4300000x7fefe606fffmapped_fileFalse
msctf.dll0x7fefe6100000x7fefe718fffmapped_fileFalse
ole32.dll0x7fefe7200000x7fefe922fffmapped_fileFalse
shell32.dll0x7fefe9300000x7feff6b7fffmapped_fileFalse
usp10.dll0x7feff6c00000x7feff788fffmapped_fileFalse
rpcrt4.dll0x7feff7900000x7feff8bcfffmapped_fileFalse
msvcrt.dll0x7feff8c00000x7feff95efffmapped_fileFalse
apisetschema.dll0x7feff9900000x7feff990fffmapped_fileFalse
private_0x000007fffff920000x7fffff920000x7fffff93fffprivateTrue
private_0x000007fffff940000x7fffff940000x7fffff95fffprivateTrue
private_0x000007fffff960000x7fffff960000x7fffff97fffprivateTrue
private_0x000007fffff980000x7fffff980000x7fffff99fffprivateTrue
private_0x000007fffff9a0000x7fffff9a0000x7fffff9bfffprivateTrue
private_0x000007fffff9c0000x7fffff9c0000x7fffff9dfffprivateTrue
private_0x000007fffff9e0000x7fffff9e0000x7fffff9ffffprivateTrue
private_0x000007fffffa00000x7fffffa00000x7fffffa1fffprivateTrue
private_0x000007fffffa20000x7fffffa20000x7fffffa3fffprivateTrue
private_0x000007fffffa40000x7fffffa40000x7fffffa5fffprivateTrue
private_0x000007fffffa60000x7fffffa60000x7fffffa7fffprivateTrue
private_0x000007fffffa80000x7fffffa80000x7fffffa9fffprivateTrue
private_0x000007fffffaa0000x7fffffaa0000x7fffffabfffprivateTrue
private_0x000007fffffac0000x7fffffac0000x7fffffadfffprivateTrue
private_0x000007fffffae0000x7fffffae0000x7fffffaffffprivateTrue
pagefile_0x000007fffffb00000x7fffffb00000x7fffffd2fffpagefile_backedTrue
private_0x000007fffffd30000x7fffffd30000x7fffffd4fffprivateTrue
private_0x000007fffffd50000x7fffffd50000x7fffffd6fffprivateTrue
private_0x000007fffffd70000x7fffffd70000x7fffffd8fffprivateTrue
private_0x000007fffffd90000x7fffffd90000x7fffffdafffprivateTrue
private_0x000007fffffdb0000x7fffffdb0000x7fffffdcfffprivateTrue
private_0x000007fffffdd0000x7fffffdd0000x7fffffddfffprivateTrue
private_0x000007fffffde0000x7fffffde0000x7fffffdffffprivateTrue
OS TIDs
0xa2c, 0x9a8, 0x8e8, 0x6ec, 0x5b4, 0x5a4, 0x59c, 0x168, 0x114, 0x110, 0xbc, 0x64, 0x3f8, 0x3f4, 0x3e4, 0x3d8, 0x37c, 0x364, 0x360, 0x334, 0x318, 0xbcc, 0xbd0
ID #16
OS PID 0x36c
OS Parent PID 0x1c4
Image Name svchost.exe
Page Root 0x1b0e9000
Monitor Reason child_process
Unmonitor Reason (still running)
CMD Line C:\Windows\system32\svchost.exe -k LocalService
Current Directory C:\Windows\system32\
Name Start VA End VA Type Monitored
pagefile_0x0000000000010000 0x00010000 0x0001ffff pagefile_backed True
svchost.exe.mui 0x00020000 0x00020fff mapped_file False
pagefile_0x0000000000030000 0x00030000 0x00033fff pagefile_backed True
pagefile_0x0000000000040000 0x00040000 0x00040fff pagefile_backed True
private_0x0000000000050000 0x00050000 0x00050fff private True
locale.nls 0x00060000 0x000c6fff mapped_file False
pagefile_0x00000000000d0000 0x000d0000 0x0018ffff pagefile_backed True
private_0x0000000000190000 0x00190000 0x00190fff private True
private_0x00000000001a0000 0x001a0000 0x001a0fff private True
private_0x00000000001b0000 0x001b0000 0x0022ffff private True
private_0x0000000000230000 0x00230000 0x0032ffff private True
~FontCache-System.dat 0x00330000 0x0037efff mapped_file False
pagefile_0x0000000000380000 0x00380000 0x00380fff pagefile_backed True
es.dll 0x00390000 0x003a0fff mapped_file False
stdole2.tlb 0x003b0000 0x003b3fff mapped_file False
netprofm.dll.mui 0x003c0000 0x003c1fff mapped_file False
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff pagefile_backed True
private_0x00000000003e0000 0x003e0000 0x003effff private True
private_0x0000000000400000 0x00400000 0x004fffff private True
pagefile_0x0000000000500000 0x00500000 0x00687fff pagefile_backed True
pagefile_0x0000000000690000 0x00690000 0x00810fff pagefile_backed True
private_0x0000000000820000 0x00820000 0x0091ffff private True
private_0x0000000000930000 0x00930000 0x009affff private True
private_0x00000000009d0000 0x009d0000 0x00a4ffff private True
private_0x0000000000a80000 0x00a80000 0x00a8ffff private True
private_0x0000000000ac0000 0x00ac0000 0x00b3ffff private True
private_0x0000000000b50000 0x00b50000 0x00bcffff private True
SortDefault.nls 0x00c00000 0x00ecefff mapped_file False
private_0x0000000000f20000 0x00f20000 0x00f9ffff private True
private_0x0000000001010000 0x01010000 0x0108ffff private True
~FontCache-FontFace.dat 0x01090000 0x0208ffff mapped_file False
private_0x00000000020e0000 0x020e0000 0x0215ffff private True
private_0x0000000002160000 0x02160000 0x021dffff private True
private_0x0000000002270000 0x02270000 0x022effff private True
private_0x00000000022f0000 0x022f0000 0x023effff private True
private_0x0000000002490000 0x02490000 0x0250ffff private True
private_0x0000000002530000 0x02530000 0x0253ffff private True
private_0x0000000002560000 0x02560000 0x025dffff private True
private_0x0000000002610000 0x02610000 0x0268ffff private True
private_0x0000000002690000 0x02690000 0x0270ffff private True
private_0x0000000002790000 0x02790000 0x0280ffff private True
private_0x00000000028c0000 0x028c0000 0x0293ffff private True
private_0x0000000002940000 0x02940000 0x029bffff private True
private_0x00000000029c0000 0x029c0000 0x02a3ffff private True
private_0x0000000002a80000 0x02a80000 0x02a8ffff private True
private_0x0000000002a90000 0x02a90000 0x02b0ffff private True
private_0x0000000002bc0000 0x02bc0000 0x02c3ffff private True
private_0x0000000002c40000 0x02c40000 0x02d3ffff private True
KernelBase.dll.mui 0x02d40000 0x02dfffff mapped_file False
private_0x0000000002fa0000 0x02fa0000 0x0301ffff private True
private_0x0000000003020000 0x03020000 0x0321ffff private True
sfc.dll 0x73ec0000 0x73ec2fff mapped_file False
user32.dll 0x77450000 0x77549fff mapped_file False
kernel32.dll 0x77550000 0x7766efff mapped_file False
ntdll.dll 0x77670000 0x77818fff mapped_file False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff pagefile_backed True
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff private True
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff private True
svchost.exe 0xff920000 0xff92afff mapped_file False
winrnr.dll 0x7fef7c60000 0x7fef7c6afff mapped_file False
pnrpnsp.dll 0x7fef7c70000 0x7fef7c88fff mapped_file False
NapiNSP.dll 0x7fef7c90000 0x7fef7ca4fff mapped_file False
wer.dll 0x7fef87c0000 0x7fef883bfff mapped_file False
perftrack.dll 0x7fef8840000 0x7fef8917fff mapped_file False
npmproxy.dll 0x7fef8920000 0x7fef892bfff mapped_file False
wdi.dll 0x7fef8930000 0x7fef8948fff mapped_file False
rasadhlp.dll 0x7fef8b70000 0x7fef8b77fff mapped_file False
netprofm.dll 0x7fef8b80000 0x7fef8bf3fff mapped_file False
sfc_os.dll 0x7fef9740000 0x7fef974ffff mapped_file False
aepic.dll 0x7fef9750000 0x7fef9761fff mapped_file False
webio.dll 0x7fefa370000 0x7fefa3d3fff mapped_file False
winhttp.dll 0x7fefa3e0000 0x7fefa450fff mapped_file False
dhcpcsvc.dll 0x7fefaa10000 0x7fefaa27fff mapped_file False
dhcpcsvc6.dll 0x7fefaa30000 0x7fefaa40fff mapped_file False
FWPUCLNT.DLL 0x7fefaa60000 0x7fefaab2fff mapped_file False
nsisvc.dll 0x7fefaba0000 0x7fefaba9fff mapped_file False
winnsi.dll 0x7fefabc0000 0x7fefabcafff mapped_file False
IPHLPAPI.DLL 0x7fefabd0000 0x7fefabf6fff mapped_file False
es.dll 0x7fefac40000 0x7fefaca6fff mapped_file False
nlaapi.dll 0x7fefad40000 0x7fefad54fff mapped_file False
FntCache.dll 0x7fefb0a0000 0x7fefb1c3fff mapped_file False
dwmapi.dll 0x7fefb8a0000 0x7fefb8b7fff mapped_file False
version.dll 0x7fefc570000 0x7fefc57bfff mapped_file False
WSHTCPIP.DLL 0x7fefc640000 0x7fefc646fff mapped_file False
gpapi.dll 0x7fefc730000 0x7fefc74afff mapped_file False
credssp.dll 0x7fefc880000 0x7fefc889fff mapped_file False
rsaenh.dll 0x7fefc980000 0x7fefc9c6fff mapped_file False
dnsapi.dll 0x7fefcaa0000 0x7fefcafafff mapped_file False
wship6.dll 0x7fefcc10000 0x7fefcc16fff mapped_file False
mswsock.dll 0x7fefcc20000 0x7fefcc74fff mapped_file False
cryptsp.dll 0x7fefcc80000 0x7fefcc96fff mapped_file False
secur32.dll 0x7fefd220000 0x7fefd22afff mapped_file False
sspicli.dll 0x7fefd250000 0x7fefd274fff mapped_file False
cryptbase.dll 0x7fefd2e0000 0x7fefd2eefff mapped_file False
sxs.dll 0x7fefd2f0000 0x7fefd380fff mapped_file False
RpcRtRemote.dll 0x7fefd3d0000 0x7fefd3e3fff mapped_file False
KernelBase.dll 0x7fefd540000 0x7fefd5abfff mapped_file False
imm32.dll 0x7fefd840000 0x7fefd86dfff mapped_file False
advapi32.dll 0x7fefd870000 0x7fefd94afff mapped_file False
clbcatq.dll 0x7fefd9d0000 0x7fefda68fff mapped_file False
gdi32.dll 0x7fefda70000 0x7fefdad6fff mapped_file False
lpk.dll 0x7fefdd90000 0x7fefdd9dfff mapped_file False
ws2_32.dll 0x7fefdda0000 0x7fefddecfff mapped_file False
nsi.dll 0x7fefddf0000 0x7fefddf7fff mapped_file False
shlwapi.dll 0x7fefe040000 0x7fefe0b0fff mapped_file False
sechost.dll 0x7fefe290000 0x7fefe2aefff mapped_file False
oleaut32.dll 0x7fefe2b0000 0x7fefe386fff mapped_file False
msctf.dll 0x7fefe610000 0x7fefe718fff mapped_file False
ole32.dll 0x7fefe720000 0x7fefe922fff mapped_file False
usp10.dll 0x7feff6c0000 0x7feff788fff mapped_file False
rpcrt4.dll 0x7feff790000 0x7feff8bcfff mapped_file False
msvcrt.dll 0x7feff8c0000 0x7feff95efff mapped_file False
apisetschema.dll 0x7feff990000 0x7feff990fff mapped_file False
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff private True
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff private True
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff private True
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff private True
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff private True
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff private True
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff private True
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff private True
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff private True
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff private True
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff private True
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff private True
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff private True
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff pagefile_backed True
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff private True
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff private True
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff private True
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff private True
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff private True
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff private True
OS TIDs
0x6a8, 0x6a4, 0x690, 0x68c, 0x568, 0x140, 0x144, 0x3a4, 0x3a0, 0x388, 0x384, 0x378, 0x370, 0x814, 0x720, 0x704, 0x6f4, 0x6b0
ID #17
OS PID 0x394
OS Parent PID 0x1c4
Image Name svchost.exe
Page Root 0x1b3f5000
Monitor Reason child_process
Unmonitor Reason (still running)
CMD Line C:\Windows\system32\svchost.exe -k netsvcs
Current Directory C:\Windows\system32\
Name Start VA End VA Type Monitored
pagefile_0x0000000000010000 0x00010000 0x0001ffff pagefile_backed True
svchost.exe.mui 0x00020000 0x00020fff mapped_file False
pagefile_0x0000000000030000 0x00030000 0x00033fff pagefile_backed True
pagefile_0x0000000000040000 0x00040000 0x00040fff pagefile_backed True
private_0x0000000000050000 0x00050000 0x00050fff private True
locale.nls 0x00060000 0x000c6fff mapped_file False
private_0x00000000000d0000 0x000d0000 0x000d0fff private True
private_0x00000000000e0000 0x000e0000 0x000e0fff private True
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff pagefile_backed True
pagefile_0x0000000000100000 0x00100000 0x00100fff pagefile_backed True
pagefile_0x0000000000110000 0x00110000 0x00110fff pagefile_backed True
setupapi.dll.mui 0x00120000 0x0012cfff mapped_file False
taskcomp.dll.mui 0x00130000 0x00133fff mapped_file False
schedsvc.dll.mui 0x00140000 0x00149fff mapped_file False
private_0x0000000000150000 0x00150000 0x0015ffff private True
private_0x0000000000160000 0x00160000 0x00160fff private True
private_0x0000000000170000 0x00170000 0x001effff private True
private_0x00000000001f0000 0x001f0000 0x0026ffff private True
private_0x0000000000270000 0x00270000 0x0036ffff private True
pagefile_0x0000000000370000 0x00370000 0x0042ffff pagefile_backed True
pagefile_0x0000000000430000 0x00430000 0x00431fff pagefile_backed True
private_0x0000000000440000 0x00440000 0x0053ffff private True
pagefile_0x0000000000540000 0x00540000 0x006c7fff pagefile_backed True
pagefile_0x00000000006d0000 0x006d0000 0x00850fff pagefile_backed True
cversions.2.db 0x00860000 0x00863fff mapped_file True
pagefile_0x0000000000870000 0x00870000 0x00871fff pagefile_backed True
private_0x0000000000880000 0x00880000 0x008fffff private True
cversions.2.db 0x00900000 0x00903fff mapped_file True
propsys.dll.mui 0x00910000 0x0091dfff mapped_file False
private_0x0000000000920000 0x00920000 0x0099ffff private True
private_0x00000000009a0000 0x009a0000 0x00a1ffff private True
wshtcpip.dll.mui 0x00a20000 0x00a20fff mapped_file False
private_0x0000000000a30000 0x00a30000 0x00aaffff private True
wship6.dll.mui 0x00ab0000 0x00ab0fff mapped_file False
private_0x0000000000ac0000 0x00ac0000 0x00b3ffff private True
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000013.db 0x00b40000 0x00b6ffff mapped_file True
vsstrace.dll.mui 0x00b70000 0x00b77fff mapped_file False
pagefile_0x0000000000b80000 0x00b80000 0x00b80fff pagefile_backed True
pagefile_0x0000000000b90000 0x00b90000 0x00b90fff pagefile_backed True
certprop.dll.mui 0x00ba0000 0x00ba1fff mapped_file False
pagefile_0x0000000000bb0000 0x00bb0000 0x00bb0fff pagefile_backed True
private_0x0000000000bc0000 0x00bc0000 0x00c3ffff private True
SortDefault.nls 0x00c40000 0x00f0efff mapped_file False
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db 0x00f10000 0x00f75fff mapped_file True
crypt32.dll.mui 0x00f80000 0x00f88fff mapped_file False
private_0x0000000000f90000 0x00f90000 0x0100ffff private True
FirewallAPI.dll.mui 0x01010000 0x0102bfff mapped_file False
netcfgx.dll.mui 0x01030000 0x01035fff mapped_file False
private_0x0000000001070000 0x01070000 0x010effff private True
private_0x0000000001130000 0x01130000 0x011affff private True
private_0x0000000001210000 0x01210000 0x0128ffff private True
private_0x00000000012f0000 0x012f0000 0x0136ffff private True
private_0x0000000001370000 0x01370000 0x013effff private True
private_0x0000000001400000 0x01400000 0x0147ffff private True
private_0x0000000001480000 0x01480000 0x014fffff private True
private_0x0000000001510000 0x01510000 0x0158ffff private True
private_0x00000000015f0000 0x015f0000 0x0166ffff private True
private_0x0000000001670000 0x01670000 0x0176ffff private True
private_0x0000000001780000 0x01780000 0x017fffff private True
private_0x0000000001810000 0x01810000 0x0188ffff private True
private_0x0000000001900000 0x01900000 0x0197ffff private True
private_0x0000000001990000 0x01990000 0x01a0ffff private True
private_0x0000000001a10000 0x01a10000 0x01a8ffff private True
private_0x0000000001a90000 0x01a90000 0x01b0ffff private True
private_0x0000000001b10000 0x01b10000 0x01c0ffff private True
private_0x0000000001c40000 0x01c40000 0x01cbffff private True
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff private True
private_0x0000000001d80000 0x01d80000 0x01dfffff private True
private_0x0000000001e00000 0x01e00000 0x01e7ffff private True
private_0x0000000001e90000 0x01e90000 0x01f0ffff private True
private_0x0000000001f10000 0x01f10000 0x0200ffff private True
private_0x0000000002070000 0x02070000 0x020effff private True
private_0x0000000002120000 0x02120000 0x0219ffff private True
pagefile_0x00000000021a0000 0x021a0000 0x0229ffff pagefile_backed True
private_0x00000000022b0000 0x022b0000 0x0232ffff private True
private_0x0000000002390000 0x02390000 0x0240ffff private True
private_0x0000000002450000 0x02450000 0x024cffff private True
private_0x00000000024e0000 0x024e0000 0x0255ffff private True
private_0x0000000002580000 0x02580000 0x0258ffff private True
private_0x00000000025e0000 0x025e0000 0x0265ffff private True
private_0x0000000002660000 0x02660000 0x026dffff private True
private_0x0000000002700000 0x02700000 0x0277ffff private True
private_0x00000000027a0000 0x027a0000 0x0281ffff private True
private_0x0000000002870000 0x02870000 0x0287ffff private True
private_0x00000000028c0000 0x028c0000 0x0293ffff private True
private_0x0000000002940000 0x02940000 0x02a3ffff private True
private_0x0000000002aa0000 0x02aa0000 0x02b1ffff private True
private_0x0000000002b30000 0x02b30000 0x02baffff private True
private_0x0000000002bb0000 0x02bb0000 0x02caffff private True
private_0x0000000002d00000 0x02d00000 0x02d7ffff private True
private_0x0000000002d90000 0x02d90000 0x02d9ffff private True
private_0x0000000002da0000 0x02da0000 0x02e1ffff private True
private_0x0000000002e20000 0x02e20000 0x02f1ffff private True
private_0x0000000002f80000 0x02f80000 0x02ffffff private True
private_0x0000000003000000 0x03000000 0x0307ffff private True
private_0x00000000030c0000 0x030c0000 0x0313ffff private True
private_0x00000000031b0000 0x031b0000 0x0322ffff private True
private_0x0000000003250000 0x03250000 0x032cffff private True
private_0x00000000032e0000 0x032e0000 0x0335ffff private True
private_0x00000000033a0000 0x033a0000 0x033affff private True
private_0x00000000033b0000 0x033b0000 0x0342ffff private True
private_0x0000000003430000 0x03430000 0x034affff private True
private_0x00000000034b0000 0x034b0000 0x0352ffff private True
private_0x0000000003580000 0x03580000 0x0358ffff private True
private_0x00000000035a0000 0x035a0000 0x0361ffff private True
private_0x00000000036b0000 0x036b0000 0x038affff private True
private_0x00000000038b0000 0x038b0000 0x0392ffff private True
private_0x0000000003940000 0x03940000 0x039bffff private True
private_0x00000000039d0000 0x039d0000 0x03a4ffff private True
private_0x0000000003a80000 0x03a80000 0x03afffff private True
private_0x0000000003b20000 0x03b20000 0x03b9ffff private True
private_0x0000000003bf0000 0x03bf0000 0x03c6ffff private True
private_0x0000000003c80000 0x03c80000 0x03cfffff private True
private_0x0000000003dd0000 0x03dd0000 0x03e4ffff private True
private_0x0000000003f00000 0x03f00000 0x03f7ffff private True
private_0x0000000003fd0000 0x03fd0000 0x0404ffff private True
private_0x0000000004070000 0x04070000 0x040effff private True
private_0x0000000004130000 0x04130000 0x0422ffff private True
private_0x0000000004240000 0x04240000 0x042bffff private True
user32.dll 0x77450000 0x77549fff mapped_file False
kernel32.dll 0x77550000 0x7766efff mapped_file False
ntdll.dll 0x77670000 0x77818fff mapped_file False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff pagefile_backed True
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff private True
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff private True
svchost.exe 0xff920000 0xff92afff mapped_file False
tcpipcfg.dll 0x7fef3f20000 0x7fef3f61fff mapped_file False
rascfg.dll 0x7fef3f70000 0x7fef3f89fff mapped_file False
aelupsvc.dll 0x7fef3fa0000 0x7fef3fb4fff mapped_file False
ndiscapCfg.dll 0x7fef3fc0000 0x7fef3fcefff mapped_file False
appinfo.dll 0x7fef4790000 0x7fef47a4fff mapped_file False
mprapi.dll 0x7fef4820000 0x7fef4859fff mapped_file False
SessEnv.dll 0x7fef7cb0000 0x7fef7cd3fff mapped_file False
certprop.dll 0x7fef7ce0000 0x7fef7cf6fff mapped_file False
actxprxy.dll 0x7fef7dc0000 0x7fef7eadfff mapped_file False
npmproxy.dll 0x7fef8920000 0x7fef892bfff mapped_file False
rasadhlp.dll 0x7fef8b70000 0x7fef8b77fff mapped_file False
netprofm.dll 0x7fef8b80000 0x7fef8bf3fff mapped_file False
wbemess.dll 0x7fef8c00000 0x7fef8c7dfff mapped_file False
ncobjapi.dll 0x7fef8c80000 0x7fef8c95fff mapped_file False
WmiPrvSD.dll 0x7fef8ca0000 0x7fef8d5bfff mapped_file False
repdrvfs.dll 0x7fef8d60000 0x7fef8dd2fff mapped_file False
wmiutils.dll 0x7fef8de0000 0x7fef8e05fff mapped_file False
hnetcfg.dll 0x7fef8e10000 0x7fef8e7afff mapped_file False
wbemsvc.dll 0x7fef8e80000 0x7fef8e93fff mapped_file False
esscli.dll 0x7fef8ea0000 0x7fef8f0efff mapped_file False
wbemcore.dll 0x7fef8f10000 0x7fef903efff mapped_file False
nci.dll 0x7fef9040000 0x7fef9059fff mapped_file False
netcfgx.dll 0x7fef9060000 0x7fef90e3fff mapped_file False
wbemprox.dll 0x7fef90f0000 0x7fef90fefff mapped_file False
ntdsapi.dll 0x7fef9100000 0x7fef9126fff mapped_file False
fastprox.dll 0x7fef9130000 0x7fef9211fff mapped_file False
resutils.dll 0x7fef9260000 0x7fef9278fff mapped_file False
clusapi.dll 0x7fef9280000 0x7fef92cffff mapped_file False
sscore.dll 0x7fef92d0000 0x7fef92d7fff mapped_file False
browser.dll 0x7fef92e0000 0x7fef9304fff mapped_file False
srvsvc.dll 0x7fef9310000 0x7fef934cfff mapped_file False
wdscore.dll 0x7fef9350000 0x7fef9396fff mapped_file False
sqmapi.dll 0x7fef93a0000 0x7fef93e1fff mapped_file False
iphlpsvc.dll 0x7fef93f0000 0x7fef9481fff mapped_file False
wbemcomn.dll 0x7fef9490000 0x7fef9515fff mapped_file False
wbemcomn.dll 0x7fef9490000 0x7fef9515fff mapped_file False
WMIsvc.dll 0x7fef9520000 0x7fef955ffff mapped_file False
WMIsvc.dll 0x7fef9520000 0x7fef955ffff mapped_file False
IKEEXT.DLL 0x7fef9860000 0x7fef9936fff mapped_file False
vsstrace.dll 0x7fef9b90000 0x7fef9ba6fff mapped_file False
vssapi.dll 0x7fef9bb0000 0x7fef9d5ffff mapped_file False
TSChannel.dll 0x7fef9df0000 0x7fef9df8fff mapped_file False
WinSCard.dll 0x7fefa460000 0x7fefa497fff mapped_file False
taskcomp.dll 0x7fefa610000 0x7fefa686fff mapped_file False
ktmw32.dll 0x7fefa750000 0x7fefa759fff mapped_file False
schedsvc.dll 0x7fefa760000 0x7fefa871fff mapped_file False
wiarpc.dll 0x7fefa920000 0x7fefa92efff mapped_file False
fvecerts.dll 0x7fefa930000 0x7fefa938fff mapped_file False
tbs.dll 0x7fefa940000 0x7fefa948fff mapped_file False
fveapi.dll 0x7fefa950000 0x7fefa9a5fff mapped_file False
shsvcs.dll 0x7fefa9b0000 0x7fefaa0dfff mapped_file False
dhcpcsvc.dll 0x7fefaa10000 0x7fefaa27fff mapped_file False
dhcpcsvc6.dll 0x7fefaa30000 0x7fefaa40fff mapped_file False
FWPUCLNT.DLL 0x7fefaa60000 0x7fefaab2fff mapped_file False
winnsi.dll 0x7fefabc0000 0x7fefabcafff mapped_file False
IPHLPAPI.DLL 0x7fefabd0000 0x7fefabf6fff mapped_file False
Sens.dll 0x7fefac20000 0x7fefac33fff mapped_file False
es.dll 0x7fefac40000 0x7fefaca6fff mapped_file False
themeservice.dll 0x7fefacb0000 0x7fefacbffff mapped_file False
atl.dll 0x7fefacc0000 0x7fefacd8fff mapped_file False
profsvc.dll 0x7feface0000 0x7fefad16fff mapped_file False
slc.dll 0x7fefad20000 0x7fefad2afff mapped_file False
dsrole.dll 0x7fefad30000 0x7fefad3bfff mapped_file False
nlaapi.dll 0x7fefad40000 0x7fefad54fff mapped_file False
mmcss.dll 0x7fefb080000 0x7fefb09cfff mapped_file False
avrt.dll 0x7fefb1d0000 0x7fefb1d8fff mapped_file False
rtutils.dll 0x7fefb3f0000 0x7fefb400fff mapped_file False
samcli.dll 0x7fefb540000 0x7fefb553fff mapped_file False
wkscli.dll 0x7fefb560000 0x7fefb574fff mapped_file False
netutils.dll 0x7fefb580000 0x7fefb58bfff mapped_file False
netapi32.dll 0x7fefb590000 0x7fefb5a5fff mapped_file False
wtsapi32.dll 0x7fefb6c0000 0x7fefb6d0fff mapped_file False
xmllite.dll 0x7fefb860000 0x7fefb894fff mapped_file False
uxtheme.dll 0x7fefbcd0000 0x7fefbd25fff mapped_file False
propsys.dll 0x7fefbd30000 0x7fefbe5bfff mapped_file False
samlib.dll 0x7fefbe60000 0x7fefbe7cfff mapped_file False
comctl32.dll 0x7fefbe80000 0x7fefc073fff mapped_file False
ntmarta.dll 0x7fefc370000 0x7fefc39cfff mapped_file False
version.dll 0x7fefc570000 0x7fefc57bfff mapped_file False
FirewallAPI.dll 0x7fefc580000 0x7fefc63afff mapped_file False
WSHTCPIP.DLL 0x7fefc640000 0x7fefc646fff mapped_file False
gpapi.dll 0x7fefc730000 0x7fefc74afff mapped_file False
devrtl.dll 0x7fefc750000 0x7fefc761fff mapped_file False
SPInf.dll 0x7fefc770000 0x7fefc78efff mapped_file False
ubpm.dll 0x7fefc840000 0x7fefc878fff mapped_file False
credssp.dll 0x7fefc880000 0x7fefc889fff mapped_file False
pcwum.dll 0x7fefc890000 0x7fefc89cfff mapped_file False
bcryptprimitives.dll 0x7fefc8c0000 0x7fefc90bfff mapped_file False
rsaenh.dll 0x7fefc980000 0x7fefc9c6fff mapped_file False
logoncli.dll 0x7fefca70000 0x7fefca9ffff mapped_file False
dnsapi.dll 0x7fefcaa0000 0x7fefcafafff mapped_file False
wship6.dll 0x7fefcc10000 0x7fefcc16fff mapped_file False
mswsock.dll 0x7fefcc20000 0x7fefcc74fff mapped_file False
cryptsp.dll 0x7fefcc80000 0x7fefcc96fff mapped_file False
netjoin.dll 0x7fefcd90000 0x7fefcdc1fff mapped_file False
wmsgapi.dll 0x7fefcdd0000 0x7fefcdd7fff mapped_file False
sysntfy.dll 0x7fefcde0000 0x7fefcde9fff mapped_file False
bcrypt.dll 0x7fefcdf0000 0x7fefce11fff mapped_file False
ncrypt.dll 0x7fefce20000 0x7fefce6cfff mapped_file False
authz.dll 0x7fefce70000 0x7fefce9efff mapped_file False
wevtapi.dll 0x7fefceb0000 0x7fefcf1cfff mapped_file False
cryptdll.dll 0x7fefcf20000 0x7fefcf33fff mapped_file False
srvcli.dll 0x7fefd180000 0x7fefd1a2fff mapped_file False
secur32.dll 0x7fefd220000 0x7fefd22afff mapped_file False
sspicli.dll 0x7fefd250000 0x7fefd274fff mapped_file False
apphelp.dll 0x7fefd280000 0x7fefd2d6fff mapped_file False
cryptbase.dll 0x7fefd2e0000 0x7fefd2eefff mapped_file False
sxs.dll 0x7fefd2f0000 0x7fefd380fff mapped_file False
winsta.dll 0x7fefd390000 0x7fefd3ccfff mapped_file False
RpcRtRemote.dll 0x7fefd3d0000 0x7fefd3e3fff mapped_file False
msasn1.dll 0x7fefd480000 0x7fefd48efff mapped_file False
profapi.dll 0x7fefd490000 0x7fefd49efff mapped_file False
cfgmgr32.dll 0x7fefd4a0000 0x7fefd4d5fff mapped_file False
userenv.dll 0x7fefd4e0000 0x7fefd4fdfff mapped_file False
devobj.dll 0x7fefd520000 0x7fefd539fff mapped_file False
KernelBase.dll 0x7fefd540000 0x7fefd5abfff mapped_file False
wintrust.dll 0x7fefd5b0000 0x7fefd5e9fff mapped_file False
crypt32.dll 0x7fefd610000 0x7fefd77bfff mapped_file False
imm32.dll 0x7fefd840000 0x7fefd86dfff mapped_file False
advapi32.dll 0x7fefd870000 0x7fefd94afff mapped_file False
clbcatq.dll 0x7fefd9d0000 0x7fefda68fff mapped_file False
gdi32.dll 0x7fefda70000 0x7fefdad6fff mapped_file False
lpk.dll 0x7fefdd90000 0x7fefdd9dfff mapped_file False
ws2_32.dll 0x7fefdda0000 0x7fefddecfff mapped_file False
nsi.dll 0x7fefddf0000 0x7fefddf7fff mapped_file False
shlwapi.dll 0x7fefe040000 0x7fefe0b0fff mapped_file False
Wldap32.dll 0x7fefe0c0000 0x7fefe111fff mapped_file False
sechost.dll 0x7fefe290000 0x7fefe2aefff mapped_file False
oleaut32.dll 0x7fefe2b0000 0x7fefe386fff mapped_file False
setupapi.dll 0x7fefe430000 0x7fefe606fff mapped_file False
msctf.dll 0x7fefe610000 0x7fefe718fff mapped_file False
ole32.dll 0x7fefe720000 0x7fefe922fff mapped_file False
shell32.dll 0x7fefe930000 0x7feff6b7fff mapped_file False
usp10.dll 0x7feff6c0000 0x7feff788fff mapped_file False
rpcrt4.dll 0x7feff790000 0x7feff8bcfff mapped_file False
msvcrt.dll 0x7feff8c0000 0x7feff95efff mapped_file False
apisetschema.dll 0x7feff990000 0x7feff990fff mapped_file False
private_0x000007fffff50000 0x7fffff50000 0x7fffff51fff private True
private_0x000007fffff52000 0x7fffff52000 0x7fffff53fff private True
private_0x000007fffff54000 0x7fffff54000 0x7fffff55fff private True
private_0x000007fffff56000 0x7fffff56000 0x7fffff57fff private True
private_0x000007fffff58000 0x7fffff58000 0x7fffff59fff private True
private_0x000007fffff5a000 0x7fffff5a000 0x7fffff5bfff private True
private_0x000007fffff5c000 0x7fffff5c000 0x7fffff5dfff private True
private_0x000007fffff5e000 0x7fffff5e000 0x7fffff5ffff private True
private_0x000007fffff60000 0x7fffff60000 0x7fffff61fff private True
private_0x000007fffff62000 0x7fffff62000 0x7fffff63fff private True
private_0x000007fffff64000 0x7fffff64000 0x7fffff65fff private True
private_0x000007fffff66000 0x7fffff66000 0x7fffff67fff private True
private_0x000007fffff68000 0x7fffff68000 0x7fffff69fff private True
private_0x000007fffff6a000 0x7fffff6a000 0x7fffff6bfff private True
private_0x000007fffff6c000 0x7fffff6c000 0x7fffff6dfff private True
private_0x000007fffff6e000 0x7fffff6e000 0x7fffff6ffff private True
private_0x000007fffff70000 0x7fffff70000 0x7fffff71fff private True
private_0x000007fffff74000 0x7fffff74000 0x7fffff75fff private True
private_0x000007fffff76000 0x7fffff76000 0x7fffff77fff private True
private_0x000007fffff78000 0x7fffff78000 0x7fffff79fff private True
private_0x000007fffff7a000 0x7fffff7a000 0x7fffff7bfff private True
private_0x000007fffff7c000 0x7fffff7c000 0x7fffff7dfff private True
private_0x000007fffff7e000 0x7fffff7e000 0x7fffff7ffff private True
private_0x000007fffff80000 0x7fffff80000 0x7fffff81fff private True
private_0x000007fffff82000 0x7fffff82000 0x7fffff83fff private True
private_0x000007fffff84000 0x7fffff84000 0x7fffff85fff private True
private_0x000007fffff86000 0x7fffff86000 0x7fffff87fff private True
private_0x000007fffff88000 0x7fffff88000 0x7fffff89fff private True
private_0x000007fffff8a000 0x7fffff8a000 0x7fffff8bfff private True
private_0x000007fffff8c000 0x7fffff8c000 0x7fffff8dfff private True
private_0x000007fffff8e000 0x7fffff8e000 0x7fffff8ffff private True
private_0x000007fffff90000 0x7fffff90000 0x7fffff91fff private True
private_0x000007fffff92000 0x7fffff92000 0x7fffff93fff private True
private_0x000007fffff94000 0x7fffff94000 0x7fffff95fff private True
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff private True
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff private True
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff private True
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff private True
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff private True
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff private True
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff private True
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff private True
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff private True
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff private True
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff private True
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff private True
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff private True
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff pagefile_backed True
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff private True
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff private True
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff private True
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff private True
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff private True
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff private True
OS TIDs
0x628, 0x61c, 0x618, 0x614, 0x608, 0x604, 0x5fc, 0x5f4, 0x5ec, 0x5e8, 0x5d8, 0x5c4, 0x5bc, 0x5ac, 0x58c, 0x470, 0x44c, 0x43c, 0x418, 0x414, 0x410, 0x3ac, 0x14c, 0x3c8, 0x124, 0x11c, 0x120, 0x3c0, 0x3bc, 0x3b8, 0x3b0, 0x3a8, 0x398, 0xab4, 0xab0, 0xaac, 0xaa8, 0x768, 0x7fc, 0x78c, 0x788, 0x778, 0x774, 0x770, 0x724, 0x71c, 0x6f8, 0x6f0, 0x6c8, 0x638, 0x630, 0x62c
ID#18
OS PID: 0x3dc
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x1af3b000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\svchost.exe -k GPSvcGroup
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
pagefile_0x00000000000100000x000100000x0001ffffpagefile_backedTrue
svchost.exe.mui0x000200000x00020fffmapped_fileFalse
pagefile_0x00000000000300000x000300000x00033fffpagefile_backedTrue
pagefile_0x00000000000400000x000400000x00040fffpagefile_backedTrue
private_0x00000000000500000x000500000x00050fffprivateTrue
locale.nls0x000600000x000c6fffmapped_fileFalse
pagefile_0x00000000000d00000x000d00000x0018ffffpagefile_backedTrue
private_0x00000000001900000x001900000x0020ffffprivateTrue
private_0x00000000002100000x002100000x0030ffffprivateTrue
private_0x00000000003100000x003100000x00310fffprivateTrue
private_0x00000000003200000x003200000x0041ffffprivateTrue
pagefile_0x00000000004200000x004200000x005a7fffpagefile_backedTrue
private_0x00000000005b00000x005b00000x005b0fffprivateTrue
private_0x00000000005c00000x005c00000x005cffffprivateTrue
pagefile_0x00000000005d00000x005d00000x00750fffpagefile_backedTrue
private_0x00000000007600000x007600000x007dffffprivateTrue
gpsvc.dll.mui0x007e00000x007eafffmapped_fileFalse
private_0x00000000008100000x008100000x0088ffffprivateTrue
private_0x00000000009700000x009700000x009effffprivateTrue
private_0x0000000000a500000x00a500000x00acffffprivateTrue
SortDefault.nls0x00ad00000x00d9efffmapped_fileFalse
private_0x0000000000e000000x00e000000x00e7ffffprivateTrue
private_0x0000000000e800000x00e800000x00e8ffffprivateTrue
private_0x00000000010100000x010100000x0108ffffprivateTrue
user32.dll0x774500000x77549fffmapped_fileFalse
kernel32.dll0x775500000x7766efffmapped_fileFalse
ntdll.dll0x776700000x77818fffmapped_fileFalse
pagefile_0x000000007efe00000x7efe00000x7f0dffffpagefile_backedTrue
private_0x000000007f0e00000x7f0e00000x7ffdffffprivateTrue
private_0x000000007ffe00000x7ffe00000x7ffeffffprivateTrue
svchost.exe0xff9200000xff92afffmapped_fileFalse
slc.dll0x7fefad200000x7fefad2afffmapped_fileFalse
dsrole.dll0x7fefad300000x7fefad3bfffmapped_fileFalse
nlaapi.dll0x7fefad400000x7fefad54fffmapped_fileFalse
gpsvc.dll0x7fefad600000x7fefae21fffmapped_fileFalse
samlib.dll0x7fefbe600000x7fefbe7cfffmapped_fileFalse
gpapi.dll0x7fefc7300000x7fefc74afffmapped_fileFalse
sysntfy.dll0x7fefcde00000x7fefcde9fffmapped_fileFalse
secur32.dll0x7fefd2200000x7fefd22afffmapped_fileFalse
sspicli.dll0x7fefd2500000x7fefd274fffmapped_fileFalse
cryptbase.dll0x7fefd2e00000x7fefd2eefffmapped_fileFalse
RpcRtRemote.dll0x7fefd3d00000x7fefd3e3fffmapped_fileFalse
KernelBase.dll0x7fefd5400000x7fefd5abfffmapped_fileFalse
imm32.dll0x7fefd8400000x7fefd86dfffmapped_fileFalse
advapi32.dll0x7fefd8700000x7fefd94afffmapped_fileFalse
gdi32.dll0x7fefda700000x7fefdad6fffmapped_fileFalse
lpk.dll0x7fefdd900000x7fefdd9dfffmapped_fileFalse
nsi.dll0x7fefddf00000x7fefddf7fffmapped_fileFalse
Wldap32.dll0x7fefe0c00000x7fefe111fffmapped_fileFalse
sechost.dll0x7fefe2900000x7fefe2aefffmapped_fileFalse
msctf.dll0x7fefe6100000x7fefe718fffmapped_fileFalse
ole32.dll0x7fefe7200000x7fefe922fffmapped_fileFalse
usp10.dll0x7feff6c00000x7feff788fffmapped_fileFalse
rpcrt4.dll0x7feff7900000x7feff8bcfffmapped_fileFalse
msvcrt.dll0x7feff8c00000x7feff95efffmapped_fileFalse
apisetschema.dll0x7feff9900000x7feff990fffmapped_fileFalse
private_0x000007fffffae0000x7fffffae0000x7fffffaffffprivateTrue
pagefile_0x000007fffffb00000x7fffffb00000x7fffffd2fffpagefile_backedTrue
private_0x000007fffffd30000x7fffffd30000x7fffffd4fffprivateTrue
private_0x000007fffffd70000x7fffffd70000x7fffffd8fffprivateTrue
private_0x000007fffffd90000x7fffffd90000x7fffffdafffprivateTrue
private_0x000007fffffdb0000x7fffffdb0000x7fffffdcfffprivateTrue
private_0x000007fffffdd0000x7fffffdd0000x7fffffdefffprivateTrue
private_0x000007fffffdf0000x7fffffdf0000x7fffffdffffprivateTrue
OS TIDs
0x420, 0x284, 0xe4, 0x3fc, 0x3e8, 0x3e0
ID#19
OS PID: 0x1d0
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x169d3000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\svchost.exe -k NetworkService
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
pagefile_0x00000000000100000x000100000x0001ffffpagefile_backedTrue
svchost.exe.mui0x000200000x00020fffmapped_fileFalse
pagefile_0x00000000000300000x000300000x00033fffpagefile_backedTrue
pagefile_0x00000000000400000x000400000x00040fffpagefile_backedTrue
private_0x00000000000500000x000500000x00050fffprivateTrue
locale.nls0x000600000x000c6fffmapped_fileFalse
private_0x00000000000d00000x000d00000x000d0fffprivateTrue
private_0x00000000000e00000x000e00000x0015ffffprivateTrue
private_0x00000000001600000x001600000x0025ffffprivateTrue
private_0x00000000002600000x002600000x00260fffprivateTrue
vsstrace.dll.mui0x002700000x00277fffmapped_fileFalse
pagefile_0x00000000002800000x002800000x00280fffpagefile_backedTrue
pagefile_0x00000000002900000x002900000x00290fffpagefile_backedTrue
private_0x00000000002a00000x002a00000x002affffprivateTrue
termsrv.dll.mui0x002b00000x002b9fffmapped_fileFalse
private_0x00000000002c00000x002c00000x002cffffprivateTrue
private_0x00000000002d00000x002d00000x002d0fffprivateTrue
setupapi.dll.mui0x002e00000x002ecfffmapped_fileFalse
private_0x00000000002f00000x002f00000x002f0fffprivateTrue
private_0x00000000003000000x003000000x003fffffprivateTrue
pagefile_0x00000000004000000x004000000x00587fffpagefile_backedTrue
pagefile_0x00000000005900000x005900000x00710fffpagefile_backedTrue
pagefile_0x00000000007200000x007200000x007dffffpagefile_backedTrue
private_0x00000000007e00000x007e00000x007f9fffprivateTrue
private_0x00000000008000000x008000000x0087ffffprivateTrue
private_0x00000000008800000x008800000x0088ffffprivateTrue
private_0x00000000008900000x008900000x0089ffffprivateTrue
private_0x00000000008a00000x008a00000x008affffprivateTrue
private_0x00000000008b00000x008b00000x0092ffffprivateTrue
private_0x00000000009300000x009300000x00930fffprivateTrue
private_0x00000000009400000x009400000x00941fffprivateTrue
private_0x00000000009500000x009500000x00954fffprivateTrue
private_0x00000000009600000x009600000x009dffffprivateTrue
private_0x00000000009e00000x009e00000x009e0fffprivateTrue
private_0x00000000009f00000x009f00000x00a6ffffprivateTrue
private_0x0000000000a700000x00a700000x00a7ffffprivateTrue
private_0x0000000000a800000x00a800000x00a80fffprivateTrue
catdb0x00a900000x00a9ffffmapped_fileFalse
private_0x0000000000aa00000x00aa00000x00b1ffffprivateTrue
private_0x0000000000b200000x00b200000x00b9ffffprivateTrue
SortDefault.nls0x00ba00000x00e6efffmapped_fileFalse
catdb0x00e700000x00e7ffffmapped_fileFalse
private_0x0000000000e800000x00e800000x00efffffprivateTrue
pagefile_0x0000000000f000000x00f000000x00f0ffffpagefile_backedTrue
pagefile_0x0000000000f100000x00f100000x00f1ffffpagefile_backedTrue
pagefile_0x0000000000f200000x00f200000x00f2ffffpagefile_backedTrue
pagefile_0x0000000000f300000x00f300000x00f3ffffpagefile_backedTrue
pagefile_0x0000000000f400000x00f400000x00f4ffffpagefile_backedTrue
pagefile_0x0000000000f500000x00f500000x00f5ffffpagefile_backedTrue
private_0x0000000000f600000x00f600000x00fdffffprivateTrue
catdb0x00fe00000x00feffffmapped_fileFalse
catdb0x00ff00000x00ffffffmapped_fileFalse
private_0x00000000010000000x010000000x0107ffffprivateTrue
private_0x00000000010800000x010800000x010fffffprivateTrue
pagefile_0x00000000011000000x011000000x0110ffffpagefile_backedTrue
pagefile_0x00000000011100000x011100000x0111ffffpagefile_backedTrue
pagefile_0x00000000011200000x011200000x0112ffffpagefile_backedTrue
pagefile_0x00000000011300000x011300000x0113ffffpagefile_backedTrue
pagefile_0x00000000011400000x011400000x0114ffffpagefile_backedTrue
pagefile_0x00000000011500000x011500000x0115ffffpagefile_backedTrue
catdb0x011600000x0116ffffmapped_fileFalse
catdb0x011700000x0117ffffmapped_fileFalse
private_0x00000000011800000x011800000x0118ffffprivateTrue
private_0x00000000011a00000x011a00000x0121ffffprivateTrue
catdb0x012200000x0122ffffmapped_fileFalse
catdb0x012300000x0123ffffmapped_fileFalse
catdb0x012400000x0124ffffmapped_fileFalse
private_0x00000000012500000x012500000x012cffffprivateTrue
private_0x00000000012d00000x012d00000x013cffffprivateTrue
catdb0x013d00000x013dffffmapped_fileFalse
catdb0x013e00000x013effffmapped_fileFalse
catdb0x013f00000x013fffffmapped_fileFalse
catdb0x014000000x0140ffffmapped_fileFalse
catdb0x014800000x0148ffffmapped_fileFalse
private_0x00000000014900000x014900000x0149ffffprivateTrue
private_0x00000000014a00000x014a00000x014affffprivateTrue
private_0x00000000014b00000x014b00000x014bffffprivateTrue
private_0x00000000014c00000x014c00000x014cffffprivateTrue
private_0x00000000014d00000x014d00000x014dffffprivateTrue
private_0x00000000014e00000x014e00000x014e0fffprivateTrue
private_0x00000000014f00000x014f00000x014f0fffprivateTrue
private_0x00000000015000000x015000000x0157ffffprivateTrue
private_0x00000000015800000x015800000x0158ffffprivateTrue
private_0x00000000015a00000x015a00000x0161ffffprivateTrue
private_0x00000000016600000x016600000x0166ffffprivateTrue
private_0x00000000016700000x016700000x0176ffffprivateTrue
private_0x00000000017a00000x017a00000x0181ffffprivateTrue
private_0x00000000018200000x018200000x0191ffffprivateTrue
private_0x00000000019200000x019200000x01a1ffffprivateTrue
private_0x0000000001ab00000x01ab00000x01b2ffffprivateTrue
private_0x0000000001b500000x01b500000x01bcffffprivateTrue
private_0x0000000001c000000x01c000000x01c7ffffprivateTrue
private_0x0000000001ca00000x01ca00000x01d1ffffprivateTrue
private_0x0000000001d200000x01d200000x01d9ffffprivateTrue
private_0x0000000001da00000x01da00000x01e1ffffprivateTrue
private_0x0000000001e400000x01e400000x01ebffffprivateTrue
private_0x0000000001ee00000x01ee00000x01f5ffffprivateTrue
KernelBase.dll.mui0x01f600000x0201ffffmapped_fileFalse
private_0x00000000020400000x020400000x0204ffffprivateTrue
private_0x00000000020e00000x020e00000x020effffprivateTrue
private_0x00000000021500000x021500000x021cffffprivateTrue
private_0x00000000021d00000x021d00000x022cffffprivateTrue
private_0x00000000023700000x023700000x0237ffffprivateTrue
private_0x00000000023a00000x023a00000x0241ffffprivateTrue
private_0x00000000024200000x024200000x0261ffffprivateTrue
private_0x00000000026200000x026200000x0271ffffprivateTrue
private_0x00000000027200000x027200000x0371ffffprivateTrue
private_0x00000000038600000x038600000x038dffffprivateTrue
user32.dll0x774500000x77549fffmapped_fileFalse
kernel32.dll0x775500000x7766efffmapped_fileFalse
ntdll.dll0x776700000x77818fffmapped_fileFalse
psapi.dll0x778400000x77846fffmapped_fileFalse
pagefile_0x000000007efe00000x7efe00000x7f0dffffpagefile_backedTrue
private_0x000000007f0e00000x7f0e00000x7ffdffffprivateTrue
private_0x000000007ffe00000x7ffe00000x7ffeffffprivateTrue
svchost.exe0xff9200000xff92afffmapped_fileFalse
esent.dll0x7fef79d00000x7fef7c49fffmapped_fileFalse
rdpwsx.dll0x7fef7eb00000x7fef7ec6fffmapped_fileFalse
rdpcorekmts.dll0x7fef7ed00000x7fef7ef9fffmapped_fileFalse
umb.dll0x7fef7f000000x7fef7f12fffmapped_fileFalse
d3d8thk.dll0x7fef7f200000x7fef7f26fffmapped_fileFalse
d3d9.dll0x7fef7f300000x7fef812efffmapped_fileFalse
tlscsp.dll0x7fef81300000x7fef8145fffmapped_fileFalse
rdpcorets.dll0x7fef81500000x7fef8470fffmapped_fileFalse
regapi.dll0x7fef84800000x7fef849afffmapped_fileFalse
lsmproxy.dll0x7fef84f00000x7fef8500fffmapped_fileFalse
icaapi.dll0x7fef87000000x7fef8709fffmapped_fileFalse
termsrv.dll0x7fef87100000x7fef87b9fffmapped_fileFalse
rasadhlp.dll0x7fef8b700000x7fef8b77fffmapped_fileFalse
ssdpapi.dll0x7fef97b00000x7fef97c0fffmapped_fileFalse
ncsi.dll0x7fef97d00000x7fef9808fffmapped_fileFalse
nlasvc.dll0x7fef98100000x7fef985dfffmapped_fileFalse
vsstrace.dll0x7fef9b900000x7fef9ba6fffmapped_fileFalse
vssapi.dll0x7fef9bb00000x7fef9d5ffffmapped_fileFalse
cryptnet.dll0x7fef9d600000x7fef9d86fffmapped_fileFalse
cryptsvc.dll0x7fef9d900000x7fef9dc1fffmapped_fileFalse
wkssvc.dll0x7fef9dd00000x7fef9deffffmapped_fileFalse
webio.dll0x7fefa3700000x7fefa3d3fffmapped_fileFalse
winhttp.dll0x7fefa3e00000x7fefa450fffmapped_fileFalse
dhcpcsvc.dll0x7fefaa100000x7fefaa27fffmapped_fileFalse
dhcpcsvc6.dll0x7fefaa300000x7fefaa40fffmapped_fileFalse
dnsext.dll0x7fefaa500000x7fefaa56fffmapped_fileFalse
FWPUCLNT.DLL0x7fefaa600000x7fefaab2fffmapped_fileFalse
dnsrslvr.dll0x7fefaac00000x7fefaaeffffmapped_fileFalse
winnsi.dll0x7fefabc00000x7fefabcafffmapped_fileFalse
IPHLPAPI.DLL0x7fefabd00000x7fefabf6fffmapped_fileFalse
es.dll0x7fefac400000x7fefaca6fffmapped_fileFalse
atl.dll0x7fefacc00000x7fefacd8fffmapped_fileFalse
slc.dll0x7fefad200000x7fefad2afffmapped_fileFalse
samcli.dll0x7fefb5400000x7fefb553fffmapped_fileFalse
wkscli.dll0x7fefb5600000x7fefb574fffmapped_fileFalse
netutils.dll0x7fefb5800000x7fefb58bfffmapped_fileFalse
wtsapi32.dll0x7fefb6c00000x7fefb6d0fffmapped_fileFalse
dwmapi.dll0x7fefb8a00000x7fefb8b7fffmapped_fileFalse
propsys.dll0x7fefbd300000x7fefbe5bfffmapped_fileFalse
samlib.dll0x7fefbe600000x7fefbe7cfffmapped_fileFalse
ntmarta.dll0x7fefc3700000x7fefc39cfffmapped_fileFalse
version.dll0x7fefc5700000x7fefc57bfffmapped_fileFalse
WSHTCPIP.DLL0x7fefc6400000x7fefc646fffmapped_fileFalse
gpapi.dll0x7fefc7300000x7fefc74afffmapped_fileFalse
credssp.dll0x7fefc8800000x7fefc889fffmapped_fileFalse
pcwum.dll0x7fefc8900000x7fefc89cfffmapped_fileFalse
bcryptprimitives.dll0x7fefc8c00000x7fefc90bfffmapped_fileFalse
rsaenh.dll0x7fefc9800000x7fefc9c6fffmapped_fileFalse
dnsapi.dll0x7fefcaa00000x7fefcafafffmapped_fileFalse
wship6.dll0x7fefcc100000x7fefcc16fffmapped_fileFalse
mswsock.dll0x7fefcc200000x7fefcc74fffmapped_fileFalse
cryptsp.dll0x7fefcc800000x7fefcc96fffmapped_fileFalse
netjoin.dll0x7fefcd900000x7fefcdc1fffmapped_fileFalse
bcrypt.dll0x7fefcdf00000x7fefce11fffmapped_fileFalse
ncrypt.dll0x7fefce200000x7fefce6cfffmapped_fileFalse
wevtapi.dll0x7fefceb00000x7fefcf1cfffmapped_fileFalse
secur32.dll0x7fefd2200000x7fefd22afffmapped_fileFalse
sspicli.dll0x7fefd2500000x7fefd274fffmapped_fileFalse
cryptbase.dll0x7fefd2e00000x7fefd2eefffmapped_fileFalse
winsta.dll0x7fefd3900000x7fefd3ccfffmapped_fileFalse
RpcRtRemote.dll0x7fefd3d00000x7fefd3e3fffmapped_fileFalse
msasn1.dll0x7fefd4800000x7fefd48efffmapped_fileFalse
profapi.dll0x7fefd4900000x7fefd49efffmapped_fileFalse
cfgmgr32.dll0x7fefd4a00000x7fefd4d5fffmapped_fileFalse
userenv.dll0x7fefd4e00000x7fefd4fdfffmapped_fileFalse
devobj.dll0x7fefd5200000x7fefd539fffmapped_fileFalse
KernelBase.dll0x7fefd5400000x7fefd5abfffmapped_fileFalse
wintrust.dll0x7fefd5b00000x7fefd5e9fffmapped_fileFalse
crypt32.dll0x7fefd6100000x7fefd77bfffmapped_fileFalse
imm32.dll0x7fefd8400000x7fefd86dfffmapped_fileFalse
advapi32.dll0x7fefd8700000x7fefd94afffmapped_fileFalse
clbcatq.dll0x7fefd9d00000x7fefda68fffmapped_fileFalse
gdi32.dll0x7fefda700000x7fefdad6fffmapped_fileFalse
lpk.dll0x7fefdd900000x7fefdd9dfffmapped_fileFalse
ws2_32.dll0x7fefdda00000x7fefddecfffmapped_fileFalse
nsi.dll0x7fefddf00000x7fefddf7fffmapped_fileFalse
shlwapi.dll0x7fefe0400000x7fefe0b0fffmapped_fileFalse
Wldap32.dll0x7fefe0c00000x7fefe111fffmapped_fileFalse
sechost.dll0x7fefe2900000x7fefe2aefffmapped_fileFalse
oleaut32.dll0x7fefe2b00000x7fefe386fffmapped_fileFalse
setupapi.dll0x7fefe4300000x7fefe606fffmapped_fileFalse
msctf.dll0x7fefe6100000x7fefe718fffmapped_fileFalse
ole32.dll0x7fefe7200000x7fefe922fffmapped_fileFalse
shell32.dll0x7fefe9300000x7feff6b7fffmapped_fileFalse
usp10.dll0x7feff6c00000x7feff788fffmapped_fileFalse
rpcrt4.dll0x7feff7900000x7feff8bcfffmapped_fileFalse
msvcrt.dll0x7feff8c00000x7feff95efffmapped_fileFalse
apisetschema.dll0x7feff9900000x7feff990fffmapped_fileFalse
private_0x000007fffff880000x7fffff880000x7fffff89fffprivateTrue
private_0x000007fffff8a0000x7fffff8a0000x7fffff8bfffprivateTrue
private_0x000007fffff8c0000x7fffff8c0000x7fffff8dfffprivateTrue
private_0x000007fffff8e0000x7fffff8e0000x7fffff8ffffprivateTrue
private_0x000007fffff900000x7fffff900000x7fffff91fffprivateTrue
private_0x000007fffff920000x7fffff920000x7fffff93fffprivateTrue
private_0x000007fffff940000x7fffff940000x7fffff95fffprivateTrue
private_0x000007fffff960000x7fffff960000x7fffff97fffprivateTrue
private_0x000007fffff980000x7fffff980000x7fffff99fffprivateTrue
private_0x000007fffff9a0000x7fffff9a0000x7fffff9bfffprivateTrue
private_0x000007fffff9c0000x7fffff9c0000x7fffff9dfffprivateTrue
private_0x000007fffff9e0000x7fffff9e0000x7fffff9ffffprivateTrue
private_0x000007fffffa00000x7fffffa00000x7fffffa1fffprivateTrue
private_0x000007fffffa20000x7fffffa20000x7fffffa3fffprivateTrue
private_0x000007fffffa60000x7fffffa60000x7fffffa7fffprivateTrue
private_0x000007fffffa80000x7fffffa80000x7fffffa9fffprivateTrue
private_0x000007fffffaa0000x7fffffaa0000x7fffffabfffprivateTrue
private_0x000007fffffac0000x7fffffac0000x7fffffadfffprivateTrue
private_0x000007fffffae0000x7fffffae0000x7fffffaffffprivateTrue
pagefile_0x000007fffffb00000x7fffffb00000x7fffffd2fffpagefile_backedTrue
private_0x000007fffffd30000x7fffffd30000x7fffffd4fffprivateTrue
private_0x000007fffffd50000x7fffffd50000x7fffffd6fffprivateTrue
private_0x000007fffffd70000x7fffffd70000x7fffffd8fffprivateTrue
private_0x000007fffffd90000x7fffffd90000x7fffffdafffprivateTrue
private_0x000007fffffdb0000x7fffffdb0000x7fffffdcfffprivateTrue
private_0x000007fffffdd0000x7fffffdd0000x7fffffddfffprivateTrue
private_0x000007fffffde0000x7fffffde0000x7fffffdffffprivateTrue
OS TIDs
0xaec, 0x9f8, 0x524, 0x75c, 0x758, 0x750, 0x72c, 0x728, 0x6d8, 0x6d4, 0x648, 0x60c, 0x5f8, 0x5dc, 0x5a8, 0x560, 0x540, 0x150, 0x108, 0x3cc, 0x39c, 0x2fc, 0x2a4, 0x12c, 0x208
ID#20
OS PID: 0x464
OS Parent PID: 0x1c4
Image Name: spoolsv.exe
Page Root: 0x1380c000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\System32\spoolsv.exe
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
OS TIDs
0x990, 0x550, 0x548, 0x50c, 0x500, 0x4f8, 0x354, 0x35c, 0x77c, 0x76c, 0x488, 0x484, 0x480, 0x47c, 0x474, 0x468
ID#21
OS PID: 0x48c
OS Parent PID: 0x1c4
Image Name: taskhost.exe
Page Root: 0x134cf000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: "taskhost.exe"
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
pagefile_0x00000000000100000x000100000x0001ffffpagefile_backedTrue
taskhost.exe.mui0x000200000x00020fffmapped_fileFalse
private_0x00000000000300000x000300000x000affffprivateTrue
pagefile_0x00000000000b00000x000b00000x000b3fffpagefile_backedTrue
private_0x00000000000c00000x000c00000x000c0fffprivateTrue
locale.nls0x000d00000x00136fffmapped_fileFalse
private_0x00000000001400000x001400000x00140fffprivateTrue
private_0x00000000001500000x001500000x00150fffprivateTrue
pagefile_0x00000000001600000x001600000x00160fffpagefile_backedTrue
private_0x00000000001700000x001700000x0026ffffprivateTrue
pagefile_0x00000000002700000x002700000x00270fffpagefile_backedTrue
pagefile_0x00000000002800000x002800000x00280fffpagefile_backedTrue
private_0x00000000002900000x002900000x002a9fffprivateTrue
MsCtfMonitor.dll.mui0x002b00000x002b0fffmapped_fileFalse
pagefile_0x00000000002c00000x002c00000x002c1fffpagefile_backedTrue
msutb.dll.mui0x002d00000x002d1fffmapped_fileFalse
private_0x00000000002e00000x002e00000x002e0fffprivateTrue
private_0x00000000002f00000x002f00000x002f0fffprivateTrue
private_0x00000000003000000x003000000x0030ffffprivateTrue
private_0x00000000003100000x003100000x0031ffffprivateTrue
private_0x00000000003200000x003200000x0041ffffprivateTrue
pagefile_0x00000000004200000x004200000x005a7fffpagefile_backedTrue
pagefile_0x00000000005b00000x005b00000x00730fffpagefile_backedTrue
pagefile_0x00000000007400000x007400000x01b3ffffpagefile_backedTrue
winmm.dll.mui0x01b400000x01b45fffmapped_fileFalse
private_0x0000000001b500000x01b500000x01b50fffprivateTrue
pagefile_0x0000000001b600000x01b600000x01b6ffffpagefile_backedTrue
pagefile_0x0000000001b700000x01b700000x01b7ffffpagefile_backedTrue
pagefile_0x0000000001b800000x01b800000x01b8ffffpagefile_backedTrue
pagefile_0x0000000001b900000x01b900000x01b9ffffpagefile_backedTrue
pagefile_0x0000000001ba00000x01ba00000x01baffffpagefile_backedTrue
pagefile_0x0000000001bb00000x01bb00000x01bbffffpagefile_backedTrue
private_0x0000000001bc00000x01bc00000x01bc7fffprivateTrue
private_0x0000000001bd00000x01bd00000x01bdffffprivateTrue
private_0x0000000001be00000x01be00000x01c5ffffprivateTrue
pagefile_0x0000000001c600000x01c600000x01d3efffpagefile_backedTrue
private_0x0000000001d400000x01d400000x01dbffffprivateTrue
KernelBase.dll.mui0x01dc00000x01e7ffffmapped_fileFalse
private_0x0000000001e800000x01e800000x01efffffprivateTrue
private_0x0000000001f000000x01f000000x01f3ffffprivateTrue
private_0x0000000001f400000x01f400000x01f4ffffprivateTrue
private_0x0000000001f500000x01f500000x01f5ffffprivateTrue
private_0x0000000001f600000x01f600000x01f60fffprivateTrue
private_0x0000000001f700000x01f700000x01f71fffprivateTrue
private_0x0000000001f800000x01f800000x01ffffffprivateTrue
private_0x00000000020000000x020000000x0207ffffprivateTrue
private_0x00000000020800000x020800000x02080fffprivateTrue
private_0x00000000020900000x020900000x0209ffffprivateTrue
private_0x00000000020a00000x020a00000x020a7fffprivateTrue
private_0x00000000020b00000x020b00000x020bffffprivateTrue
private_0x00000000020c00000x020c00000x020cffffprivateTrue
private_0x00000000020d00000x020d00000x0214ffffprivateTrue
pagefile_0x00000000021500000x021500000x0215ffffpagefile_backedTrue
pagefile_0x00000000021600000x021600000x0216ffffpagefile_backedTrue
pagefile_0x00000000021700000x021700000x0217ffffpagefile_backedTrue
pagefile_0x00000000021800000x021800000x0218ffffpagefile_backedTrue
pagefile_0x00000000021900000x021900000x0219ffffpagefile_backedTrue
pagefile_0x00000000021a00000x021a00000x021affffpagefile_backedTrue
private_0x00000000021b00000x021b00000x0222ffffprivateTrue
WebCacheV01.dat0x022300000x0223ffffmapped_fileTrue
private_0x00000000022400000x022400000x022bffffprivateTrue
WebCacheV01.dat0x022c00000x022cffffmapped_fileTrue
private_0x00000000022d00000x022d00000x0234ffffprivateTrue
WebCacheV01.dat0x023500000x0235ffffmapped_fileTrue
private_0x00000000023600000x023600000x02367fffprivateTrue
WebCacheV01.dat0x023700000x0237ffffmapped_fileTrue
WebCacheV01.dat0x023800000x0238ffffmapped_fileTrue
WebCacheV01.dat0x023900000x0239ffffmapped_fileTrue
WebCacheV01.dat0x023a00000x023affffmapped_fileTrue
WebCacheV01.dat0x023b00000x023bffffmapped_fileTrue
private_0x00000000023c00000x023c00000x024bffffprivateTrue
SortDefault.nls0x024c00000x0278efffmapped_fileFalse
private_0x00000000027900000x027900000x0280ffffprivateTrue
WebCacheV01.dat0x028100000x0281ffffmapped_fileTrue
WebCacheV01.dat0x028200000x0282ffffmapped_fileTrue
WebCacheV01.dat0x028300000x0283ffffmapped_fileTrue
WebCacheV01.dat0x028400000x0284ffffmapped_fileTrue
WebCacheV01.dat0x028500000x0285ffffmapped_fileTrue
WebCacheV01.dat0x028600000x0286ffffmapped_fileTrue
private_0x00000000028700000x028700000x028effffprivateTrue
WebCacheV01.dat0x028f00000x028fffffmapped_fileTrue
private_0x00000000029000000x029000000x0290ffffprivateTrue
private_0x00000000029100000x029100000x0291ffffprivateTrue
private_0x00000000029200000x029200000x0299ffffprivateTrue
private_0x00000000029a00000x029a00000x02a9ffffprivateTrue
private_0x0000000002aa00000x02aa00000x03a9ffffprivateTrue
pagefile_0x0000000003aa00000x03aa00000x03b0ffffpagefile_backedTrue
pagefile_0x0000000003b100000x03b100000x03b7ffffpagefile_backedTrue
private_0x0000000003b800000x03b800000x03b8ffffprivateTrue
private_0x0000000003b900000x03b900000x03b97fffprivateTrue
private_0x0000000003ba00000x03ba00000x03ba7fffprivateTrue
pagefile_0x0000000003bb00000x03bb00000x03bbffffpagefile_backedTrue
setupapi.dll.mui0x03bc00000x03bccfffmapped_fileFalse
private_0x0000000003cf00000x03cf00000x03d6ffffprivateTrue
user32.dll0x774500000x77549fffmapped_fileFalse
kernel32.dll0x775500000x7766efffmapped_fileFalse
ntdll.dll0x776700000x77818fffmapped_fileFalse
normaliz.dll0x778300000x77832fffmapped_fileFalse
psapi.dll0x778400000x77846fffmapped_fileFalse
pagefile_0x000000007efe00000x7efe00000x7f0dffffpagefile_backedTrue
private_0x000000007f0e00000x7f0e00000x7ffdffffprivateTrue
private_0x000000007ffe00000x7ffe00000x7ffeffffprivateTrue
taskhost.exe0xff4300000xff443fffmapped_fileFalse
AuxiliaryDisplayServices.dll0x7fef41500000x7fef4173fffmapped_fileFalse
winmm.dll0x7fef79900000x7fef79cafffmapped_fileFalse
esent.dll0x7fef79d00000x7fef7c49fffmapped_fileFalse
api-ms-win-downlevel-advapi32-l2-1-0.dll0x7fef7c500000x7fef7c53fffmapped_fileFalse
npmproxy.dll0x7fef89200000x7fef892bfffmapped_fileFalse
dimsjob.dll0x7fef89500000x7fef895dfffmapped_fileFalse
netprofm.dll0x7fef8b800000x7fef8bf3fffmapped_fileFalse
PlaySndSrv.dll0x7fef9ed00000x7fef9ee7fffmapped_fileFalse
msutb.dll0x7fef9ef00000x7fef9f2cfffmapped_fileFalse
MsCtfMonitor.dll0x7fef9f300000x7fef9f3afffmapped_fileFalse
HotStartUserAgent.dll0x7fef9f400000x7fef9f4afffmapped_fileFalse
slc.dll0x7fefad200000x7fefad2afffmapped_fileFalse
dsrole.dll0x7fefad300000x7fefad3bfffmapped_fileFalse
nlaapi.dll0x7fefad400000x7fefad54fffmapped_fileFalse
taskschd.dll0x7fefae700000x7fefaf96fffmapped_fileFalse
wtsapi32.dll0x7fefb6c00000x7fefb6d0fffmapped_fileFalse
dwmapi.dll0x7fefb8a00000x7fefb8b7fffmapped_fileFalse
uxtheme.dll0x7fefbcd00000x7fefbd25fffmapped_fileFalse
sqmapi.dll0x7fefc1d00000x7fefc217fffmapped_fileFalse
version.dll0x7fefc5700000x7fefc57bfffmapped_fileFalse
rsaenh.dll0x7fefc9800000x7fefc9c6fffmapped_fileFalse
cryptsp.dll0x7fefcc800000x7fefcc96fffmapped_fileFalse
sspicli.dll0x7fefd2500000x7fefd274fffmapped_fileFalse
cryptbase.dll0x7fefd2e00000x7fefd2eefffmapped_fileFalse
winsta.dll0x7fefd3900000x7fefd3ccfffmapped_fileFalse
RpcRtRemote.dll0x7fefd3d00000x7fefd3e3fffmapped_fileFalse
profapi.dll0x7fefd4900000x7fefd49efffmapped_fileFalse
cfgmgr32.dll0x7fefd4a00000x7fefd4d5fffmapped_fileFalse
userenv.dll0x7fefd4e00000x7fefd4fdfffmapped_fileFalse
api-ms-win-downlevel-normaliz-l1-1-0.dll0x7fefd5000000x7fefd502fffmapped_fileFalse
api-ms-win-downlevel-advapi32-l1-1-0.dll0x7fefd5100000x7fefd514fffmapped_fileFalse
devobj.dll0x7fefd5200000x7fefd539fffmapped_fileFalse
KernelBase.dll0x7fefd5400000x7fefd5abfffmapped_fileFalse
api-ms-win-downlevel-ole32-l1-1-0.dll0x7fefd5f00000x7fefd5f3fffmapped_fileFalse
api-ms-win-downlevel-user32-l1-1-0.dll0x7fefd6000000x7fefd603fffmapped_fileFalse
api-ms-win-downlevel-shlwapi-l1-1-0.dll0x7fefd8200000x7fefd823fffmapped_fileFalse
api-ms-win-downlevel-version-l1-1-0.dll0x7fefd8300000x7fefd833fffmapped_fileFalse
imm32.dll0x7fefd8400000x7fefd86dfffmapped_fileFalse
advapi32.dll0x7fefd8700000x7fefd94afffmapped_fileFalse
clbcatq.dll0x7fefd9d00000x7fefda68fffmapped_fileFalse
gdi32.dll0x7fefda700000x7fefdad6fffmapped_fileFalse
iertutil.dll0x7fefdae00000x7fefdd8afffmapped_fileFalse
lpk.dll0x7fefdd900000x7fefdd9dfffmapped_fileFalse
nsi.dll0x7fefddf00000x7fefddf7fffmapped_fileFalse
wininet.dll0x7fefde000000x7fefe030fffmapped_fileFalse
shlwapi.dll0x7fefe0400000x7fefe0b0fffmapped_fileFalse
sechost.dll0x7fefe2900000x7fefe2aefffmapped_fileFalse
oleaut32.dll0x7fefe2b00000x7fefe386fffmapped_fileFalse
setupapi.dll0x7fefe4300000x7fefe606fffmapped_fileFalse
msctf.dll0x7fefe6100000x7fefe718fffmapped_fileFalse
ole32.dll0x7fefe7200000x7fefe922fffmapped_fileFalse
shell32.dll0x7fefe9300000x7feff6b7fffmapped_fileFalse
usp10.dll0x7feff6c00000x7feff788fffmapped_fileFalse
rpcrt4.dll0x7feff7900000x7feff8bcfffmapped_fileFalse
msvcrt.dll0x7feff8c00000x7feff95efffmapped_fileFalse
apisetschema.dll0x7feff9900000x7feff990fffmapped_fileFalse
private_0x000007fffffa60000x7fffffa60000x7fffffa7fffprivateTrue
private_0x000007fffffa80000x7fffffa80000x7fffffa9fffprivateTrue
private_0x000007fffffaa0000x7fffffaa0000x7fffffabfffprivateTrue
private_0x000007fffffac0000x7fffffac0000x7fffffadfffprivateTrue
private_0x000007fffffae0000x7fffffae0000x7fffffaffffprivateTrue
pagefile_0x000007fffffb00000x7fffffb00000x7fffffd2fffpagefile_backedTrue
private_0x000007fffffd30000x7fffffd30000x7fffffd3fffprivateTrue
private_0x000007fffffd40000x7fffffd40000x7fffffd5fffprivateTrue
private_0x000007fffffd60000x7fffffd60000x7fffffd7fffprivateTrue
private_0x000007fffffd80000x7fffffd80000x7fffffd9fffprivateTrue
private_0x000007fffffda0000x7fffffda0000x7fffffdbfffprivateTrue
private_0x000007fffffdc0000x7fffffdc0000x7fffffddfffprivateTrue
private_0x000007fffffde0000x7fffffde0000x7fffffdffffprivateTrue
OS TIDs
0xb98, 0x764, 0x7b0, 0x7a0, 0x79c, 0x798, 0x794, 0x4b4, 0x4ac, 0x4a8, 0x4a0, 0x490
ID#22
OS PID: 0x494
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x13999000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
pagefile_0x00000000000100000x000100000x0001ffffpagefile_backedTrue
svchost.exe.mui0x000200000x00020fffmapped_fileFalse
pagefile_0x00000000000300000x000300000x00033fffpagefile_backedTrue
pagefile_0x00000000000400000x000400000x00040fffpagefile_backedTrue
private_0x00000000000500000x000500000x00050fffprivateTrue
locale.nls0x000600000x000c6fffmapped_fileFalse
pagefile_0x00000000000d00000x000d00000x0018ffffpagefile_backedTrue
private_0x00000000001900000x001900000x0020ffffprivateTrue
private_0x00000000002100000x002100000x00210fffprivateTrue
private_0x00000000002200000x002200000x00220fffprivateTrue
bfe.dll.mui0x002300000x00236fffmapped_fileFalse
FirewallAPI.dll.mui0x002400000x0025bfffmapped_fileFalse
private_0x00000000002600000x002600000x00260fffprivateTrue
pagefile_0x00000000002700000x002700000x00270fffpagefile_backedTrue
private_0x00000000002800000x002800000x0037ffffprivateTrue
private_0x00000000003800000x003800000x0047ffffprivateTrue
pagefile_0x00000000004800000x004800000x00480fffpagefile_backedTrue
private_0x00000000004900000x004900000x00497fffprivateTrue
private_0x00000000004a00000x004a00000x0051ffffprivateTrue
private_0x00000000005200000x005200000x0052ffffprivateTrue
pagefile_0x00000000005300000x005300000x006b7fffpagefile_backedTrue
pagefile_0x00000000006c00000x006c00000x00840fffpagefile_backedTrue
pagefile_0x00000000008500000x008500000x00850fffpagefile_backedTrue
pagefile_0x00000000008c00000x008c00000x008c1fffpagefile_backedTrue
private_0x00000000009000000x009000000x0097ffffprivateTrue
private_0x0000000000990000 | 0x00990000 | 0x00a0ffff | private | True
private_0x0000000000a30000 | 0x00a30000 | 0x00aaffff | private | True
private_0x0000000000b20000 | 0x00b20000 | 0x00b9ffff | private | True
private_0x0000000000bc0000 | 0x00bc0000 | 0x00c3ffff | private | True
SortDefault.nls | 0x00c40000 | 0x00f0efff | mapped_file | False
private_0x0000000000f20000 | 0x00f20000 | 0x00f9ffff | private | True
private_0x0000000000fe0000 | 0x00fe0000 | 0x0105ffff | private | True
private_0x00000000010b0000 | 0x010b0000 | 0x0112ffff | private | True
private_0x0000000001150000 | 0x01150000 | 0x011cffff | private | True
private_0x00000000011e0000 | 0x011e0000 | 0x0125ffff | private | True
private_0x0000000001300000 | 0x01300000 | 0x0137ffff | private | True
private_0x0000000001390000 | 0x01390000 | 0x0140ffff | private | True
private_0x0000000001410000 | 0x01410000 | 0x0148ffff | private | True
private_0x0000000001510000 | 0x01510000 | 0x0158ffff | private | True
private_0x00000000015d0000 | 0x015d0000 | 0x0164ffff | private | True
private_0x0000000001650000 | 0x01650000 | 0x016cffff | private | True
private_0x0000000001720000 | 0x01720000 | 0x0179ffff | private | True
private_0x00000000017b0000 | 0x017b0000 | 0x0182ffff | private | True
private_0x0000000001830000 | 0x01830000 | 0x0192ffff | private | True
private_0x0000000001930000 | 0x01930000 | 0x01a2ffff | private | True
private_0x0000000001aa0000 | 0x01aa0000 | 0x01b1ffff | private | True
private_0x0000000001b40000 | 0x01b40000 | 0x01bbffff | private | True
private_0x0000000001bf0000 | 0x01bf0000 | 0x01c6ffff | private | True
private_0x0000000001c90000 | 0x01c90000 | 0x01c9ffff | private | True
private_0x0000000001cd0000 | 0x01cd0000 | 0x01d4ffff | private | True
private_0x0000000001d50000 | 0x01d50000 | 0x01dcffff | private | True
private_0x0000000001dd0000 | 0x01dd0000 | 0x01e4ffff | private | True
private_0x0000000001e70000 | 0x01e70000 | 0x01eeffff | private | True
private_0x0000000001ef0000 | 0x01ef0000 | 0x01f6ffff | private | True
private_0x0000000001fa0000 | 0x01fa0000 | 0x020bffff | private | True
private_0x00000000020e0000 | 0x020e0000 | 0x0215ffff | private | True
private_0x00000000021d0000 | 0x021d0000 | 0x0224ffff | private | True
private_0x0000000002250000 | 0x02250000 | 0x0244ffff | private | True
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
svchost.exe | 0xff920000 | 0xff92afff | mapped_file | False
wdiasqmmodule.dll | 0x7fef84b0000 | 0x7fef84bcfff | mapped_file | False
radardt.dll | 0x7fef84c0000 | 0x7fef84dcfff | mapped_file | False
pnpts.dll | 0x7fef84e0000 | 0x7fef84e7fff | mapped_file | False
diagperf.dll | 0x7fef8510000 | 0x7fef8659fff | mapped_file | False
npmproxy.dll | 0x7fef8920000 | 0x7fef892bfff | mapped_file | False
wdi.dll | 0x7fef8930000 | 0x7fef8948fff | mapped_file | False
netprofm.dll | 0x7fef8b80000 | 0x7fef8bf3fff | mapped_file | False
wfapigp.dll | 0x7fef9b50000 | 0x7fef9b59fff | mapped_file | False
dps.dll | 0x7fef9b60000 | 0x7fef9b8bfff | mapped_file | False
MPSSVC.dll | 0x7fef9e00000 | 0x7fef9ecdfff | mapped_file | False
BFE.DLL | 0x7fef9f50000 | 0x7fef9ffffff | mapped_file | False
dhcpcsvc.dll | 0x7fefaa10000 | 0x7fefaa27fff | mapped_file | False
dhcpcsvc6.dll | 0x7fefaa30000 | 0x7fefaa40fff | mapped_file | False
FWPUCLNT.DLL | 0x7fefaa60000 | 0x7fefaab2fff | mapped_file | False
winnsi.dll | 0x7fefabc0000 | 0x7fefabcafff | mapped_file | False
IPHLPAPI.DLL | 0x7fefabd0000 | 0x7fefabf6fff | mapped_file | False
slc.dll | 0x7fefad20000 | 0x7fefad2afff | mapped_file | False
nlaapi.dll | 0x7fefad40000 | 0x7fefad54fff | mapped_file | False
taskschd.dll | 0x7fefae70000 | 0x7fefaf96fff | mapped_file | False
wtsapi32.dll | 0x7fefb6c0000 | 0x7fefb6d0fff | mapped_file | False
ntmarta.dll | 0x7fefc370000 | 0x7fefc39cfff | mapped_file | False
version.dll | 0x7fefc570000 | 0x7fefc57bfff | mapped_file | False
FirewallAPI.dll | 0x7fefc580000 | 0x7fefc63afff | mapped_file | False
WSHTCPIP.DLL | 0x7fefc640000 | 0x7fefc646fff | mapped_file | False
gpapi.dll | 0x7fefc730000 | 0x7fefc74afff | mapped_file | False
credssp.dll | 0x7fefc880000 | 0x7fefc889fff | mapped_file | False
pcwum.dll | 0x7fefc890000 | 0x7fefc89cfff | mapped_file | False
rsaenh.dll | 0x7fefc980000 | 0x7fefc9c6fff | mapped_file | False
wship6.dll | 0x7fefcc10000 | 0x7fefcc16fff | mapped_file | False
mswsock.dll | 0x7fefcc20000 | 0x7fefcc74fff | mapped_file | False
cryptsp.dll | 0x7fefcc80000 | 0x7fefcc96fff | mapped_file | False
bcrypt.dll | 0x7fefcdf0000 | 0x7fefce11fff | mapped_file | False
authz.dll | 0x7fefce70000 | 0x7fefce9efff | mapped_file | False
secur32.dll | 0x7fefd220000 | 0x7fefd22afff | mapped_file | False
sspicli.dll | 0x7fefd250000 | 0x7fefd274fff | mapped_file | False
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
RpcRtRemote.dll | 0x7fefd3d0000 | 0x7fefd3e3fff | mapped_file | False
profapi.dll | 0x7fefd490000 | 0x7fefd49efff | mapped_file | False
cfgmgr32.dll | 0x7fefd4a0000 | 0x7fefd4d5fff | mapped_file | False
userenv.dll | 0x7fefd4e0000 | 0x7fefd4fdfff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
imm32.dll | 0x7fefd840000 | 0x7fefd86dfff | mapped_file | False
advapi32.dll | 0x7fefd870000 | 0x7fefd94afff | mapped_file | False
clbcatq.dll | 0x7fefd9d0000 | 0x7fefda68fff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
ws2_32.dll | 0x7fefdda0000 | 0x7fefddecfff | mapped_file | False
nsi.dll | 0x7fefddf0000 | 0x7fefddf7fff | mapped_file | False
shlwapi.dll | 0x7fefe040000 | 0x7fefe0b0fff | mapped_file | False
Wldap32.dll | 0x7fefe0c0000 | 0x7fefe111fff | mapped_file | False
sechost.dll | 0x7fefe290000 | 0x7fefe2aefff | mapped_file | False
oleaut32.dll | 0x7fefe2b0000 | 0x7fefe386fff | mapped_file | False
msctf.dll | 0x7fefe610000 | 0x7fefe718fff | mapped_file | False
ole32.dll | 0x7fefe720000 | 0x7fefe922fff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
private_0x000007fffff84000 | 0x7fffff84000 | 0x7fffff85fff | private | True
private_0x000007fffff86000 | 0x7fffff86000 | 0x7fffff87fff | private | True
private_0x000007fffff88000 | 0x7fffff88000 | 0x7fffff89fff | private | True
private_0x000007fffff8a000 | 0x7fffff8a000 | 0x7fffff8bfff | private | True
private_0x000007fffff8c000 | 0x7fffff8c000 | 0x7fffff8dfff | private | True
private_0x000007fffff8e000 | 0x7fffff8e000 | 0x7fffff8ffff | private | True
private_0x000007fffff90000 | 0x7fffff90000 | 0x7fffff91fff | private | True
private_0x000007fffff92000 | 0x7fffff92000 | 0x7fffff93fff | private | True
private_0x000007fffff94000 | 0x7fffff94000 | 0x7fffff95fff | private | True
private_0x000007fffff96000 | 0x7fffff96000 | 0x7fffff97fff | private | True
private_0x000007fffff98000 | 0x7fffff98000 | 0x7fffff99fff | private | True
private_0x000007fffff9a000 | 0x7fffff9a000 | 0x7fffff9bfff | private | True
private_0x000007fffff9c000 | 0x7fffff9c000 | 0x7fffff9dfff | private | True
private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | private | True
private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | private | True
private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | private | True
private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | private | True
private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | private | True
private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | private | True
private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | private | True
private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | private | True
private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | private | True
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | private | True
private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | private | True
private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | private | True
private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | private | True
private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | private | True
private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | private | True
private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | private | True
OS TIDs
0x680, 0x264, 0x590, 0x718, 0x710, 0x70c, 0x708, 0x700, 0x6fc, 0x6c0, 0x694, 0x640, 0x624, 0x578, 0x574, 0x570, 0x56c, 0x554, 0x528, 0x514, 0x510, 0x4f0, 0x4cc, 0x4c4, 0x4bc, 0x4b0, 0x4a4, 0x498
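The per-process memory-region tables in this report (columns Name, Start VA, End VA, Type, Monitored) were flattened on extraction into one string per row, for example `rsaenh.dll0x7fefc9800000x7fefc9c6fffmapped_fileFalse`. The following Python is an added example, not part of the VMRay report or of any VMRay tooling: it splits such rows back into fields, runs the sanity checks an analyst would want over a region list (page alignment, overlaps, monitored file-backed mappings, which on this page are the search-index data files rather than code), and compares module base addresses between two processes. The sample rows are copied from the tables above, except for one constructed `cryptbase.dll` row at a low base in the second process, which is hypothetical and exists only to show the comparison firing; the "same DLL, same base across processes" expectation is a heuristic assumption for this Windows 7 x64 guest, not something the report states.

```python
import re

# Row format of the report's "Name / Start VA / End VA / Type / Monitored" tables after
# HTML extraction fused the columns. The name may itself contain "0x" (private_0x...,
# {GUID}.2.ver0x...13.db), so the name is matched lazily and the fixed trailer
# (two hex addresses, region type, True/False) anchors the split from the right.
_ROW_RE = re.compile(
    r"^(?P<name>.+?)"
    r"(?P<start>0x[0-9a-f]+)"
    r"(?P<end>0x[0-9a-f]+)"
    r"(?P<type>private|mapped_file|pagefile_backed)"
    r"(?P<monitored>True|False)$"
)
PAGE = 0x1000  # x86-64 small page; every region in the report is page-granular


def parse_region_row(row):
    """Split one fused row into a dict with integer addresses; ValueError if it does not fit."""
    m = _ROW_RE.match(row.strip())
    if not m:
        raise ValueError("unparsable region row: %r" % row)
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    if end < start:
        raise ValueError("end before start: %r" % row)
    return {"name": m.group("name"), "start": start, "end": end, "size": end - start + 1,
            "type": m.group("type"), "monitored": m.group("monitored") == "True"}


def parse_region_table(text):
    """Parse a block of rows (one per line), skipping blanks and the column header."""
    rows = [l.strip() for l in text.splitlines()]
    regions = [parse_region_row(l) for l in rows if l and not l.startswith("Name ")]
    return sorted(regions, key=lambda r: r["start"])


def check_regions(regions):
    """Return (finding, region name) pairs for things a reviewer would look at first."""
    findings, prev = [], None
    for r in regions:  # assumes the sorted output of parse_region_table()
        if r["start"] % PAGE or (r["end"] + 1) % PAGE:
            findings.append(("not page aligned", r["name"]))
        if prev is not None and r["start"] <= prev["end"]:
            findings.append(("overlaps previous region", r["name"]))
        # Monitored private/pagefile regions are where unpacked or injected code would
        # land and are expected; a monitored *file-backed* mapping is rarer and worth a look.
        if r["monitored"] and r["type"] == "mapped_file":
            findings.append(("monitored mapped file", r["name"]))
        prev = r
    return findings


def module_bases(regions):
    """Map each image-backed module (lower-cased name) to its load base."""
    return {r["name"].lower(): r["start"] for r in regions
            if r["type"] == "mapped_file" and r["name"].lower().endswith((".dll", ".exe"))}


def compare_module_bases(regions_a, regions_b):
    """Modules present in both processes but at different bases.

    Heuristic, not a report feature: on a Windows 7 guest a system DLL is relocated once
    per boot and then shares its base across processes, so the same file name at a
    different base in two processes means a different image (or a forced relocation).
    """
    a, b = module_bases(regions_a), module_bases(regions_b)
    return {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}


# Sample input: rows copied from the taskeng.exe (#23) table above.
TASKENG_ROWS = """
Name Start VA End VA Type Monitored
pagefile_0x00000000000100000x000100000x0001ffffpagefile_backedTrue
TaskEng.exe.mui0x000200000x00020fffmapped_fileFalse
private_0x00000000000500000x000500000x00050fffprivateTrue
ntdll.dll0x776700000x77818fffmapped_fileFalse
taskeng.exe0xff4000000xff473fffmapped_fileFalse
cryptbase.dll0x7fefd2e00000x7fefd2eefffmapped_fileFalse
KernelBase.dll0x7fefd5400000x7fefd5abfffmapped_fileFalse
"""

# Sample input: rows from the rundll32.exe (#27) table above, plus one CONSTRUCTED row:
# a cryptbase.dll mapped at 0x001d0000 and monitored, i.e. a copy that is not the system one.
RUNDLL_ROWS = """
cryptbase.dll0x001d00000x001dffffmapped_fileTrue
ntdll.dll0x776700000x77818fffmapped_fileFalse
rundll32.exe0xffae00000xffaeefffmapped_fileFalse
KernelBase.dll0x7fefd5400000x7fefd5abfffmapped_fileFalse
"""

if __name__ == "__main__":
    taskeng, rundll = parse_region_table(TASKENG_ROWS), parse_region_table(RUNDLL_ROWS)
    for proc, regs in (("taskeng.exe", taskeng), ("rundll32.exe", rundll)):
        print(proc, len(regs), "regions, findings:", check_regions(regs))
    for name, (ba, bb) in compare_module_bases(taskeng, rundll).items():
        print("base mismatch %-16s taskeng=%#x rundll32=%#x" % (name, ba, bb))
```

Run it over a whole process table by pasting the rows into the string; rows that do not fit the five-column shape raise rather than being silently dropped, which is what you want when a report has been mangled in transit.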
ID #23
OS PID: 0x4d8
OS Parent PID: 0x394
Image Name: taskeng.exe
Page Root: 0x13694000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: taskeng.exe {156F8AD7-825D-4321-B1E4-BA03D81FD813} S-1-5-21-272637189-1204002015-1709914517-1000:user-PC\user:Interactive:Highest[1]
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | pagefile_backed | True
TaskEng.exe.mui | 0x00020000 | 0x00020fff | mapped_file | False
pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | pagefile_backed | True
pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | pagefile_backed | True
private_0x0000000000050000 | 0x00050000 | 0x00050fff | private | True
private_0x0000000000060000 | 0x00060000 | 0x00060fff | private | True
private_0x0000000000070000 | 0x00070000 | 0x00070fff | private | True
pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | pagefile_backed | True
private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | private | True
private_0x0000000000210000 | 0x00210000 | 0x0028ffff | private | True
locale.nls | 0x00290000 | 0x002f6fff | mapped_file | False
private_0x0000000000300000 | 0x00300000 | 0x003fffff | private | True
private_0x0000000000420000 | 0x00420000 | 0x0042ffff | private | True
pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | pagefile_backed | True
pagefile_0x00000000005c0000 | 0x005c0000 | 0x00740fff | pagefile_backed | True
pagefile_0x0000000000750000 | 0x00750000 | 0x01b4ffff | pagefile_backed | True
private_0x0000000001b90000 | 0x01b90000 | 0x01c0ffff | private | True
private_0x0000000001c20000 | 0x01c20000 | 0x01c9ffff | private | True
private_0x0000000001ca0000 | 0x01ca0000 | 0x01d1ffff | private | True
private_0x0000000001d20000 | 0x01d20000 | 0x01e1ffff | private | True
private_0x0000000001e90000 | 0x01e90000 | 0x01f0ffff | private | True
SortDefault.nls | 0x01f10000 | 0x021defff | mapped_file | False
pagefile_0x00000000021e0000 | 0x021e0000 | 0x022befff | pagefile_backed | True
private_0x00000000022c0000 | 0x022c0000 | 0x0233ffff | private | True
private_0x00000000023f0000 | 0x023f0000 | 0x0246ffff | private | True
private_0x0000000002590000 | 0x02590000 | 0x0260ffff | private | True
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
taskeng.exe | 0xff400000 | 0xff473fff | mapped_file | False
TSChannel.dll | 0x7fef9df0000 | 0x7fef9df8fff | mapped_file | False
ktmw32.dll | 0x7fefa750000 | 0x7fefa759fff | mapped_file | False
xmllite.dll | 0x7fefb860000 | 0x7fefb894fff | mapped_file | False
dwmapi.dll | 0x7fefb8a0000 | 0x7fefb8b7fff | mapped_file | False
uxtheme.dll | 0x7fefbcd0000 | 0x7fefbd25fff | mapped_file | False
rsaenh.dll | 0x7fefc980000 | 0x7fefc9c6fff | mapped_file | False
cryptsp.dll | 0x7fefcc80000 | 0x7fefcc96fff | mapped_file | False
wevtapi.dll | 0x7fefceb0000 | 0x7fefcf1cfff | mapped_file | False
sspicli.dll | 0x7fefd250000 | 0x7fefd274fff | mapped_file | False
apphelp.dll | 0x7fefd280000 | 0x7fefd2d6fff | mapped_file | False
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
RpcRtRemote.dll | 0x7fefd3d0000 | 0x7fefd3e3fff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
imm32.dll | 0x7fefd840000 | 0x7fefd86dfff | mapped_file | False
advapi32.dll | 0x7fefd870000 | 0x7fefd94afff | mapped_file | False
clbcatq.dll | 0x7fefd9d0000 | 0x7fefda68fff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
shlwapi.dll | 0x7fefe040000 | 0x7fefe0b0fff | mapped_file | False
sechost.dll | 0x7fefe290000 | 0x7fefe2aefff | mapped_file | False
oleaut32.dll | 0x7fefe2b0000 | 0x7fefe386fff | mapped_file | False
msctf.dll | 0x7fefe610000 | 0x7fefe718fff | mapped_file | False
ole32.dll | 0x7fefe720000 | 0x7fefe922fff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | private | True
private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | private | True
private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | private | True
private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | private | True
private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | private | True
private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | private | True
private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | private | True
OS TIDs
0x508, 0x504, 0x4fc, 0x4e4, 0x4e0, 0x4dc
ID #24
OS PID: 0x558
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x12b11000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
OS TIDs
0x7ec, 0x780, 0x660, 0x65c, 0x658, 0x654, 0x650, 0x64c, 0x5c0, 0x580, 0x57c, 0x564, 0x55c, 0x5b8, 0x520, 0x518
ID #25
OS PID: 0x698
OS Parent PID: 0x1c4
Image Name: sppsvc.exe
Page Root: 0x11308000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\sppsvc.exe
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
OS TIDs
0x7d0, 0x7c4, 0x6e0, 0x6b8, 0x6b4, 0x6a0, 0x69c
ID #26
OS PID: 0x6cc
OS Parent PID: 0x1c4
Image Name: svchost.exe
Page Root: 0x10c12000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
OS TIDs
0x358, 0x714, 0x6e8, 0x6e4, 0x6dc, 0x6d0
ID #27
OS PID: 0x734
OS Parent PID: 0x244
Image Name: rundll32.exe
Page Root: 0x111da000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | pagefile_backed | True
rundll32.exe.mui | 0x00020000 | 0x00020fff | mapped_file | False
pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | pagefile_backed | True
pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | pagefile_backed | True
private_0x0000000000050000 | 0x00050000 | 0x00050fff | private | True
locale.nls | 0x00060000 | 0x000c6fff | mapped_file | False
private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | private | True
private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | private | True
pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f1fff | pagefile_backed | True
pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | pagefile_backed | True
pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | pagefile_backed | True
pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | pagefile_backed | True
private_0x0000000000140000 | 0x00140000 | 0x001bffff | private | True
private_0x00000000001c0000 | 0x001c0000 | 0x0023ffff | private | True
private_0x0000000000240000 | 0x00240000 | 0x0033ffff | private | True
pagefile_0x0000000000340000 | 0x00340000 | 0x00341fff | pagefile_backed | True
private_0x0000000000370000 | 0x00370000 | 0x0046ffff | private | True
private_0x0000000000510000 | 0x00510000 | 0x0058ffff | private | True
private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | private | True
pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | pagefile_backed | True
pagefile_0x0000000000760000 | 0x00760000 | 0x008e0fff | pagefile_backed | True
pagefile_0x00000000008f0000 | 0x008f0000 | 0x01ceffff | pagefile_backed | True
private_0x0000000001d60000 | 0x01d60000 | 0x01ddffff | private | True
pagefile_0x0000000001de0000 | 0x01de0000 | 0x01ebefff | pagefile_backed | True
private_0x0000000001ee0000 | 0x01ee0000 | 0x01f5ffff | private | True
SortDefault.nls | 0x01f60000 | 0x0222efff | mapped_file | False
private_0x00000000022a0000 | 0x022a0000 | 0x0231ffff | private | True
private_0x00000000023b0000 | 0x023b0000 | 0x0242ffff | private | True
private_0x0000000002480000 | 0x02480000 | 0x024fffff | private | True
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
rundll32.exe | 0xffae0000 | 0xffaeefff | mapped_file | False
actxprxy.dll | 0x7fef7dc0000 | 0x7fef7eadfff | mapped_file | False
dwmapi.dll | 0x7fefb8a0000 | 0x7fefb8b7fff | mapped_file | False
uxtheme.dll | 0x7fefbcd0000 | 0x7fefbd25fff | mapped_file | False
comctl32.dll | 0x7fefbe80000 | 0x7fefc073fff | mapped_file | False
rsaenh.dll | 0x7fefc980000 | 0x7fefc9c6fff | mapped_file | False
cryptsp.dll | 0x7fefcc80000 | 0x7fefcc96fff | mapped_file | False
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
RpcRtRemote.dll | 0x7fefd3d0000 | 0x7fefd3e3fff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
imm32.dll | 0x7fefd840000 | 0x7fefd86dfff | mapped_file | False
advapi32.dll | 0x7fefd870000 | 0x7fefd94afff | mapped_file | False
clbcatq.dll | 0x7fefd9d0000 | 0x7fefda68fff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
shlwapi.dll | 0x7fefe040000 | 0x7fefe0b0fff | mapped_file | False
sechost.dll | 0x7fefe290000 | 0x7fefe2aefff | mapped_file | False
oleaut32.dll | 0x7fefe2b0000 | 0x7fefe386fff | mapped_file | False
msctf.dll | 0x7fefe610000 | 0x7fefe718fff | mapped_file | False
ole32.dll | 0x7fefe720000 | 0x7fefe922fff | mapped_file | False
shell32.dll | 0x7fefe930000 | 0x7feff6b7fff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
imagehlp.dll | 0x7feff960000 | 0x7feff978fff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | private | True
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | private | True
private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | private | True
private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | private | True
private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | private | True
private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | private | True
private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | private | True
OS TIDs
0x754, 0x748, 0x744, 0x740, 0x73c, 0x738
ID #28
OS PID: 0x688
OS Parent PID: 0x1c4
Image Name: searchindexer.exe
Page Root: 0x0f602000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\system32\SearchIndexer.exe /Embedding
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | pagefile_backed | True
SearchIndexer.exe.mui | 0x00020000 | 0x00021fff | mapped_file | False
pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | pagefile_backed | True
pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | pagefile_backed | True
private_0x0000000000050000 | 0x00050000 | 0x00050fff | private | True
private_0x0000000000060000 | 0x00060000 | 0x00060fff | private | True
private_0x0000000000070000 | 0x00070000 | 0x00070fff | private | True
pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | pagefile_backed | True
private_0x0000000000090000 | 0x00090000 | 0x0010ffff | private | True
private_0x0000000000110000 | 0x00110000 | 0x0020ffff | private | True
locale.nls | 0x00210000 | 0x00276fff | mapped_file | False
pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | pagefile_backed | True
pagefile_0x0000000000290000 | 0x00290000 | 0x002a5fff | pagefile_backed | True
private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | private | True
private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | private | True
pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | pagefile_backed | True
pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | pagefile_backed | True
pagefile_0x00000000006e0000 | 0x006e0000 | 0x0079ffff | pagefile_backed | True
pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a0fff | pagefile_backed | True
pagefile_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | pagefile_backed | True
pagefile_0x00000000007c0000 | 0x007c0000 | 0x007c0fff | pagefile_backed | True
pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | pagefile_backed | True
cversions.2.db | 0x007e0000 | 0x007e3fff | mapped_file | True
cversions.2.db | 0x007f0000 | 0x007f3fff | mapped_file | True
private_0x0000000000800000 | 0x00800000 | 0x0080ffff | private | True
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000013.db | 0x00810000 | 0x0083ffff | mapped_file | True
cversions.2.db | 0x00840000 | 0x00843fff | mapped_file | True
{80CEF694-92F9-4BDC-B349-951A4243108B}.2.ver0x0000000000000001.db | 0x00850000 | 0x00850fff | mapped_file | True
tquery.dll.mui | 0x00860000 | 0x0088ffff | mapped_file | False
private_0x0000000000890000 | 0x00890000 | 0x0090ffff | private | True
private_0x0000000000910000 | 0x00910000 | 0x00a0ffff | private | True
SortDefault.nls | 0x00a10000 | 0x00cdefff | mapped_file | False
private_0x0000000000ce0000 | 0x00ce0000 | 0x00cf9fff | private | True
private_0x0000000000d00000 | 0x00d00000 | 0x00d00fff | private | True
private_0x0000000000d10000 | 0x00d10000 | 0x00d17fff | private | True
private_0x0000000000d20000 | 0x00d20000 | 0x00d9ffff | private | True
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | 0x00da0000 | 0x00e05fff | mapped_file | True
private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | private | True
private_0x0000000000e20000 | 0x00e20000 | 0x00e2ffff | private | True
private_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | private | True
private_0x0000000000e40000 | 0x00e40000 | 0x00e40fff | private | True
ESENT.dll.mui | 0x00e50000 | 0x00e67fff | mapped_file | False
private_0x0000000000e70000 | 0x00e70000 | 0x00e71fff | private | True
private_0x0000000000e80000 | 0x00e80000 | 0x00efffff | private | True
private_0x0000000000f00000 | 0x00f00000 | 0x00f00fff | private | True
private_0x0000000000f10000 | 0x00f10000 | 0x00f17fff | private | True
private_0x0000000000f20000 | 0x00f20000 | 0x00f27fff | private | True
private_0x0000000000f30000 | 0x00f30000 | 0x00f3ffff | private | True
private_0x0000000000f40000 | 0x00f40000 | 0x00f47fff | private | True
private_0x0000000000f50000 | 0x00f50000 | 0x00f57fff | private | True
private_0x0000000000f60000 | 0x00f60000 | 0x00f6ffff | private | True
private_0x0000000000f70000 | 0x00f70000 | 0x00f7ffff | private | True
private_0x0000000000f80000 | 0x00f80000 | 0x00f87fff | private | True
private_0x0000000000f90000 | 0x00f90000 | 0x0100ffff | private | True
private_0x0000000001010000 | 0x01010000 | 0x01017fff | private | True
private_0x0000000001020000 | 0x01020000 | 0x01027fff | private | True
Windows.edb | 0x01030000 | 0x0103ffff | mapped_file | True
Windows.edb | 0x01040000 | 0x0104ffff | mapped_file | True
Windows.edb | 0x01050000 | 0x0105ffff | mapped_file | True
Windows.edb | 0x01060000 | 0x0106ffff | mapped_file | True
Windows.edb | 0x01070000 | 0x0107ffff | mapped_file | True
private_0x0000000001080000 | 0x01080000 | 0x010fffff | private | True
private_0x0000000001100000 | 0x01100000 | 0x011fffff | private | True
Windows.edb | 0x01200000 | 0x0120ffff | mapped_file | True
Windows.edb | 0x01210000 | 0x0121ffff | mapped_file | True
Windows.edb | 0x01220000 | 0x0122ffff | mapped_file | True
Windows.edb | 0x01230000 | 0x0123ffff | mapped_file | True
private_0x0000000001240000 | 0x01240000 | 0x012bffff | private | True
private_0x00000000012c0000 | 0x012c0000 | 0x013bffff | private | True
private_0x00000000013c0000 | 0x013c0000 | 0x014bffff | private | True
private_0x00000000014c0000 | 0x014c0000 | 0x015bffff | private | True
private_0x00000000015c0000 | 0x015c0000 | 0x016bffff | private | True
pagefile_0x00000000016c0000 | 0x016c0000 | 0x016cffff | pagefile_backed | True
pagefile_0x00000000016d0000 | 0x016d0000 | 0x016dffff | pagefile_backed | True
pagefile_0x00000000016e0000 | 0x016e0000 | 0x016effff | pagefile_backed | True
pagefile_0x00000000016f0000 | 0x016f0000 | 0x016fffff | pagefile_backed | True
pagefile_0x0000000001700000 | 0x01700000 | 0x0170ffff | pagefile_backed | True
pagefile_0x0000000001710000 | 0x01710000 | 0x0171ffff | pagefile_backed | True
pagefile_0x0000000001720000 | 0x01720000 | 0x0172ffff | pagefile_backed | True
pagefile_0x0000000001730000 | 0x01730000 | 0x0173ffff | pagefile_backed | True
pagefile_0x0000000001740000 | 0x01740000 | 0x0174ffff | pagefile_backed | True
pagefile_0x0000000001750000 | 0x01750000 | 0x0175ffff | pagefile_backed | True
pagefile_0x0000000001760000 | 0x01760000 | 0x0176ffff | pagefile_backed | True
pagefile_0x0000000001770000 | 0x01770000 | 0x0177ffff | pagefile_backed | True
pagefile_0x0000000001780000 | 0x01780000 | 0x0178ffff | pagefile_backed | True
pagefile_0x0000000001790000 | 0x01790000 | 0x0179ffff | pagefile_backed | True
pagefile_0x00000000017a0000 | 0x017a0000 | 0x017affff | pagefile_backed | True
pagefile_0x00000000017b0000 | 0x017b0000 | 0x017bffff | pagefile_backed | True
pagefile_0x00000000017c0000 | 0x017c0000 | 0x017cffff | pagefile_backed | True
pagefile_0x00000000017d0000 | 0x017d0000 | 0x017dffff | pagefile_backed | True
pagefile_0x00000000017e0000 | 0x017e0000 | 0x017effff | pagefile_backed | True
pagefile_0x00000000017f0000 | 0x017f0000 | 0x017fffff | pagefile_backed | True
pagefile_0x0000000001800000 | 0x01800000 | 0x0180ffff | pagefile_backed | True
pagefile_0x0000000001810000 | 0x01810000 | 0x0181ffff | pagefile_backed | True
pagefile_0x0000000001820000 | 0x01820000 | 0x0182ffff | pagefile_backed | True
pagefile_0x0000000001830000 | 0x01830000 | 0x0183ffff | pagefile_backed | True
pagefile_0x0000000001840000 | 0x01840000 | 0x0184ffff | pagefile_backed | True
pagefile_0x0000000001850000 | 0x01850000 | 0x0185ffff | pagefile_backed | True
pagefile_0x0000000001860000 | 0x01860000 | 0x0186ffff | pagefile_backed | True
pagefile_0x0000000001870000 | 0x01870000 | 0x0187ffff | pagefile_backed | True
pagefile_0x0000000001880000 | 0x01880000 | 0x0188ffff | pagefile_backed | True
pagefile_0x0000000001890000 | 0x01890000 | 0x0189ffff | pagefile_backed | True
pagefile_0x00000000018a0000 | 0x018a0000 | 0x018affff | pagefile_backed | True
pagefile_0x00000000018b0000 | 0x018b0000 | 0x018bffff | pagefile_backed | True
private_0x00000000018c0000 | 0x018c0000 | 0x019bffff | private | True
private_0x00000000019c0000 | 0x019c0000 | 0x029bffff | private | True
private_0x00000000029c0000 | 0x029c0000 | 0x02abffff | private | True
pagefile_0x0000000002ac0000 | 0x02ac0000 | 0x02b3ffff | pagefile_backed | True
pagefile_0x0000000002b40000 | 0x02b40000 | 0x02bbffff | pagefile_backed | True
Windows.edb | 0x02bc0000 | 0x02bcffff | mapped_file | True
Windows.edb | 0x02bd0000 | 0x02bdffff | mapped_file | True
Windows.edb | 0x02be0000 | 0x02beffff | mapped_file | True
Windows.edb | 0x02bf0000 | 0x02bfffff | mapped_file | True
Windows.edb | 0x02c00000 | 0x02c0ffff | mapped_file | True
Windows.edb | 0x02c10000 | 0x02c1ffff | mapped_file | True
Windows.edb | 0x02c20000 | 0x02c2ffff | mapped_file | True
private_0x0000000002c30000 | 0x02c30000 | 0x02c3ffff | private | True
private_0x0000000002c40000 | 0x02c40000 | 0x02c4ffff | private | True
private_0x0000000002c50000 | 0x02c50000 | 0x02c5ffff | private | True
Windows.edb | 0x02c60000 | 0x02c6ffff | mapped_file | True
Windows.edb | 0x02c70000 | 0x02c7ffff | mapped_file | True
Windows.edb | 0x02c80000 | 0x02c8ffff | mapped_file | True
Windows.edb | 0x02c90000 | 0x02c9ffff | mapped_file | True
Windows.edb | 0x02ca0000 | 0x02caffff | mapped_file | True
private_0x0000000002cb0000 | 0x02cb0000 | 0x02cbffff | private | True
Windows.edb | 0x02cc0000 | 0x02ccffff | mapped_file | True
private_0x0000000002cd0000 | 0x02cd0000 | 0x02d4ffff | private | True
Windows.edb | 0x02d50000 | 0x02d5ffff | mapped_file | True
Windows.edb | 0x02d60000 | 0x02d6ffff | mapped_file | True
Windows.edb | 0x02d70000 | 0x02d7ffff | mapped_file | True
pagefile_0x0000000002d80000 | 0x02d80000 | 0x02d80fff | pagefile_backed | True
pagefile_0x0000000002d90000 | 0x02d90000 | 0x02d9afff | pagefile_backed | True
vsstrace.dll.mui | 0x02da0000 | 0x02da7fff | mapped_file | False
00010001.wid | 0x02db0000 | 0x02dbffff | mapped_file | True
00010001.dir | 0x02dc0000 | 0x02dc0fff | mapped_file | True
00010002.wid | 0x02dd0000 | 0x02ddffff | mapped_file | True
00010002.dir | 0x02de0000 | 0x02de0fff | mapped_file | True
0001000D.wid | 0x02df0000 | 0x02dfffff | mapped_file | True
0001000D.dir | 0x02e00000 | 0x02e00fff | mapped_file | True
00010012.wid | 0x02e10000 | 0x02e1ffff | mapped_file | True
00010012.dir | 0x02e20000 | 0x02e20fff | mapped_file | True
00010013.wid | 0x02e30000 | 0x02e3ffff | mapped_file | True
00010013.dir | 0x02e40000 | 0x02e40fff | mapped_file | True
private_0x0000000002e50000 | 0x02e50000 | 0x02ecffff | private | True
Windows.edb | 0x02ed0000 | 0x02edffff | mapped_file | True
Windows.edb | 0x02ee0000 | 0x02eeffff | mapped_file | True
pagefile_0x0000000002ef0000 | 0x02ef0000 | 0x02efffff | pagefile_backed | True
private_0x0000000002f00000 | 0x02f00000 | 0x02f7ffff | private | True
pagefile_0x0000000002f80000 | 0x02f80000 | 0x02f8ffff | pagefile_backed | True
Windows.edb | 0x02f90000 | 0x02f9ffff | mapped_file | True
Windows.edb | 0x02fa0000 | 0x02faffff | mapped_file | True
Windows.edb | 0x02fb0000 | 0x02fbffff | mapped_file | True
Windows.edb | 0x02fc0000 | 0x02fcffff | mapped_file | True
Windows.edb | 0x02fd0000 | 0x02fdffff | mapped_file | True
Windows.edb | 0x02fe0000 | 0x02feffff | mapped_file | True
Windows.edb | 0x02ff0000 | 0x02ffffff | mapped_file | True
Windows.edb | 0x03000000 | 0x0300ffff | mapped_file | True
Windows.edb | 0x03010000 | 0x0301ffff | mapped_file | True
Windows.edb | 0x03020000 | 0x0302ffff | mapped_file | True
Windows.edb | 0x03030000 | 0x0303ffff | mapped_file | True
Windows.edb | 0x03040000 | 0x0304ffff | mapped_file | True
Windows.edb | 0x03050000 | 0x0305ffff | mapped_file | True
pagefile_0x0000000003060000 | 0x03060000 | 0x03061fff | pagefile_backed | True
pagefile_0x0000000003070000 | 0x03070000 | 0x03070fff | pagefile_backed | True
pagefile_0x0000000003080000 | 0x03080000 | 0x03081fff | pagefile_backed | True
shell32.dll.mui | 0x03090000 | 0x030ebfff | mapped_file | False
propsys.dll.mui | 0x030f0000 | 0x030fdfff | mapped_file | False
Windows.edb | 0x03100000 | 0x0310ffff | mapped_file | True
Windows.edb | 0x03110000 | 0x0311ffff | mapped_file | True
setupapi.dll.mui | 0x03120000 | 0x0312cfff | mapped_file | False
pagefile_0x0000000003130000 | 0x03130000 | 0x0313ffff | pagefile_backed | True
pagefile_0x0000000003140000 | 0x03140000 | 0x0314ffff | pagefile_backed | True
private_0x0000000003150000 | 0x03150000 | 0x031cffff | private | True
00010003.wid | 0x031d0000 | 0x031dffff | mapped_file | True
00010003.dir | 0x031e0000 | 0x031e0fff | mapped_file | True
0001000D.wsb | 0x031f0000 | 0x031fffff | mapped_file | True
private_0x0000000003240000 | 0x03240000 | 0x032bffff | private | True
private_0x00000000032c0000 | 0x032c0000 | 0x034bffff | private | True
private_0x0000000003570000 | 0x03570000 | 0x035effff | private | True
private_0x00000000035f0000 | 0x035f0000 | 0x037f0fff | private | True
private_0x00000000038e0000 | 0x038e0000 | 0x0395ffff | private | True
private_0x00000000039b0000 | 0x039b0000 | 0x03a2ffff | private | True
NlsLexicons0007.dll | 0x74420000 | 0x74f9bfff | mapped_file | False
NlsLexicons0009.dll | 0x74fa0000 | 0x75222fff | mapped_file | False
user32.dll | 0x77450000 | 0x77549fff | mapped_file | False
kernel32.dll | 0x77550000 | 0x7766efff | mapped_file | False
ntdll.dll | 0x77670000 | 0x77818fff | mapped_file | False
psapi.dll | 0x77840000 | 0x77846fff | mapped_file | False
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | pagefile_backed | True
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | private | True
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | private | True
SearchIndexer.exe | 0xff1f0000 | 0xff281fff | mapped_file | False
NlsData0007.dll | 0x7fef5b30000 | 0x7fef5d3dfff | mapped_file | False
NlsData0009.dll | 0x7fef5d40000 | 0x7fef633efff | mapped_file | False
tquery.dll.mui | 0x7fef7040000 | 0x7fef7070fff | mapped_file | False
mssrch.dll | 0x7fef7080000 | 0x7fef72a2fff | mapped_file | False
tquery.dll | 0x7fef72b0000 | 0x7fef74e9fff | mapped_file | False
esent.dll | 0x7fef79d0000 | 0x7fef7c49fff | mapped_file | False
vsstrace.dll | 0x7fef9b90000 | 0x7fef9ba6fff | mapped_file | False
vssapi.dll | 0x7fef9bb0000 | 0x7fef9d5ffff | mapped_file | False
mssprxy.dll | 0x7fefa730000 | 0x7fefa74cfff | mapped_file | False
msidle.dll | 0x7fefa890000 | 0x7fefa896fff | mapped_file | False
es.dll | 0x7fefac40000 | 0x7fefaca6fff | mapped_file | False
atl.dll | 0x7fefacc0000 | 0x7fefacd8fff | mapped_file | False
samcli.dll | 0x7fefb540000 | 0x7fefb553fff | mapped_file | False
netutils.dll | 0x7fefb580000 | 0x7fefb58bfff | mapped_file | False
wtsapi32.dll | 0x7fefb6c0000 | 0x7fefb6d0fff | mapped_file | False
NaturalLanguage6.dll | 0x7fefbb80000 | 0x7fefbcc7fff | mapped_file | False
propsys.dll | 0x7fefbd30000 | 0x7fefbe5bfff | mapped_file | False
samlib.dll | 0x7fefbe60000 | 0x7fefbe7cfff | mapped_file | False
comctl32.dll | 0x7fefbe80000 | 0x7fefc073fff | mapped_file | False
ntmarta.dll | 0x7fefc370000 | 0x7fefc39cfff | mapped_file | False
credssp.dll | 0x7fefc880000 | 0x7fefc889fff | mapped_file | False
rsaenh.dll | 0x7fefc980000 | 0x7fefc9c6fff | mapped_file | False
cryptsp.dll | 0x7fefcc80000 | 0x7fefcc96fff | mapped_file | False
secur32.dll | 0x7fefd220000 | 0x7fefd22afff | mapped_file | False
sspicli.dll | 0x7fefd250000 | 0x7fefd274fff | mapped_file | False
apphelp.dll | 0x7fefd280000 | 0x7fefd2d6fff | mapped_file | False
cryptbase.dll | 0x7fefd2e0000 | 0x7fefd2eefff | mapped_file | False
sxs.dll | 0x7fefd2f0000 | 0x7fefd380fff | mapped_file | False
winsta.dll | 0x7fefd390000 | 0x7fefd3ccfff | mapped_file | False
RpcRtRemote.dll | 0x7fefd3d0000 | 0x7fefd3e3fff | mapped_file | False
msasn1.dll | 0x7fefd480000 | 0x7fefd48efff | mapped_file | False
profapi.dll | 0x7fefd490000 | 0x7fefd49efff | mapped_file | False
cfgmgr32.dll | 0x7fefd4a0000 | 0x7fefd4d5fff | mapped_file | False
userenv.dll | 0x7fefd4e0000 | 0x7fefd4fdfff | mapped_file | False
devobj.dll | 0x7fefd520000 | 0x7fefd539fff | mapped_file | False
KernelBase.dll | 0x7fefd540000 | 0x7fefd5abfff | mapped_file | False
crypt32.dll | 0x7fefd610000 | 0x7fefd77bfff | mapped_file | False
imm32.dll | 0x7fefd840000 | 0x7fefd86dfff | mapped_file | False
advapi32.dll | 0x7fefd870000 | 0x7fefd94afff | mapped_file | False
clbcatq.dll | 0x7fefd9d0000 | 0x7fefda68fff | mapped_file | False
gdi32.dll | 0x7fefda70000 | 0x7fefdad6fff | mapped_file | False
lpk.dll | 0x7fefdd90000 | 0x7fefdd9dfff | mapped_file | False
shlwapi.dll | 0x7fefe040000 | 0x7fefe0b0fff | mapped_file | False
Wldap32.dll | 0x7fefe0c0000 | 0x7fefe111fff | mapped_file | False
sechost.dll | 0x7fefe290000 | 0x7fefe2aefff | mapped_file | False
oleaut32.dll | 0x7fefe2b0000 | 0x7fefe386fff | mapped_file | False
setupapi.dll | 0x7fefe430000 | 0x7fefe606fff | mapped_file | False
msctf.dll | 0x7fefe610000 | 0x7fefe718fff | mapped_file | False
ole32.dll | 0x7fefe720000 | 0x7fefe922fff | mapped_file | False
shell32.dll | 0x7fefe930000 | 0x7feff6b7fff | mapped_file | False
usp10.dll | 0x7feff6c0000 | 0x7feff788fff | mapped_file | False
rpcrt4.dll | 0x7feff790000 | 0x7feff8bcfff | mapped_file | False
msvcrt.dll | 0x7feff8c0000 | 0x7feff95efff | mapped_file | False
apisetschema.dll | 0x7feff990000 | 0x7feff990fff | mapped_file | False
private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | private | True
private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | private | True
private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | private | True
private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | private | True
private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | private | True
private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | private | True
private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | private | True
private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | private | True
pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | pagefile_backed | True
private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | private | True
private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | private | True
private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | private | True
private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | private | True
private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | private | True
private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | private | True
private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | private | True
OS TIDs
0x804, 0x4c8, 0x164, 0x374, 0x380, 0x368, 0x5d0, 0x594, 0x598, 0x534, 0x530, 0x3c4, 0x46c, 0x7a8
ID #29
OS PID: 0x1b8
OS Parent PID: 0x688
Image Name: searchprotocolhost.exe
Page Root: 0x12531000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-272637189-1204002015-1709914517-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-272637189-1204002015-1709914517-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
Current Directory: C:\Windows\system32\
Name | Start VA | End VA | Type | Monitored
OS TIDs
0x404, 0x338, 0x300, 0x348, 0x7c0, 0x5a0, 0x17c
ID #30
OS PID: 0x5b0
OS Parent PID: 0x688
Image Name: searchfilterhost.exe
Page Root: 0x0e994000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
OS TIDs
0x320, 0x31c, 0x344, 0x304, 0x33c
ID #31
OS PID: 0x790
OS Parent PID: 0x688
Image Name: searchprotocolhost.exe
Page Root: 0x0dec7000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
OS TIDs
0x7b4, 0x784, 0x760, 0x7b8, 0x7bc, 0x7a4, 0x7ac
ID #32
OS PID: 0x824
OS Parent PID: 0x314
Image Name: dwm.exe
Page Root: 0x1213e000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: "C:\Windows\system32\Dwm.exe"
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
OS TIDs
0x98c, 0x984, 0x838, 0x82c, 0x828
ID #33
OS PID: 0x830
OS Parent PID: 0xffffffffffffffff
Image Name: explorer.exe
Page Root: 0x110ef000
Monitor Reason: child_process
Unmonitor Reason: (still running)
CMD Line: C:\Windows\Explorer.EXE
Current Directory: C:\Windows\system32\
Name Start VA End VA Type Monitored
OS TIDs
0xac8, 0xa50, 0x910, 0x904, 0x8f8, 0x8f4, 0x8f0, 0x8ec, 0x8e0, 0x8d8, 0x8d4, 0x8d0, 0x8cc, 0x898, 0x894, 0x890, 0x88c, 0x884, 0x880, 0x87c, 0x878, 0x870, 0x86c, 0x868, 0x864, 0x858, 0x854, 0x850, 0x84c, 0x848, 0x844, 0x834
PID    Filename                                      MD5                               SHA1
0xb6c  c:\windows\$ntuninstallq923283$\fdisk.sys     921ad714e7fb01aaa8e9b960544e0d36  9e327408fedb128b5717cf0f0093756132624951
0xb6c  c:\windows\$ntuninstallq923283$\usbehub.sys   eaea9ccb40c82af8f3867cd0f4dd5e9d  7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c
0xb6c  c:\windows\$ntuninstallq923283$\pxinsi64.exe  f156ff2a1694f479a079f6777f0c5af0  1f55bdf960d70c0571e171c2c75701998552dc43