Windows, learning what is where

• Unfortunately, the Windows world is both opaque and fractured.
• Opacity: Sometimes we have to guess (often euphemistically called "research") what exactly Microsoft's system designers were thinking. (This opacity problem seems to be getting better with the recent change in leadership at Microsoft.)
• Fracturing: Windows has many, many different flavors, and each of them has its quirks. Still popular are XP (!), Server 2003, Server 2008, Windows 7, Windows 8, and Server 2012 (Windows NT, Windows 98, and Windows 2000 were quite popular in their day, but are all but extinct these days; ME and Vista were both poorly received.)

What kind of state is available?

• WFA usefully categorizes state by its volatility: information stored in RAM is most volatile; information burned to, say, a boot *PROM is probably the least volatile → but it's obviously not always so, look at this very interesting situation with Thunderbolt and Macs.
• WFA suggests taking a look at RFC 3227; similar but far more comprehensive information can be found in your text (particularly chapter 7) and in Casey's DECC — however, the viewpoint in those is much more from the legal side rather than the technical view taken in RFC 3227.

Live system tool derived state

• The first category of state that we will look at is that of "Live system tool-derived state." What does that long and awkward phrase mean? It means that we are using some tool running locally on a system in order to query about state on that system.
• How can we carry out these queries? Here we start running into forensics issues: we should be leery of trusting the system to answer these questions. Whatever programs we use to extract such state from the system themselves should be considered carefully. For live forensics, popular approaches include running programs from some sort of removable media, such as a CD or a USB memory key. A CD is slower, but has the advantage that it is (generally) a less-modifiable data source. A USB stick can be made non-modifiable in a few ways (including an explicit hardware switch or by using a "write-blocker"), and it is faster.

Lowdown on tools

• WFA likes to use Perl. It's very flexible.
• Perl is very easy to write.
• Perl handles system-level information gracefully for a large amount of systems and their structures. (In the few places in the Linux world where it doesn't, interestingly enough, we are seeing new kernel-level mechanisms such as signalfd(2) that do give even Perl the ability to interact very gracefully with recondite bits of the operating systems.)

"Shopping List" for volatile information

• What kind of information are we going to look at? Following Chapter 1 in WFA, let's put at least together this "shopping list".

Date/time information

• Date/time information. We could use something like

  	    date /t & time /t
  	  

• It would also be a good idea to match this against real world time. Since, unlike Linux, there's no very simple and reasonably universal way to get network time at the command line, you will have to work around this. You can visit one of the many webpages that offer time service, or just set up your own trivial web time server.

Memory acquisition

• It is a good idea to copy memory very early on — MF recommends on page 9 that you copy it immediately after you do a time check. Unfortunately, Windows is making it harder to do this, and whatever tool you use, you will very likely need administrator access.

System identification

While WFA doesn't mention system identification in chapter 1, MF does so; on page 18, it recommends hostname, whoami, and ver; on page 21, it extends this with uptime and with the now deprecated psuptime from sysinternals. It then suggests using the current psinfo from sysinternals, Microsoft's systeminfo (see systeminfo example here), or NII Consulting's dumpwin.

(MF also refers to using tools provided on Helix's livecd, but I don't believe that the free version of Helix includes any Windows binaries, just Linux binaries — and not all of those work. I tested Helix 1.9's Linux binaries from 2007, and the provided ls crashes on what appears to be a very odd (and likely very dated) use of mmap(2). The mmap(2) system call has experienced some changes over the years that have made older calls to it less likely to succeed.)

Who is using the system? Login sessions.

• We can look for logins in various ways. WFA suggestions psloggedon as one way; another is to use logonsessions. (Both programs are from live.sysinternals.com.) If you just are interested in remote users, you might try net sessions — but note that with more recent versions of Windows, you probably need to have Administrator access for this one to work.
• MF also suggests quser.
• Of course, these are only going to show proper user sessions; if "backdoors" have been set up, then those won't show up in these tools.

Who is using the system? Open files.

• WFA suggests also using programs such as net file and openfiles to see what files are open. Again, with more recent versions of Windows, you are likely to need administrator access for these to work.

What else might be scheduled?

• Windows also natively supports scheduling; MF suggests using the native at and schtasks /query to check what might be scheduled. at may require Administrator access depending on your version of Windows, but schtasks oddly enough might succeed with any account.

NetBIOS

• In the Windows world, we have the ancient and decrepit phenomenon of NetBIOS. Hackers can unfortunately use NetBIOS to see configuration information about remote machines using nbtstat -c and nbtstat -A ADDRESS for addresses listed by the -c option.

Network connectivity

• One of the most useful tools is netstat -ano which will let you see which PID created a connection.
• As mentioned on pp. 36-37 of WFA, the author has put together a Perl script svc.pl to retrieve information about services.
• It is not mentioned in the WFA book but on the DVD there is a second version of this script in the Bonus subdirectory that outputs CSV rather than text.
• The MF has an excellent suggestion, which is to also grab a copy of the ARP table on page 31; you can use arp -a to do this. The ARP table provides the mappings from IP numbers to MAC addresses:
• MF also suggests on page 48 doing an external portscan using nmap. That's always a good idea, since this can help avoid the problems of using internal structures that might be manipulated or obscured by malware by providing an "outward" view.

Keyboard history

• If you would want the keyboard history on a Windows machine for a given "system prompt" window, you can use doskey /history to retrieve that information. However, this isn't likely to occur in practice! Relatively few people use the command window at all, and it is rare to find a forensically interesting one open.

Mapped drives

• As mentioned on p. 39 of WFA, the author has put together a small Perl script di.pl to extract mappings between drives and drive letters.

Shares

• The final volatile information source mentioned today will be shares; the author has included a small Perl script svc.pl to extract this information.

"Shopping List" for non-volatile information

• First, read the warning "Handle with Care" on page 65 of MF.
• Looking in the registry: WFA has included a program reg.exe (or you might find it as reg.pl) to extract registry information (this is really for offline use, since convincing Windows to open some registry files on a live machine is problematic, even with Administrator access), and recommends also using autoruns[c] from live.sysinternals.com. In the registry, he recommends looking at these two settings since they could easily impact your work:
  • ClearPageFileAtShutdown → (viz., see Microsoft's page about the security implications of an uncleared Pagefile.sys)
  • DisableLastAccess → (you can also view this one with fsutil behavior query DisableLastAccess). There is quite a bit of information about this parameter on this page about fsutil.
• Security configuration: unfortunately, Microsoft doesn't make it easy to get a simple text version of the security configuration. MF suggests WinUpdatesList from Nirsoft.
• Static network configuration: MF suggests getting copies of the hosts, networks, and lmhosts (or lmhosts.sam) files. Malware often modifies these files since the static information in them will override any dynamic information such as DNS data.
• Events: Microsoft has traditionally provided LogParser; MF suggests eldump. Recently, Microsoft has improved event logging for Server 2008 R2 and for some versions of Windows. See this page (2010); also, there's a comprehensive (as of 2009) Excel file of possible log events at this link.

Putting it all together

Here's what a very simple "batch" script might look like. (note that this script this is referencing another script that attempts to compare NTP time with system time, sntp.pl):

	
print "Local time = " . localtime() . "\n";
print "GM time = " . gmtime() . "\n";

print "Attempting to get network time...\n";
system('perl ..\Documents\sntp.pl pool.ntp.org');
print "... end attempt\n";

print "**** LOGIN INFORMATION **** \n\n";

system("net sessions");

system("logonsessions");

print "**** OPEN FILE INFORMATION **** \n\n";

system("net file");

system("openfiles");

system("Listdlls");

print "**** NETBIOS INFORMATION ****\n\n";

system("nbtstat -c"); # this could easily be expanded...
                     # to include an automated call to nbtstat -A 
                     # for each found system...


print "**** NETWORK ACTIVITY INFORMATION ****\n\n";

system("netstat -anob");

system("netstat -rn");

print "**** TASK INFORMATION ****\n\n";

system("tasklist /v");

system("pslist -x");

system("pslist -t");

system("handle");

print "**** NETWORK CONFIGURATION ****\n\n";

system("ipconfig /all");

print "**** CLIPBOARD INFORMATION ****\n\n";

system('perl ..\Documents\clipboard.pl');



      

The output for that might look something like:

Local time = Tue Jan 12 09:48:10 2010
GM time = Tue Jan 12 17:48:10 2010
Attempting to get network time...
..\Documents\sntp.pl, SNTP - Get time from an NTP time server, V 0.2b, 2004-12-10 
Connecting to pool.ntp.org
Local Transmit Timestp : 3472307290.94657
The ntp server [pool.ntp.org 204.9.54.119] sent the following data:
Byte1                  : 28
  Leap Indicator (LI)  : 0 [no warning]
  Version number (VN)  : 3 [NTP/SNTP version number]
  Mode                 : 4 [server]
Stratum                : 1 [primary reference (e.g. radio clock)]
Poll Interval          : 0 [2**0 = 1 sec max interval between successive msgs]
Clock Precision        : -15 [2**-15 = 3.0518e-005]
Root Delay             : 00000000 [0.0000 sec]
Root Dispersion        : 00000014 [0.0003 sec]
Reference Identifier   : 43444d41 [CDMA] 
Reference Timestamp    : cef73458.849f3f56 [3472307288.51806]
Originate Timestamp    : cef7345a.f2529000 [3472307290.94657]
Receive Timestamp      : cef7345a.c9208d1d [3472307290.78565]
Transmit Timestamp     : cef7345a.c93bf238 [3472307290.78607]

Interpreted results, converted to unix epoch (sec since 1970-01-01 00:00:00):
Reference Timestamp    : 1263318488.51806 [last sync of server clock with ref]
Originate Timestamp    : 1263318490.94657 [returned Local Transmit Timestamp]
Receive Timestamp      : 1263318490.78565 [request packet arrived at server]
Transmit Timestamp     : 1263318490.78607 [this reply departed the server]
Net time UTC           : Tue Jan 12 17:48:10 2010 +786 ms
                         2010-01-12 17:48:10.786
Network roundtrip time : -0.0669 sec
Network delay          : -0.0339 sec
Local Timestamp        : 1263318490.98002 
Local time UTC         : 2010-01-12 17:48:10.980
Clock Difference       : -0.1942 sec off between pool.ntp.org and local
... end attempt
**** LOGIN INFORMATION **** 

There are no entries in the list.


Logonsesions v1.1
Copyright (C) 2004 Bryce Cogswell and Mark Russinovich
Sysinternals - wwww.sysinternals.com


[0] Logon session 00000000:000003e7:
    User name:    WORKGROUP\WIN-71P82PQYDRP$
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          S-1-5-18
    Logon time:   8/6/2009 3:11:26 AM
    Logon server: 
    DNS Domain:   
    UPN:          

[1] Logon session 00000000:00008a3f:
    User name:    
    Auth package: NTLM
    Logon type:   (none)
    Session:      0
    Sid:          (none)
    Logon time:   8/6/2009 3:11:27 AM
    Logon server: 
    DNS Domain:   
    UPN:          

[2] Logon session 00000000:000003e5:
    User name:    NT AUTHORITY\LOCAL SERVICE
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-19
    Logon time:   8/6/2009 3:11:30 AM
    Logon server: 
    DNS Domain:   
    UPN:          

[3] Logon session 00000000:00022ff9:
    User name:    WIN-71P82PQYDRP\Administrator
    Auth package: NTLM
    Logon type:   Interactive
    Session:      1
    Sid:          S-1-5-21-972268749-3273389209-3774546691-500
    Logon time:   8/6/2009 3:29:13 AM
    Logon server: WIN-71P82PQYDRP
    DNS Domain:   
    UPN:          

[4] Logon session 00000000:000003e3:
    User name:    NT AUTHORITY\IUSR
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-17
    Logon time:   8/14/2009 4:24:54 AM
    Logon server: 
    DNS Domain:   
    UPN:          

[5] Logon session 00000000:000003e4:
    User name:    WORKGROUP\WIN-71P82PQYDRP$
    Auth package: Negotiate
    Logon type:   Service
    Session:      0
    Sid:          S-1-5-20
    Logon time:   8/6/2009 3:11:30 AM
    Logon server: 
    DNS Domain:   
    UPN:          

[6] Logon session 00000000:0001414c:
    User name:    NT AUTHORITY\ANONYMOUS LOGON
    Auth package: NTLM
    Logon type:   Network
    Session:      0
    Sid:          S-1-5-7
    Logon time:   8/6/2009 3:11:43 AM
    Logon server: 
    DNS Domain:   
    UPN:          
**** OPEN FILE INFORMATION **** 

There are no entries in the list.


INFO: The system global flag 'maintain objects list' needs
      to be enabled to see local opened files.
      See Openfiles /? for more information.


Files opened remotely via local share points:
---------------------------------------------

INFO: No shared open files found.

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4
Command line: 
------------------------------------------------------------------------------
smss.exe pid: 396
Command line: \SystemRoot\System32\smss.exe

  Base        Size      Version	        Path
  0x481d0000  0x12000                   \SystemRoot\System32\smss.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
------------------------------------------------------------------------------
csrss.exe pid: 464
Command line: C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

  Base        Size      Version	        Path
  0x49e60000  0x5000    6.00.6001.18000  C:\Windows\system32\csrss.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x762d0000  0xf000    6.00.6001.18000  C:\Windows\system32\CSRSRV.dll
  0x762b0000  0x13000   6.00.6001.18000  C:\Windows\system32\basesrv.dll
  0x76250000  0x60000   6.00.6001.18000  C:\Windows\system32\winsrv.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\KERNEL32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x760c0000  0x5f000   6.00.6001.18000  C:\Windows\system32\sxs.dll
------------------------------------------------------------------------------
csrss.exe pid: 508
Command line: C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

  Base        Size      Version	        Path
  0x49e60000  0x5000    6.00.6001.18000  C:\Windows\system32\csrss.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x762d0000  0xf000    6.00.6001.18000  C:\Windows\system32\CSRSRV.dll
  0x762b0000  0x13000   6.00.6001.18000  C:\Windows\system32\basesrv.dll
  0x76250000  0x60000   6.00.6001.18000  C:\Windows\system32\winsrv.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\KERNEL32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x760c0000  0x5f000   6.00.6001.18000  C:\Windows\system32\sxs.dll
------------------------------------------------------------------------------
wininit.exe pid: 532
Command line: wininit.exe

  Base        Size      Version	        Path
  0x00860000  0x1a000   6.00.6001.18000  C:\Windows\system32\wininit.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
------------------------------------------------------------------------------
winlogon.exe pid: 544
Command line: winlogon.exe

  Base        Size      Version	        Path
  0x000e0000  0x50000   6.00.6001.18000  C:\Windows\system32\winlogon.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x74790000  0x3e000   6.00.6001.18000  C:\Windows\system32\SHSVCS.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x761c0000  0x16000   6.00.6001.18000  C:\Windows\system32\AUTHZ.dll
------------------------------------------------------------------------------
services.exe pid: 592
Command line: C:\Windows\system32\services.exe

  Base        Size      Version	        Path
  0x002f0000  0x47000   6.00.6001.18000  C:\Windows\system32\services.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x76130000  0x4e000   6.00.6001.18000  C:\Windows\system32\SCESRV.dll
  0x761c0000  0x16000   6.00.6001.18000  C:\Windows\system32\AUTHZ.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x76120000  0xf000    6.00.6001.18000  C:\Windows\system32\NCObjAPI.DLL
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
------------------------------------------------------------------------------
lsass.exe pid: 604
Command line: C:\Windows\system32\lsass.exe

  Base        Size      Version	        Path
  0x00870000  0x6000    6.00.6001.18000  C:\Windows\system32\lsass.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x75f80000  0x135000  6.00.6001.18000  C:\Windows\system32\LSASRV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x75e70000  0x7a000   6.00.6001.18000  C:\Windows\system32\SAMSRV.dll
  0x75e50000  0x11000   6.00.6001.18000  C:\Windows\system32\cryptdll.dll
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\system32\DNSAPI.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\system32\NTDSAPI.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75da0000  0x11000   6.00.6001.18000  C:\Windows\system32\FeClient.dll
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x761b0000  0x7000    6.00.6000.16386  C:\Windows\system32\SYSNTFY.dll
  0x75d20000  0x40000   6.00.6001.18000  C:\Windows\system32\wevtapi.dll
  0x75d00000  0x19000   6.00.6001.18000  C:\Windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  C:\Windows\system32\dhcpcsvc.DLL
  0x75cb0000  0x7000    6.00.6001.18000  C:\Windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  C:\Windows\system32\dhcpcsvc6.DLL
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75c60000  0x6000    6.00.6000.16386  C:\Windows\system32\cngaudit.dll
  0x761c0000  0x16000   6.00.6001.18000  C:\Windows\system32\AUTHZ.dll
  0x75b00000  0x35000   6.00.6001.18000  C:\Windows\system32\ncrypt.dll
  0x75ab0000  0x45000   6.00.6001.18000  C:\Windows\system32\BCRYPT.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75c70000  0x2000    6.00.6000.16386  C:\Windows\system32\msprivs.dll
  0x75a10000  0x7c000   6.00.6001.18000  C:\Windows\system32\kerberos.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x75950000  0x37000   6.00.6001.18000  C:\Windows\system32\msv1_0.dll
  0x758b0000  0x94000   6.00.6001.18000  C:\Windows\system32\netlogon.dll
  0x757d0000  0xd7000   6.00.6000.16386  C:\Windows\system32\WINBRAND.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x759d0000  0x2c000   6.00.6001.18000  C:\Windows\system32\wdigest.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x75700000  0x12000   6.00.6001.18000  C:\Windows\system32\tspkg.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\setupapi.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x756d0000  0x2e000   6.00.6001.18000  C:\Windows\system32\scecli.dll
  0x75a90000  0x9000    6.00.6001.18000  C:\Windows\system32\RASSFM.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x73bb0000  0x26000   6.00.6001.18000  C:\Windows\system32\dssenh.dll
------------------------------------------------------------------------------
lsm.exe pid: 612
Command line: C:\Windows\system32\lsm.exe

  Base        Size      Version	        Path
  0x005d0000  0x3b000   6.00.6001.18000  C:\Windows\system32\lsm.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x761b0000  0x7000    6.00.6000.16386  C:\Windows\system32\SYSNTFY.dll
  0x75ef0000  0x6000    6.00.6000.16386  C:\Windows\system32\WMsgAPI.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\secur32.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
------------------------------------------------------------------------------
svchost.exe pid: 772
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x75620000  0x39000   6.00.6001.18000  c:\windows\system32\umpnpmgr.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75680000  0x1a000   6.00.6001.18000  C:\Windows\system32\POWRPROF.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x75500000  0x89000   6.00.6001.18000  c:\windows\system32\rpcss.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x755b0000  0x66000   6.00.6001.18000  c:\windows\system32\FirewallAPI.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x75660000  0x8000    6.00.6001.18000  c:\windows\system32\VERSION.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x73cd0000  0x15000   6.00.6001.18000  C:\Windows\system32\Cabinet.dll
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\system32\WTSAPI32.dll
------------------------------------------------------------------------------
VBoxService.exe pid: 816
Command line: system32\VBoxService.exe

  Base        Size      Version	        Path
  0x00400000  0x105000  3.00.0002.0000  C:\Windows\system32\VBoxService.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\system32\WTSAPI32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\system32\VERSION.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
------------------------------------------------------------------------------
svchost.exe pid: 848
Command line: C:\Windows\system32\svchost.exe -k rpcss

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x75500000  0x89000   6.00.6001.18000  c:\windows\system32\rpcss.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x755b0000  0x66000   6.00.6001.18000  c:\windows\system32\FirewallAPI.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x75660000  0x8000    6.00.6001.18000  c:\windows\system32\VERSION.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x74520000  0x96000   6.00.6001.18000  C:\Windows\system32\fwpuclnt.dll
------------------------------------------------------------------------------
svchost.exe pid: 884
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\System32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x75300000  0xfb000   6.00.6001.18000  c:\windows\system32\wevtsvc.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x75660000  0x8000    6.00.6001.18000  c:\windows\system32\VERSION.dll
  0x75720000  0x15000   6.00.6001.18000  c:\windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  c:\windows\system32\slc.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\System32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\System32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\System32\MSASN1.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\System32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\System32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\System32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x748a0000  0x8000    6.00.6000.16386  c:\windows\system32\lmhsvc.dll
  0x75d00000  0x19000   6.00.6001.18000  c:\windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  c:\windows\system32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  c:\windows\system32\DNSAPI.dll
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  c:\windows\system32\dhcpcsvc6.DLL
  0x754f0000  0xf000    6.00.6001.18000  C:\Windows\system32\NLAapi.dll
  0x739f0000  0x8000    6.00.6000.16386  C:\Windows\System32\winrnr.dll
  0x739e0000  0xf000    6.00.6001.18000  C:\Windows\system32\napinsp.dll
  0x73a00000  0x6000    6.00.6000.16386  C:\Windows\System32\rasadhlp.dll
------------------------------------------------------------------------------
svchost.exe pid: 964
Command line: C:\Windows\system32\svchost.exe -k GPSvcGroup

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74cf0000  0x8e000   6.00.6001.18000  c:\windows\system32\gpsvc.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x75f00000  0x75000   6.00.6001.18000  c:\windows\system32\NETAPI32.dll
  0x75de0000  0x18000   6.00.6001.18000  c:\windows\system32\NTDSAPI.dll
  0x75e20000  0x2c000   6.00.6001.18000  c:\windows\system32\DNSAPI.dll
  0x75670000  0xa000    6.00.6001.18000  c:\windows\system32\WTSAPI32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x75720000  0x15000   6.00.6001.18000  c:\windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  c:\windows\system32\slc.dll
  0x761c0000  0x16000   6.00.6001.18000  c:\windows\system32\AUTHZ.dll
  0x761b0000  0x7000    6.00.6000.16386  c:\windows\system32\SYSNTFY.dll
  0x761e0000  0x25000   6.00.6001.18000  c:\windows\system32\WINSTA.dll
  0x754f0000  0xf000    6.00.6001.18000  c:\windows\system32\nlaapi.dll
  0x75d00000  0x19000   6.00.6001.18000  c:\windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  c:\windows\system32\dhcpcsvc.DLL
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  c:\windows\system32\dhcpcsvc6.DLL
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x72930000  0xb000    6.00.6001.18000  C:\Windows\system32\wbem\wbemprox.dll
  0x73f10000  0x5b000   6.00.6001.18000  C:\Windows\system32\wbemcomn.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x72920000  0x10000   6.00.6001.18000  C:\Windows\system32\wbem\wbemsvc.dll
  0x73af0000  0x99000   6.00.6001.18000  C:\Windows\system32\wbem\fastprox.dll
------------------------------------------------------------------------------
svchost.exe pid: 976
Command line: C:\Windows\system32\svchost.exe -k netsvcs

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75410000  0x29000   6.00.6001.18000  c:\windows\system32\profsvc.dll
  0x761b0000  0x7000    6.00.6000.16386  c:\windows\system32\SYSNTFY.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x754f0000  0xf000    6.00.6001.18000  c:\windows\system32\nlaapi.dll
  0x75d00000  0x19000   6.00.6001.18000  c:\windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  c:\windows\system32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  c:\windows\system32\DNSAPI.dll
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  c:\windows\system32\dhcpcsvc6.DLL
  0x75480000  0x14000   3.05.2284.0000  c:\windows\system32\ATL.DLL
  0x75400000  0xe000    6.00.6001.18000  c:\windows\system32\sens.dll
  0x75670000  0xa000    6.00.6001.18000  c:\windows\system32\WTSAPI32.dll
  0x74790000  0x3e000   6.00.6001.18000  c:\windows\system32\shsvcs.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x74670000  0x85000   5.82.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6001.18000_none_886786f450a74a05\COMCTL32.dll
  0x74e90000  0x95000   6.00.6001.18000  c:\windows\system32\schedsvc.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x75d20000  0x40000   6.00.6001.18000  c:\windows\system32\wevtapi.dll
  0x761c0000  0x16000   6.00.6001.18000  c:\windows\system32\AUTHZ.dll
  0x75440000  0x7000    6.00.6001.18000  c:\windows\system32\ktmw32.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\system32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x74620000  0x44000   6.00.6001.18000  C:\Windows\system32\taskcomp.dll
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\system32\VERSION.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x74720000  0x9000    6.00.6000.16386  c:\windows\system32\aelupsvc.dll
  0x76180000  0x2c000   6.00.6001.18000  c:\windows\system32\apphelp.dll
  0x74160000  0x6f000   6.00.6001.18000  c:\windows\system32\ikeext.dll
  0x74520000  0x96000   6.00.6001.18000  c:\windows\system32\fwpuclnt.dll
  0x74270000  0x8000    6.00.6001.18000  c:\windows\system32\seclogon.dll
  0x73fd0000  0x2a000   6.00.6001.18000  c:\windows\system32\wbem\wmisvc.dll
  0x73f10000  0x5b000   6.00.6001.18000  C:\Windows\system32\wbemcomn.dll
  0x75b00000  0x35000   6.00.6001.18000  C:\Windows\system32\ncrypt.dll
  0x75ab0000  0x45000   6.00.6001.18000  C:\Windows\system32\BCRYPT.dll
  0x73e80000  0x21000   6.00.6001.18000  c:\windows\system32\srvsvc.dll
  0x75d60000  0x3a000   6.00.6001.18000  c:\windows\system32\slc.dll
  0x73d70000  0x33000   6.00.6001.18000  c:\windows\system32\iphlpsvc.dll
  0x755b0000  0x66000   6.00.6001.18000  c:\windows\system32\FirewallAPI.dll
  0x754b0000  0xc000    6.00.6000.16386  c:\windows\system32\rtutils.dll
  0x73e50000  0x23000   6.00.6001.18000  c:\windows\system32\sqmapi.dll
  0x74100000  0x6000    6.00.6000.16386  C:\Windows\system32\SSCORE.DLL
  0x73d40000  0x2e000   6.00.6001.18000  C:\Windows\system32\CLUSAPI.DLL
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\system32\NTDSAPI.dll
  0x75e50000  0x11000   6.00.6001.18000  C:\Windows\system32\cryptdll.dll
  0x74300000  0x35000   6.00.6001.18000  C:\Windows\system32\ACTIVEDS.dll
  0x742c0000  0x33000   6.00.6001.18000  C:\Windows\system32\adsldpc.dll
  0x74480000  0x2e000   6.00.6001.18000  C:\Windows\system32\credui.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x73e30000  0x13000   6.00.6001.18000  C:\Windows\system32\RESUTILS.DLL
  0x73cd0000  0x15000   6.00.6001.18000  C:\Windows\system32\Cabinet.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x73f70000  0x5f000   6.00.6001.18000  C:\Windows\system32\WINHTTP.dll
  0x74340000  0x10a000  6.00.6001.18000  C:\Windows\system32\VSSAPI.DLL
  0x742a0000  0x14000   6.00.6001.18000  C:\Windows\system32\vsstrace.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\system32\XmlLite.dll
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x74940000  0xba000   6.00.6001.18000  C:\Windows\system32\PROPSYS.dll
  0x73a10000  0xb8000   6.00.6001.18000  C:\Windows\system32\wbem\wbemcore.dll
  0x73be0000  0x43000   6.00.6001.18000  C:\Windows\System32\Wbem\esscli.dll
  0x73af0000  0x99000   6.00.6001.18000  C:\Windows\System32\Wbem\FastProx.dll
  0x73ad0000  0x17000   6.00.6001.18000  C:\Windows\system32\wbem\wmiutils.dll
  0x73970000  0x44000   6.00.6001.18000  C:\Windows\system32\wbem\repdrvfs.dll
  0x73870000  0x79000   6.00.6001.18000  C:\Windows\system32\wbem\wmiprvsd.dll
  0x76120000  0xf000    6.00.6001.18000  C:\Windows\system32\NCObjAPI.DLL
  0x73ca0000  0x9000    6.00.6000.16386  C:\Windows\system32\tschannel.dll
  0x73810000  0x57000   6.00.6001.18000  C:\Windows\system32\wbem\wbemess.dll
  0x739f0000  0x8000    6.00.6000.16386  C:\Windows\System32\winrnr.dll
  0x739e0000  0xf000    6.00.6001.18000  C:\Windows\system32\napinsp.dll
  0x73a00000  0x6000    6.00.6000.16386  C:\Windows\system32\rasadhlp.dll
  0x739c0000  0x10000   6.00.6001.18000  C:\Windows\system32\wbem\ncprov.dll
  0x72bd0000  0x1bf000  7.00.6001.18000  c:\windows\system32\qmgr.dll
  0x73300000  0x5000    6.00.6000.16386  c:\windows\system32\SHFOLDER.dll
  0x73130000  0x8000    7.00.6000.16386  c:\windows\system32\bitsperf.dll
  0x73120000  0xb000    7.00.6001.18000  C:\Windows\system32\bitsigd.dll
  0x724a0000  0x1a1000  7.00.6001.18000  c:\windows\system32\wuaueng.dll
  0x73580000  0x167000  6.00.6001.18000  c:\windows\system32\ESENT.dll
  0x73490000  0x42000   6.00.6001.18000  c:\windows\system32\WINSPOOL.DRV
  0x72d90000  0xc000    6.00.6001.18000  c:\windows\system32\mspatcha.dll
  0x75ef0000  0x6000    6.00.6000.16386  C:\Windows\system32\WMsgAPI.dll
  0x760c0000  0x5f000   6.00.6001.18000  C:\Windows\system32\SXS.DLL
  0x74a90000  0xc000    7.00.6001.18000  C:\Windows\system32\wups2.dll
  0x72920000  0x10000   6.00.6001.18000  C:\Windows\system32\wbem\wbemsvc.dll
  0x72430000  0x9000    7.00.6001.18000  C:\Windows\system32\wups.dll
  0x74ac0000  0x4a000   6.00.6001.18000  C:\Windows\system32\RasApi32.dll
  0x75450000  0x14000   6.00.6001.18000  C:\Windows\system32\rasman.dll
  0x72040000  0x31000   6.00.6000.16386  C:\Windows\system32\TAPI32.dll
  0x74900000  0x32000   6.00.6001.18000  C:\Windows\system32\WINMM.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\system32\OLEACC.dll
  0x6f8c0000  0x43000   6.00.6001.18000  c:\windows\system32\rasmans.dll
  0x71f80000  0x14000   6.00.6001.18000  C:\Windows\system32\rastapi.dll
  0x6f870000  0x43000   6.00.6001.18000  C:\Windows\system32\rasppp.dll
  0x74700000  0x1a000   6.00.6001.18000  C:\Windows\system32\MPRAPI.dll
  0x75a10000  0x7c000   6.00.6001.18000  C:\Windows\system32\kerberos.dll
  0x6fc60000  0x14000   6.00.6001.18000  C:\Windows\system32\RASQEC.DLL
  0x72960000  0x17000   6.00.6001.18000  C:\Windows\system32\QUtil.dll
  0x6f7d0000  0x47000   6.00.6001.18000  C:\Windows\System32\raschap.dll
  0x6f830000  0x3e000   6.00.6001.18000  C:\Windows\System32\rastls.dll
  0x6f400000  0xf0000   6.00.6001.18000  C:\Windows\system32\CRYPTUI.dll
  0x755a0000  0x5000    6.00.6000.16386  C:\Windows\system32\MSIMG32.dll
  0x74d80000  0x1f000   6.00.6001.18000  C:\Windows\system32\WinSCard.dll
------------------------------------------------------------------------------
SLsvc.exe pid: 996
Command line: C:\Windows\system32\SLsvc.exe

  Base        Size      Version	        Path
  0x008d0000  0x285000  6.00.6001.18000  C:\Windows\system32\SLsvc.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\system32\DNSAPI.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
------------------------------------------------------------------------------
svchost.exe pid: 1056
Command line: C:\Windows\system32\svchost.exe -k LocalService

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74a40000  0x45000   2001.12.6931.18000  c:\windows\system32\es.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x74940000  0xba000   6.00.6001.18000  c:\windows\system32\PROPSYS.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x74850000  0x8000    6.00.6001.18000  c:\windows\system32\nsisvc.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\secur32.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x74730000  0x2a000   6.00.6001.18000  c:\windows\system32\wkssvc.dll
  0x75d00000  0x19000   6.00.6001.18000  c:\windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  c:\windows\system32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  c:\windows\system32\DNSAPI.dll
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  c:\windows\system32\dhcpcsvc6.DLL
  0x75de0000  0x18000   6.00.6001.18000  c:\windows\system32\NTDSAPI.dll
  0x757d0000  0xd7000   6.00.6000.16386  c:\windows\system32\WINBRAND.dll
  0x74000000  0x48000   6.00.6001.18000  c:\windows\system32\w32time.dll
  0x75e50000  0x11000   6.00.6001.18000  c:\windows\system32\cryptdll.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x760c0000  0x5f000   6.00.6001.18000  C:\Windows\system32\SXS.DLL
  0x73cf0000  0x3c000   6.00.6001.18000  c:\windows\system32\netprofm.dll
  0x754f0000  0xf000    6.00.6001.18000  c:\windows\system32\nlaapi.dll
  0x73d30000  0x8000    6.00.6000.16386  C:\Windows\System32\npmproxy.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\system32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x74e50000  0x11000   6.00.6001.18000  c:\windows\system32\sluinotify.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x74e20000  0x24000   6.00.6001.18000  c:\windows\system32\slcext.dll
  0x73f70000  0x5f000   6.00.6001.18000  c:\windows\system32\WINHTTP.dll
  0x77030000  0x128000  7.00.6001.18000  C:\Windows\system32\urlmon.dll
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x75670000  0xa000    6.00.6001.18000  c:\windows\system32\WTSAPI32.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x6fc20000  0x25000   6.00.6001.18000  c:\windows\system32\sstpsvc.dll
  0x754b0000  0xc000    6.00.6000.16386  c:\windows\system32\rtutils.dll
  0x73410000  0xb000    6.00.6001.18000  c:\windows\system32\HTTPAPI.dll
  0x77c50000  0x3000    6.00.6000.16386  C:\Windows\system32\Normaliz.dll
  0x739f0000  0x8000    6.00.6000.16386  C:\Windows\System32\winrnr.dll
  0x739e0000  0xf000    6.00.6001.18000  C:\Windows\system32\napinsp.dll
  0x73a00000  0x6000    6.00.6000.16386  C:\Windows\system32\rasadhlp.dll
------------------------------------------------------------------------------
svchost.exe pid: 1140
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\System32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\System32\NTMARTA.DLL
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\System32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x748b0000  0xb000    6.00.6001.18000  c:\windows\system32\uxsms.dll
  0x75670000  0xa000    6.00.6001.18000  c:\windows\system32\WTSAPI32.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\System32\WINSTA.dll
  0x741e0000  0x15000   6.00.6001.18000  c:\windows\system32\trkwks.dll
  0x75f00000  0x75000   6.00.6001.18000  c:\windows\system32\NETAPI32.dll
  0x74280000  0x15000   6.00.6001.18000  c:\windows\system32\wdi.dll
  0x73c50000  0x15000   6.00.6000.16386  C:\Windows\system32\radardt.dll
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\System32\VERSION.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x726a0000  0x46000   6.00.6001.18000  c:\windows\system32\netman.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x74ac0000  0x4a000   6.00.6001.18000  c:\windows\system32\RASAPI32.dll
  0x75450000  0x14000   6.00.6001.18000  c:\windows\system32\rasman.dll
  0x72040000  0x31000   6.00.6000.16386  c:\windows\system32\TAPI32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x754b0000  0xc000    6.00.6000.16386  c:\windows\system32\rtutils.dll
  0x74900000  0x32000   6.00.6001.18000  c:\windows\system32\WINMM.dll
  0x748c0000  0x39000   4.02.5406.0000  c:\windows\system32\OLEACC.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\System32\rsaenh.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\System32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x70700000  0x30b000  6.00.6001.18000  C:\Windows\System32\netshell.dll
  0x75d00000  0x19000   6.00.6001.18000  C:\Windows\System32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  C:\Windows\System32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\System32\DNSAPI.dll
  0x75c80000  0x21000   6.00.6001.18000  C:\Windows\System32\dhcpcsvc6.DLL
  0x754f0000  0xf000    6.00.6001.18000  C:\Windows\System32\nlaapi.dll
  0x71880000  0xce000   6.00.6001.18000  C:\Windows\System32\RASDLG.dll
  0x74700000  0x1a000   6.00.6001.18000  C:\Windows\System32\MPRAPI.dll
  0x74300000  0x35000   6.00.6001.18000  C:\Windows\System32\ACTIVEDS.dll
  0x742c0000  0x33000   6.00.6001.18000  C:\Windows\System32\adsldpc.dll
  0x74480000  0x2e000   6.00.6001.18000  C:\Windows\System32\credui.dll
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\System32\ATL.DLL
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\System32\slc.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\System32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\System32\MSASN1.dll
  0x6ffb0000  0x4a000   6.00.6001.18000  C:\Windows\System32\hnetcfg.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\System32\GPAPI.dll
  0x73f70000  0x5f000   6.00.6001.18000  C:\Windows\System32\WINHTTP.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\System32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x6fc80000  0x60000   6.00.6001.18000  C:\Windows\system32\netcfgx.dll
  0x73cd0000  0x15000   6.00.6001.18000  C:\Windows\System32\Cabinet.dll
  0x72930000  0xb000    6.00.6001.18000  C:\Windows\system32\wbem\wbemprox.dll
  0x73f10000  0x5b000   6.00.6001.18000  C:\Windows\system32\wbemcomn.dll
  0x72920000  0x10000   6.00.6001.18000  C:\Windows\system32\wbem\wbemsvc.dll
  0x73af0000  0x99000   6.00.6001.18000  C:\Windows\system32\wbem\fastprox.dll
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\system32\NTDSAPI.dll
------------------------------------------------------------------------------
svchost.exe pid: 1168
Command line: C:\Windows\system32\svchost.exe -k NetworkService

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74810000  0x18000   6.00.6001.18000  c:\windows\system32\dnsrslvr.dll
  0x75e20000  0x2c000   6.00.6001.18000  c:\windows\system32\DNSAPI.dll
  0x75cc0000  0x35000   6.00.6001.18000  c:\windows\system32\dhcpcsvc.DLL
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  c:\windows\system32\dhcpcsvc6.DLL
  0x75d00000  0x19000   6.00.6001.18000  c:\windows\system32\IPHLPAPI.DLL
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x74450000  0x22000   6.00.6001.18000  c:\windows\system32\cryptsvc.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x74340000  0x10a000  6.00.6001.18000  c:\windows\system32\VSSAPI.DLL
  0x75480000  0x14000   3.05.2284.0000  c:\windows\system32\ATL.DLL
  0x742a0000  0x14000   6.00.6001.18000  c:\windows\system32\vsstrace.dll
  0x761c0000  0x16000   6.00.6001.18000  c:\windows\system32\AUTHZ.dll
  0x74dc0000  0x2f000   1.02.1009.0000  c:\windows\system32\XmlLite.dll
  0x75f00000  0x75000   6.00.6001.18000  c:\windows\system32\NETAPI32.dll
  0x75dc0000  0x14000   6.00.6001.18000  c:\windows\system32\MPR.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x75b40000  0xf1000   6.00.6001.18000  c:\windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  c:\windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x74130000  0x2b000   6.00.6001.18000  c:\windows\system32\nlasvc.dll
  0x75d20000  0x40000   6.00.6001.18000  c:\windows\system32\wevtapi.dll
  0x74220000  0x1a000   6.00.6001.18000  c:\windows\system32\ncsi.dll
  0x73f70000  0x5f000   6.00.6001.18000  c:\windows\system32\WINHTTP.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x75670000  0xa000    6.00.6001.18000  c:\windows\system32\WTSAPI32.dll
  0x75ab0000  0x45000   6.00.6001.18000  c:\windows\system32\bcrypt.dll
  0x741d0000  0x8000    6.00.6001.18000  c:\windows\system32\CFGMGR32.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x73db0000  0x71000   6.00.6001.18000  c:\windows\system32\termsrv.dll
  0x74120000  0x7000    6.00.6001.18000  c:\windows\system32\ICAAPI.dll
  0x747e0000  0x2d000   6.00.6001.18000  c:\windows\system32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x74110000  0xc000    6.00.6000.16386  C:\Windows\system32\ssdpapi.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x74a40000  0x45000   2001.12.6931.18000  C:\Windows\system32\es.dll
  0x74940000  0xba000   6.00.6001.18000  C:\Windows\system32\PROPSYS.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x73580000  0x167000  6.00.6001.18000  C:\Windows\system32\ESENT.dll
  0x72e90000  0x59000   2001.12.6931.18000  c:\windows\system32\msdtckrm.dll
  0x75660000  0x8000    6.00.6001.18000  c:\windows\system32\VERSION.dll
  0x75440000  0x7000    6.00.6001.18000  c:\windows\system32\ktmw32.dll
  0x73d40000  0x2e000   6.00.6001.18000  c:\windows\system32\CLUSAPI.dll
  0x75de0000  0x18000   6.00.6001.18000  c:\windows\system32\NTDSAPI.dll
  0x75e50000  0x11000   6.00.6001.18000  c:\windows\system32\cryptdll.dll
  0x74300000  0x35000   6.00.6001.18000  c:\windows\system32\ACTIVEDS.dll
  0x742c0000  0x33000   6.00.6001.18000  c:\windows\system32\adsldpc.dll
  0x74480000  0x2e000   6.00.6001.18000  c:\windows\system32\credui.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x72800000  0xb9000   6.00.6001.18000  c:\windows\system32\wsmsvc.dll
  0x72de0000  0x11000   6.00.6001.18000  c:\windows\system32\WsmProv.DLL
  0x72da0000  0x37000   6.00.6001.18000  c:\windows\system32\winrsmgr.dll
  0x75720000  0x15000   6.00.6001.18000  c:\windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  c:\windows\system32\slc.dll
  0x73410000  0xb000    6.00.6001.18000  c:\windows\system32\HTTPAPI.dll
  0x72ef0000  0x5000    6.00.6001.18000  C:\Windows\system32\WsmRes.dll
  0x72940000  0x16000   6.00.6001.18000  C:\Windows\system32\wevtfwd.dll
  0x754f0000  0xf000    6.00.6001.18000  C:\Windows\system32\NLAapi.dll
  0x739f0000  0x8000    6.00.6000.16386  C:\Windows\System32\winrnr.dll
  0x739e0000  0xf000    6.00.6001.18000  C:\Windows\system32\napinsp.dll
  0x73a00000  0x6000    6.00.6000.16386  C:\Windows\system32\rasadhlp.dll
  0x75b00000  0x35000   6.00.6001.18000  C:\Windows\system32\ncrypt.dll
  0x74a00000  0x1b000   6.00.6001.18000  C:\Windows\system32\cryptnet.dll
  0x73350000  0x6000    6.00.6000.16386  C:\Windows\system32\SensApi.dll
------------------------------------------------------------------------------
svchost.exe pid: 1292
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x745c0000  0x55000   6.00.6001.18000  c:\windows\system32\bfe.dll
  0x761c0000  0x16000   6.00.6001.18000  c:\windows\system32\AUTHZ.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x744b0000  0x62000   6.00.6001.18000  c:\windows\system32\mpssvc.dll
  0x755b0000  0x66000   6.00.6001.18000  c:\windows\system32\FirewallAPI.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x75660000  0x8000    6.00.6001.18000  c:\windows\system32\VERSION.dll
  0x754f0000  0xf000    6.00.6001.18000  c:\windows\system32\nlaapi.dll
  0x75d00000  0x19000   6.00.6001.18000  c:\windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  c:\windows\system32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  c:\windows\system32\DNSAPI.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  c:\windows\system32\dhcpcsvc6.DLL
  0x75b40000  0xf1000   6.00.6001.18000  c:\windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  c:\windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x75ab0000  0x45000   6.00.6001.18000  c:\windows\system32\bcrypt.dll
  0x75670000  0xa000    6.00.6001.18000  c:\windows\system32\WTSAPI32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x74520000  0x96000   6.00.6001.18000  c:\windows\system32\fwpuclnt.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x74840000  0x8000    6.00.6001.18000  C:\Windows\system32\wfapigp.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\ntmarta.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x74240000  0x23000   6.00.6001.18000  c:\windows\system32\dps.dll
  0x74280000  0x15000   6.00.6001.18000  c:\windows\system32\wdi.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x73eb0000  0x5a000   6.00.6001.18000  C:\Windows\system32\taskschd.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\system32\XmlLite.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x73d30000  0x8000    6.00.6000.16386  C:\Windows\System32\npmproxy.dll
------------------------------------------------------------------------------
spoolsv.exe pid: 1432
Command line: C:\Windows\System32\spoolsv.exe

  Base        Size      Version	        Path
  0x00cb0000  0x21000   6.00.6001.18000  C:\Windows\System32\spoolsv.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\System32\slc.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\System32\secur32.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\System32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\System32\CRYPT32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\System32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\System32\USERENV.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\System32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x74760000  0x2c000   6.00.6001.18000  C:\Windows\System32\SPOOLSS.DLL
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\System32\WTSAPI32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75d00000  0x19000   6.00.6001.18000  C:\Windows\System32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  C:\Windows\System32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\System32\DNSAPI.dll
  0x75cb0000  0x7000    6.00.6001.18000  C:\Windows\System32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  C:\Windows\System32\dhcpcsvc6.DLL
  0x73a00000  0x6000    6.00.6000.16386  C:\Windows\System32\rasadhlp.dll
  0x734e0000  0x9d000   6.00.6001.18000  C:\Windows\System32\localspl.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\System32\VERSION.dll
  0x739d0000  0x5000    6.00.6000.16386  C:\Windows\System32\sfc.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x73490000  0x42000   6.00.6001.18000  C:\Windows\System32\winspool.drv
  0x73460000  0x24000   6.00.6001.18000  C:\Windows\System32\tcpmon.dll
  0x738f0000  0x9000    6.00.6000.16386  C:\Windows\System32\snmpapi.dll
  0x73450000  0xf000    6.00.6001.18000  C:\Windows\System32\wsnmp32.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x731b0000  0x149000  6.20.1076.0000  C:\Windows\System32\msxml6.dll
  0x73440000  0xa000    6.00.6000.16386  C:\Windows\System32\tcpmib.dll
  0x73430000  0x8000    6.00.6000.16386  C:\Windows\System32\mgmtapi.dll
  0x73420000  0xb000    6.00.6001.18000  C:\Windows\System32\usbmon.dll
  0x73400000  0x6000    6.00.6000.16386  C:\Windows\system32\wls0wndh.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\System32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x733d0000  0x2d000   6.00.6001.18000  C:\Windows\System32\WSDMon.dll
  0x73370000  0x58000   6.00.6001.18000  C:\Windows\System32\wsdapi.dll
  0x73410000  0xb000    6.00.6001.18000  C:\Windows\System32\HTTPAPI.dll
  0x73f70000  0x5f000   6.00.6001.18000  C:\Windows\System32\WINHTTP.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\System32\XmlLite.dll
  0x741d0000  0x8000    6.00.6001.18000  C:\Windows\System32\CFGMGR32.dll
  0x73310000  0x27000   6.00.6001.18000  C:\Windows\system32\FunDisc.dll
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\system32\ATL.DLL
  0x72f50000  0x126000  8.100.1043.0000  C:\Windows\System32\msxml3.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\System32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\System32\SAMLIB.dll
  0x73140000  0x6f000   6.00.6001.18000  C:\Windows\System32\win32spl.dll
  0x73360000  0x7000    6.00.6000.16386  C:\Windows\System32\NETRAP.dll
  0x73340000  0xd000    6.00.6001.18000  C:\Windows\system32\printcom.dll
  0x73350000  0x6000    6.00.6000.16386  C:\Windows\system32\SensApi.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\System32\GPAPI.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x754f0000  0xf000    6.00.6001.18000  C:\Windows\system32\NLAapi.dll
  0x739f0000  0x8000    6.00.6000.16386  C:\Windows\System32\winrnr.dll
  0x739e0000  0xf000    6.00.6001.18000  C:\Windows\system32\napinsp.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\System32\rsaenh.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\System32\WINSTA.dll
------------------------------------------------------------------------------
dns.exe pid: 1472
Command line: C:\Windows\system32\dns.exe

  Base        Size      Version	        Path
  0x00c30000  0xa4000   6.00.6001.18000  C:\Windows\system32\dns.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\system32\DNSAPI.dll
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\system32\NTDSAPI.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x75d00000  0x19000   6.00.6001.18000  C:\Windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  C:\Windows\system32\dhcpcsvc.DLL
  0x75cb0000  0x7000    6.00.6001.18000  C:\Windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  C:\Windows\system32\dhcpcsvc6.DLL
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\system32\VERSION.dll
  0x74700000  0x1a000   6.00.6001.18000  C:\Windows\system32\MPRAPI.dll
  0x74300000  0x35000   6.00.6001.18000  C:\Windows\system32\ACTIVEDS.dll
  0x742c0000  0x33000   6.00.6001.18000  C:\Windows\system32\adsldpc.dll
  0x74480000  0x2e000   6.00.6001.18000  C:\Windows\system32\credui.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\system32\ATL.DLL
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x754b0000  0xc000    6.00.6000.16386  C:\Windows\system32\rtutils.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75a10000  0x7c000   6.00.6001.18000  C:\Windows\system32\kerberos.dll
  0x75e50000  0x11000   6.00.6001.18000  C:\Windows\system32\cryptdll.dll
  0x75950000  0x37000   6.00.6001.18000  C:\Windows\system32\msv1_0.dll
------------------------------------------------------------------------------
svchost.exe pid: 1512
Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x740a0000  0x5b000   6.00.6001.18000  c:\windows\system32\ipsecsvc.dll
  0x761c0000  0x16000   6.00.6001.18000  c:\windows\system32\AUTHZ.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x75d00000  0x19000   6.00.6001.18000  c:\windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  c:\windows\system32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  c:\windows\system32\DNSAPI.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x75cb0000  0x7000    6.00.6001.18000  c:\windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  c:\windows\system32\dhcpcsvc6.DLL
  0x75b40000  0xf1000   6.00.6001.18000  c:\windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  c:\windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  c:\windows\system32\USERENV.dll
  0x74520000  0x96000   6.00.6001.18000  c:\windows\system32\fwpuclnt.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x755b0000  0x66000   6.00.6001.18000  c:\windows\system32\FirewallAPI.dll
  0x75660000  0x8000    6.00.6001.18000  c:\windows\system32\VERSION.dll
  0x747d0000  0xa000    6.00.6001.18000  c:\windows\system32\FwRemoteSvr.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
------------------------------------------------------------------------------
svchost.exe pid: 1532
Command line: C:\Windows\system32\svchost.exe -k regsvc

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x74200000  0x1e000   6.00.6001.18000  c:\windows\system32\regsvc.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\secur32.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
------------------------------------------------------------------------------
svchost.exe pid: 1564
Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\System32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x74070000  0x22000   6.00.6001.18000  c:\windows\system32\wersvc.dll
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\System32\WTSAPI32.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\System32\WINSTA.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\System32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\System32\Secur32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x710e0000  0xd9000   6.00.6001.18000  C:\Windows\System32\wer.dll
  0x73350000  0x6000    6.00.6000.16386  C:\Windows\System32\SensApi.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\System32\OLEACC.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\System32\NETAPI32.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\System32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\System32\SAMLIB.dll
------------------------------------------------------------------------------
taskeng.exe pid: 1948
Command line: taskeng.exe {F8AA3FBA-B9BC-4E3F-BA9B-6514AF11740A}

  Base        Size      Version	        Path
  0x003e0000  0x2b000   6.00.6001.18000  C:\Windows\system32\taskeng.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\system32\XmlLite.dll
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x73ca0000  0x9000    6.00.6000.16386  C:\Windows\system32\tschannel.dll
  0x754a0000  0xc000    6.00.6001.18000  C:\Windows\system32\dimsjob.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x75b00000  0x35000   6.00.6001.18000  C:\Windows\system32\ncrypt.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x73c90000  0xd000    6.00.6000.16386  C:\Windows\system32\pautoenr.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x73910000  0x53000   6.00.6001.18000  C:\Windows\system32\certcli.dll
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\system32\ATL.DLL
  0x771f0000  0xcf000   7.00.6001.18000  C:\Windows\system32\WININET.dll
  0x77c50000  0x3000    6.00.6000.16386  C:\Windows\system32\Normaliz.dll
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x736f0000  0x112000  6.00.6001.18000  C:\Windows\system32\certenroll.dll
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\system32\NTDSAPI.dll
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\system32\DNSAPI.dll
  0x74d80000  0x1f000   6.00.6001.18000  C:\Windows\system32\WinSCard.dll
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\system32\WTSAPI32.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
------------------------------------------------------------------------------
msdtc.exe pid: 1812
Command line: C:\Windows\System32\msdtc.exe

  Base        Size      Version	        Path
  0x00ca0000  0x1d000   2001.12.6931.18000  C:\Windows\System32\msdtc.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x72ac0000  0x10d000  2001.12.6931.18000  C:\Windows\System32\MSDTCTM.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x72e00000  0x8c000   2001.12.6931.18000  C:\Windows\System32\MSDTCPRX.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\System32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x72f00000  0x50000   2001.12.6931.18000  C:\Windows\System32\MTXCLU.DLL
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x73d40000  0x2e000   6.00.6001.18000  C:\Windows\System32\CLUSAPI.dll
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\System32\NTDSAPI.dll
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\System32\DNSAPI.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\System32\Secur32.dll
  0x75e50000  0x11000   6.00.6001.18000  C:\Windows\System32\cryptdll.dll
  0x74300000  0x35000   6.00.6001.18000  C:\Windows\System32\ACTIVEDS.dll
  0x742c0000  0x33000   6.00.6001.18000  C:\Windows\System32\adsldpc.dll
  0x74480000  0x2e000   6.00.6001.18000  C:\Windows\System32\credui.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\System32\ATL.DLL
  0x73e30000  0x13000   6.00.6001.18000  C:\Windows\System32\RESUTILS.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\System32\USERENV.dll
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\System32\VERSION.dll
  0x75ab0000  0x45000   6.00.6001.18000  C:\Windows\System32\bcrypt.dll
  0x75440000  0x7000    6.00.6001.18000  C:\Windows\System32\ktmw32.dll
  0x73100000  0x1b000   2001.12.6931.18000  C:\Windows\System32\MSDTCLOG.dll
  0x74900000  0x32000   6.00.6001.18000  C:\Windows\System32\WINMM.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\System32\OLEACC.dll
  0x730f0000  0xf000    2001.12.6931.18000  C:\Windows\System32\XOLEHLP.dll
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\System32\MSWSOCK.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x72980000  0x13d000  2001.12.6931.18000  C:\Windows\System32\COMRES.DLL
  0x730e0000  0x6000    2001.12.6931.18000  C:\Windows\System32\msdtcVSp1res.dll
  0x73080000  0x1f000   2001.12.6931.18000  C:\Windows\System32\MTxOCI.Dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\System32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\System32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\System32\MSASN1.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\System32\NTMARTA.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\System32\SAMLIB.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x755b0000  0x66000   6.00.6001.18000  C:\Windows\system32\FirewallAPI.dll
------------------------------------------------------------------------------
taskeng.exe pid: 2028
Command line: taskeng.exe {D9764CDB-3244-499C-AC1C-BD2CE0513C7D}

  Base        Size      Version	        Path
  0x003e0000  0x2b000   6.00.6001.18000  C:\Windows\system32\taskeng.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\system32\XmlLite.dll
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x73ca0000  0x9000    6.00.6000.16386  C:\Windows\system32\tschannel.dll
  0x754a0000  0xc000    6.00.6001.18000  C:\Windows\system32\dimsjob.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x75b00000  0x35000   6.00.6001.18000  C:\Windows\system32\ncrypt.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x73c30000  0x8000    6.00.6001.18000  C:\Windows\system32\MsCtfMonitor.dll
  0x730b0000  0x2b000   6.00.6001.18000  C:\Windows\system32\MSUTB.dll
  0x73cc0000  0xc000    6.00.6001.18000  C:\Windows\system32\dwmapi.dll
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\system32\WTSAPI32.dll
  0x73ba0000  0x7000    6.00.6001.18000  C:\Windows\System32\PlaySndSrv.dll
  0x74900000  0x32000   6.00.6001.18000  C:\Windows\System32\WINMM.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\System32\OLEACC.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x73c90000  0xd000    6.00.6000.16386  C:\Windows\system32\pautoenr.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x73910000  0x53000   6.00.6001.18000  C:\Windows\system32\certcli.dll
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\system32\ATL.DLL
  0x771f0000  0xcf000   7.00.6001.18000  C:\Windows\system32\WININET.dll
  0x77c50000  0x3000    6.00.6000.16386  C:\Windows\system32\Normaliz.dll
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x736f0000  0x112000  6.00.6001.18000  C:\Windows\system32\certenroll.dll
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\system32\NTDSAPI.dll
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\system32\DNSAPI.dll
  0x74d80000  0x1f000   6.00.6001.18000  C:\Windows\system32\WinSCard.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x728f0000  0x2f000   6.00.6001.18000  C:\Windows\system32\wdmaud.drv
  0x73b90000  0x4000    6.00.6000.16386  C:\Windows\system32\ksuser.dll
  0x728c0000  0x27000   6.00.6001.18000  C:\Windows\system32\MMDevAPI.DLL
  0x73900000  0x7000    6.00.6001.18000  C:\Windows\system32\AVRT.dll
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\system32\uxtheme.dll
  0x72080000  0x2e000   6.00.6001.18000  C:\Windows\System32\QAgent.dll
  0x74520000  0x96000   6.00.6001.18000  C:\Windows\System32\fwpuclnt.dll
  0x72960000  0x17000   6.00.6001.18000  C:\Windows\System32\QUtil.dll
  0x75d20000  0x40000   6.00.6001.18000  C:\Windows\System32\wevtapi.dll
------------------------------------------------------------------------------
dwm.exe pid: 1980
Command line: "C:\Windows\system32\Dwm.exe"

  Base        Size      Version	        Path
  0x00db0000  0x18000   6.00.6001.18000  C:\Windows\system32\Dwm.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\system32\UxTheme.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.dll
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x73c70000  0x18000   6.00.6001.18000  C:\Windows\system32\dwmredir.dll
  0x73cb0000  0x7000    6.00.6001.18000  C:\Windows\system32\SLWGA.dll
  0x77030000  0x128000  7.00.6001.18000  C:\Windows\system32\urlmon.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\system32\WTSAPI32.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x721d0000  0x1f0000  6.00.6001.18000  C:\Windows\system32\milcore.dll
------------------------------------------------------------------------------
explorer.exe pid: 936
Command line: C:\Windows\Explorer.EXE

  Base        Size      Version	        Path
  0x00690000  0x2cd000  6.00.6001.18000  C:\Windows\Explorer.EXE
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x726f0000  0x107000  6.00.6001.18000  C:\Windows\system32\SHDOCVW.dll
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\system32\UxTheme.dll
  0x75680000  0x1a000   6.00.6001.18000  C:\Windows\system32\POWRPROF.dll
  0x73cc0000  0xc000    6.00.6001.18000  C:\Windows\system32\dwmapi.dll
  0x74b40000  0x1ab000  5.02.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x74940000  0xba000   6.00.6001.18000  C:\Windows\system32\PROPSYS.dll
  0x71e30000  0x146000  6.00.6001.18000  C:\Windows\system32\BROWSEUI.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.dll
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x754c0000  0x30000   6.00.6001.18000  C:\Windows\system32\DUser.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x71d70000  0xb3000   6.00.6001.18000  C:\Windows\system32\WindowsCodecs.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x730a0000  0x6000    6.00.6000.16386  C:\Windows\system32\IconCodecService.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x72110000  0xb2000   6.00.6001.18000  C:\Windows\system32\timedate.cpl
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\system32\ATL.DLL
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\system32\OLEACC.dll
  0x757d0000  0xd7000   6.00.6000.16386  C:\Windows\system32\WINBRAND.dll
  0x720b0000  0x53000   6.00.6001.18000  C:\Windows\system32\actxprxy.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\System32\SAMLIB.dll
  0x72650000  0x41000   6.00.6001.18000  C:\Windows\System32\msshsq.dll
  0x71bd0000  0xc6000   6.00.6001.18000  C:\Windows\System32\NaturalLanguage6.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\System32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\System32\MSASN1.dll
  0x75110000  0x1e8000  6.00.6001.18000  C:\Windows\system32\authui.dll
  0x755a0000  0x5000    6.00.6000.16386  C:\Windows\system32\MSIMG32.dll
  0x70a10000  0x5ce000  7.00.6001.18000  C:\Windows\system32\ieframe.dll
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x77030000  0x128000  7.00.6001.18000  C:\Windows\system32\urlmon.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\system32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x73c40000  0x9000    6.00.6001.18000  C:\Windows\system32\ExplorerFrame.dll
  0x771f0000  0xcf000   7.00.6001.18000  C:\Windows\system32\WININET.dll
  0x77c50000  0x3000    6.00.6000.16386  C:\Windows\system32\Normaliz.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x74900000  0x32000   6.00.6001.18000  C:\Windows\system32\WINMM.dll
  0x728f0000  0x2f000   6.00.6001.18000  C:\Windows\system32\wdmaud.drv
  0x73b90000  0x4000    6.00.6000.16386  C:\Windows\system32\ksuser.dll
  0x728c0000  0x27000   6.00.6001.18000  C:\Windows\system32\MMDevAPI.DLL
  0x73900000  0x7000    6.00.6001.18000  C:\Windows\system32\AVRT.dll
  0x71cd0000  0x92000   6.00.6001.18000  C:\Windows\system32\stobject.dll
  0x71b10000  0xb6000   6.00.6000.16386  C:\Windows\system32\BatMeter.dll
  0x75670000  0xa000    6.00.6001.18000  C:\Windows\system32\WTSAPI32.dll
  0x761e0000  0x25000   6.00.6001.18000  C:\Windows\system32\WINSTA.dll
  0x74a40000  0x45000   2001.12.6931.18000  C:\Windows\system32\es.dll
  0x74b10000  0x30000   6.00.6000.16386  C:\Windows\System32\SndVolSSO.dll
  0x70700000  0x30b000  6.00.6001.18000  C:\Windows\System32\netshell.dll
  0x75d00000  0x19000   6.00.6001.18000  C:\Windows\System32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  C:\Windows\System32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\System32\DNSAPI.dll
  0x75cb0000  0x7000    6.00.6001.18000  C:\Windows\System32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  C:\Windows\System32\dhcpcsvc6.DLL
  0x754f0000  0xf000    6.00.6001.18000  C:\Windows\System32\nlaapi.dll
  0x71950000  0x1bf000  6.00.6001.18000  C:\Windows\system32\pnidui.dll
  0x72960000  0x17000   6.00.6001.18000  C:\Windows\system32\QUtil.dll
  0x75d20000  0x40000   6.00.6001.18000  C:\Windows\system32\wevtapi.dll
  0x75470000  0x6000    6.00.6000.16386  C:\Windows\system32\wlanutil.dll
  0x73d30000  0x8000    6.00.6000.16386  C:\Windows\System32\npmproxy.dll
  0x71740000  0x95000   6.00.6001.18000  C:\Windows\System32\cscui.dll
  0x74db0000  0x9000    6.00.6001.18000  C:\Windows\System32\CSCDLL.dll
  0x74ab0000  0xb000    6.00.6001.18000  C:\Windows\System32\CSCAPI.dll
  0x717e0000  0x43000   6.00.6001.18000  C:\Windows\System32\srchadmin.dll
  0x71840000  0x3c000   7.00.6001.18000  C:\Windows\system32\webcheck.dll
  0x72080000  0x2e000   6.00.6001.18000  C:\Windows\System32\QAgent.dll
  0x74520000  0x96000   6.00.6001.18000  C:\Windows\System32\fwpuclnt.dll
  0x70640000  0x51000   6.00.6001.18000  C:\Windows\system32\imapi2.dll
  0x70540000  0xf9000   6.00.6001.18000  C:\Windows\system32\bthprops.cpl
  0x760c0000  0x5f000   6.00.6001.18000  C:\Windows\system32\SXS.DLL
  0x702a0000  0x4a000   6.00.6001.18000  C:\Windows\system32\ntshrui.dll
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x71ca0000  0x30000   6.00.6001.18000  C:\Windows\system32\MLANG.dll
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\system32\VERSION.dll
  0x10000000  0xa0000   3.00.0002.0000  C:\Windows\system32\VBoxMRXNP.dll
  0x6ff10000  0x8000    6.00.6000.16386  C:\Windows\System32\drprov.dll
  0x6fc00000  0x13000   6.00.6001.18000  C:\Windows\System32\ntlanman.dll
  0x6eaa0000  0x4a9000  6.00.6001.18000  C:\Windows\System32\NLSData0009.dll
  0x6f170000  0x283000  6.00.6000.16386  C:\Windows\System32\NLSLexicons0009.dll
------------------------------------------------------------------------------
VBoxTray.exe pid: 1816
Command line: "C:\Windows\System32\VBoxTray.exe" 

  Base        Size      Version	        Path
  0x00400000  0xfe000   3.00.0002.0000  C:\Windows\System32\VBoxTray.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x10000000  0x13000   3.00.0002.0000  C:\Windows\System32\VBoxHook.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\System32\UxTheme.dll
------------------------------------------------------------------------------
wuauclt.exe pid: 2272
Command line: "C:\Windows\system32\wuauclt.exe"

  Base        Size      Version	        Path
  0x00d30000  0xd000    7.00.6001.18000  C:\Windows\system32\wuauclt.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x70120000  0x172000  7.00.6001.18000  C:\Windows\system32\wucltux.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\system32\UxTheme.dll
  0x754c0000  0x30000   6.00.6001.18000  C:\Windows\system32\DUser.dll
  0x73cd0000  0x15000   6.00.6001.18000  C:\Windows\system32\Cabinet.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\system32\OLEACC.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\system32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x74a90000  0xc000    7.00.6001.18000  C:\Windows\system32\wups2.dll
------------------------------------------------------------------------------
svchost.exe pid: 3968
Command line: C:\Windows\system32\svchost.exe -k apphost

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x72480000  0x10000   7.00.6001.18000  c:\windows\system32\inetsrv\apphostsvc.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x739d0000  0x5000    6.00.6000.16386  C:\Windows\system32\sfc.dll
  0x74060000  0xd000    6.00.6001.18000  C:\Windows\system32\sfc_os.DLL
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x6f9e0000  0x35000   7.00.6001.18000  c:\windows\system32\inetsrv\IISUTIL.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x6f5b0000  0x52000   7.00.6001.18000  c:\windows\system32\inetsrv\nativerd.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\system32\XmlLite.dll
  0x74340000  0x10a000  6.00.6001.18000  C:\Windows\system32\VSSAPI.DLL
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\system32\ATL.DLL
  0x742a0000  0x14000   6.00.6001.18000  C:\Windows\system32\vsstrace.dll
  0x761c0000  0x16000   6.00.6001.18000  C:\Windows\system32\AUTHZ.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x6f6f0000  0x30000   7.00.6001.18000  c:\windows\system32\inetsrv\IISRES.DLL
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x74a40000  0x45000   2001.12.6931.18000  C:\Windows\system32\es.dll
  0x74940000  0xba000   6.00.6001.18000  C:\Windows\system32\PROPSYS.dll
  0x71ca0000  0x30000   6.00.6001.18000  C:\Windows\system32\mlang.dll
------------------------------------------------------------------------------
svchost.exe pid: 3352
Command line: C:\Windows\system32\svchost.exe -k iissvcs

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\system32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x6f4f0000  0x5e000   7.00.6001.18000  c:\windows\system32\inetsrv\iisw3adm.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x77c50000  0x3000    6.00.6000.16386  C:\Windows\system32\Normaliz.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x6f9e0000  0x35000   7.00.6001.18000  c:\windows\system32\inetsrv\IISUTIL.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x72470000  0x7000    7.00.6001.18000  c:\windows\system32\inetsrv\W3TP.dll
  0x6f5b0000  0x52000   7.00.6001.18000  c:\windows\system32\inetsrv\nativerd.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\system32\XmlLite.dll
  0x73410000  0xb000    6.00.6001.18000  C:\Windows\system32\HTTPAPI.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x6f6f0000  0x30000   7.00.6001.18000  c:\windows\system32\inetsrv\IISRES.DLL
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x71ca0000  0x30000   6.00.6001.18000  C:\Windows\system32\mlang.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x72420000  0x7000    7.00.6001.18000  C:\Windows\system32\inetsrv\w3ctrlps.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
------------------------------------------------------------------------------
svchost.exe pid: 1004
Command line: C:\Windows\System32\svchost.exe -k tapisrv

  Base        Size      Version	        Path
  0x00710000  0x8000    6.00.6001.18000  C:\Windows\System32\svchost.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x6f960000  0x3d000   6.00.6001.18000  c:\windows\system32\tapisrv.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x74300000  0x35000   6.00.6001.18000  c:\windows\system32\ACTIVEDS.dll
  0x742c0000  0x33000   6.00.6001.18000  c:\windows\system32\adsldpc.dll
  0x75f00000  0x75000   6.00.6001.18000  c:\windows\system32\NETAPI32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x74480000  0x2e000   6.00.6001.18000  c:\windows\system32\credui.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x75480000  0x14000   3.05.2284.0000  c:\windows\system32\ATL.DLL
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x76210000  0x14000   6.00.6001.18000  c:\windows\system32\Secur32.dll
  0x754b0000  0xc000    6.00.6000.16386  c:\windows\system32\rtutils.dll
  0x74900000  0x32000   6.00.6001.18000  c:\windows\system32\WINMM.dll
  0x748c0000  0x39000   4.02.5406.0000  c:\windows\system32\OLEACC.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\System32\credssp.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\System32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\System32\MSASN1.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\System32\USERENV.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x6f910000  0x48000   6.00.6001.18000  C:\Windows\System32\unimdm.tsp
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x74e80000  0x7000    6.00.6000.16386  C:\Windows\System32\uniplat.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\System32\WINTRUST.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x74da0000  0xc000    6.00.6000.16386  C:\Windows\System32\kmddsp.tsp
  0x71830000  0xf000    6.00.6000.16386  C:\Windows\System32\ndptsp.tsp
  0x6ff30000  0xb000    6.00.6000.16386  C:\Windows\System32\hidphone.tsp
  0x6ff20000  0x9000    6.00.6000.16386  C:\Windows\System32\HID.DLL
------------------------------------------------------------------------------
cmd.exe pid: 3232
Command line: "C:\Windows\System32\cmd.exe" 

  Base        Size      Version	        Path
  0x4a440000  0x50000   6.00.6001.18000  C:\Windows\System32\cmd.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
------------------------------------------------------------------------------
notepad.exe pid: 1744
Command line: notepad

  Base        Size      Version	        Path
  0x00cb0000  0x28000   6.00.6001.18000  C:\Windows\system32\notepad.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77820000  0x73000   6.00.6001.18000  C:\Windows\system32\COMDLG32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\COMCTL32.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x73490000  0x42000   6.00.6001.18000  C:\Windows\system32\WINSPOOL.DRV
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\system32\UxTheme.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x70a10000  0x5ce000  7.00.6001.18000  C:\Windows\system32\ieframe.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x71e30000  0x146000  6.00.6001.18000  C:\Windows\system32\BROWSEUI.dll
  0x74940000  0xba000   6.00.6001.18000  C:\Windows\system32\PROPSYS.dll
  0x754c0000  0x30000   6.00.6001.18000  C:\Windows\system32\DUser.dll
  0x71d70000  0xb3000   6.00.6001.18000  C:\Windows\system32\WindowsCodecs.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x72650000  0x41000   6.00.6001.18000  C:\Windows\System32\msshsq.dll
  0x74a20000  0x16000   6.00.6001.18000  C:\Windows\system32\thumbcache.dll
  0x720b0000  0x53000   6.00.6001.18000  C:\Windows\system32\actxprxy.dll
  0x726f0000  0x107000  6.00.6001.18000  C:\Windows\system32\SHDOCVW.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\system32\oleacc.dll
  0x77030000  0x128000  7.00.6001.18000  C:\Windows\system32\urlmon.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x702a0000  0x4a000   6.00.6001.18000  C:\Windows\system32\ntshrui.dll
  0x74ab0000  0xb000    6.00.6001.18000  C:\Windows\system32\cscapi.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
------------------------------------------------------------------------------
notepad.exe pid: 3204
Command line: notepad

  Base        Size      Version	        Path
  0x00cb0000  0x28000   6.00.6001.18000  C:\Windows\system32\notepad.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77820000  0x73000   6.00.6001.18000  C:\Windows\system32\COMDLG32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\COMCTL32.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x73490000  0x42000   6.00.6001.18000  C:\Windows\system32\WINSPOOL.DRV
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\system32\UxTheme.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x70a10000  0x5ce000  7.00.6001.18000  C:\Windows\system32\ieframe.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x71e30000  0x146000  6.00.6001.18000  C:\Windows\system32\BROWSEUI.dll
  0x74940000  0xba000   6.00.6001.18000  C:\Windows\system32\PROPSYS.dll
  0x754c0000  0x30000   6.00.6001.18000  C:\Windows\system32\DUser.dll
  0x71d70000  0xb3000   6.00.6001.18000  C:\Windows\system32\WindowsCodecs.dll
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x72650000  0x41000   6.00.6001.18000  C:\Windows\System32\msshsq.dll
  0x74a20000  0x16000   6.00.6001.18000  C:\Windows\system32\thumbcache.dll
  0x720b0000  0x53000   6.00.6001.18000  C:\Windows\system32\actxprxy.dll
  0x726f0000  0x107000  6.00.6001.18000  C:\Windows\system32\SHDOCVW.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\system32\oleacc.dll
  0x77030000  0x128000  7.00.6001.18000  C:\Windows\system32\urlmon.dll
------------------------------------------------------------------------------
iexplore.exe pid: 2752
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" 

  Base        Size      Version	        Path
  0x00940000  0x9b000   7.00.6001.18000  C:\Program Files\Internet Explorer\iexplore.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x77030000  0x128000  7.00.6001.18000  C:\Windows\system32\urlmon.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x775d0000  0x45000   7.00.6001.18000  C:\Windows\system32\iertutil.dll
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\system32\VERSION.dll
  0x74880000  0x1e000   6.00.6000.16386  C:\Windows\system32\ShimEng.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
  0x74e10000  0x10000   6.00.6001.18000  C:\Windows\AppPatch\iebrshim.dll
  0x72000000  0x3e000   6.00.6001.18000  C:\Windows\AppPatch\AcRedir.DLL
  0x71620000  0x88000   6.00.6001.18000  C:\Windows\AppPatch\AcLayers.DLL
  0x76230000  0x1e000   6.00.6001.18000  C:\Windows\system32\USERENV.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x73490000  0x42000   6.00.6001.18000  C:\Windows\system32\WINSPOOL.DRV
  0x75dc0000  0x14000   6.00.6001.18000  C:\Windows\system32\MPR.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
  0x70a10000  0x5ce000  7.00.6001.18000  C:\Windows\system32\IEFRAME.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x74f30000  0x3f000   6.00.6001.18000  C:\Windows\system32\UxTheme.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x72440000  0x2f000   7.00.6001.18000  C:\Windows\system32\IEUI.dll
  0x755a0000  0x5000    6.00.6000.16386  C:\Windows\system32\MSIMG32.dll
  0x74b40000  0x1ab000  5.02.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll
  0x74dc0000  0x2f000   1.02.1009.0000  C:\Windows\system32\xmllite.dll
  0x71d70000  0xb3000   6.00.6001.18000  C:\Windows\system32\WindowsCodecs.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x720b0000  0x53000   6.00.6001.18000  C:\Windows\system32\actxprxy.dll
  0x760c0000  0x5f000   6.00.6001.18000  C:\Windows\system32\SXS.DLL
  0x771f0000  0xcf000   7.00.6001.18000  C:\Windows\system32\WININET.dll
  0x77c50000  0x3000    6.00.6000.16386  C:\Windows\system32\Normaliz.dll
  0x71ca0000  0x30000   6.00.6001.18000  C:\Windows\system32\MLANG.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\ws2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x6e720000  0x372000  7.00.6001.18000  C:\Windows\system32\mshtml.dll
  0x723f0000  0x29000   3.10.0349.0000  C:\Windows\system32\msls31.dll
  0x716e0000  0x60000   7.00.6000.16461  C:\Windows\system32\ieapfltr.dll
  0x747e0000  0x2d000   6.00.6001.18000  C:\Windows\system32\WINTRUST.dll
  0x75b40000  0xf1000   6.00.6001.18000  C:\Windows\system32\CRYPT32.dll
  0x75e00000  0x12000   6.00.6000.16386  C:\Windows\system32\MSASN1.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x74e00000  0xb000    6.00.6001.18000  C:\Windows\system32\msimtf.dll
  0x74ac0000  0x4a000   6.00.6001.18000  C:\Windows\system32\RASAPI32.dll
  0x75450000  0x14000   6.00.6001.18000  C:\Windows\system32\rasman.dll
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x72040000  0x31000   6.00.6000.16386  C:\Windows\system32\TAPI32.dll
  0x754b0000  0xc000    6.00.6000.16386  C:\Windows\system32\rtutils.dll
  0x74900000  0x32000   6.00.6001.18000  C:\Windows\system32\WINMM.dll
  0x748c0000  0x39000   4.02.5406.0000  C:\Windows\system32\OLEACC.dll
  0x73350000  0x6000    6.00.6000.16386  C:\Windows\system32\sensapi.dll
  0x74940000  0xba000   6.00.6001.18000  C:\Windows\system32\PROPSYS.dll
  0x75aa0000  0x7000    6.00.6001.18000  C:\Windows\system32\credssp.dll
  0x75780000  0x44000   6.00.6001.18000  C:\Windows\system32\schannel.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x728f0000  0x2f000   6.00.6001.18000  C:\Windows\system32\wdmaud.drv
  0x73b90000  0x4000    6.00.6000.16386  C:\Windows\system32\ksuser.dll
  0x728c0000  0x27000   6.00.6001.18000  C:\Windows\system32\MMDevAPI.DLL
  0x73900000  0x7000    6.00.6001.18000  C:\Windows\system32\AVRT.dll
  0x754f0000  0xf000    6.00.6001.18000  C:\Windows\system32\NLAapi.dll
  0x75d00000  0x19000   6.00.6001.18000  C:\Windows\system32\IPHLPAPI.DLL
  0x75cc0000  0x35000   6.00.6001.18000  C:\Windows\system32\dhcpcsvc.DLL
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\system32\DNSAPI.dll
  0x75cb0000  0x7000    6.00.6001.18000  C:\Windows\system32\WINNSI.DLL
  0x75c80000  0x21000   6.00.6001.18000  C:\Windows\system32\dhcpcsvc6.DLL
  0x75990000  0x3b000   6.00.6001.18000  C:\Windows\system32\mswsock.dll
  0x75590000  0x5000    6.00.6001.18000  C:\Windows\System32\wshtcpip.dll
  0x73a00000  0x6000    6.00.6000.16386  C:\Windows\system32\rasadhlp.dll
  0x75a00000  0x5000    6.00.6001.18000  C:\Windows\System32\wship6.dll
  0x739f0000  0x8000    6.00.6000.16386  C:\Windows\System32\winrnr.dll
  0x739e0000  0xf000    6.00.6001.18000  C:\Windows\system32\napinsp.dll
  0x75b00000  0x35000   6.00.6001.18000  C:\Windows\system32\ncrypt.dll
  0x75ab0000  0x45000   6.00.6001.18000  C:\Windows\system32\BCRYPT.dll
  0x75720000  0x15000   6.00.6001.18000  C:\Windows\system32\GPAPI.dll
  0x75d60000  0x3a000   6.00.6001.18000  C:\Windows\system32\slc.dll
  0x715b0000  0x62000   6.00.6001.18000  C:\Windows\system32\mscms.dll
  0x714b0000  0x7d000   5.07.0000.18000  C:\Windows\system32\jscript.dll
  0x71570000  0x39000   7.00.6001.18000  C:\Windows\system32\Dxtrans.dll
  0x75480000  0x14000   3.05.2284.0000  C:\Windows\system32\ATL.DLL
  0x74df0000  0xa000    6.00.6000.16386  C:\Windows\system32\ddrawex.dll
  0x713c0000  0xe5000   6.00.6001.18000  C:\Windows\system32\DDRAW.dll
  0x74e70000  0x6000    6.00.6000.16386  C:\Windows\system32\DCIMAN32.dll
  0x73cc0000  0xc000    6.00.6001.18000  C:\Windows\system32\dwmapi.dll
  0x74aa0000  0xc000    7.00.6001.18000  C:\Windows\system32\ImgUtil.dll
  0x74860000  0xe000    7.00.6001.18000  C:\Windows\system32\pngfilt.dll
  0x71360000  0x57000   7.00.6001.18000  C:\Windows\system32\Dxtmsft.dll
  0x71260000  0x77000   7.00.6001.18000  C:\Windows\system32\mshtmled.dll
  0x79000000  0x46000   2.00.50727.1434  C:\Windows\system32\mscoree.dll
  0x63f00000  0xc000    2.00.50727.1434  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
  0x711c0000  0x9b000   8.00.50727.1434  C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1434_none_d08b6002442c891f\MSVCR80.dll
  0x71e30000  0x146000  6.00.6001.18000  C:\Windows\system32\browseui.dll
  0x754c0000  0x30000   6.00.6001.18000  C:\Windows\system32\DUser.dll
  0x63f50000  0x19000   2.00.50727.1434  C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
  0x77820000  0x73000   6.00.6001.18000  C:\Windows\system32\comdlg32.dll
  0x72650000  0x41000   6.00.6001.18000  C:\Windows\System32\msshsq.dll
  0x726f0000  0x107000  6.00.6001.18000  C:\Windows\system32\SHDOCVW.dll
  0x73bb0000  0x26000   6.00.6001.18000  C:\Windows\system32\dssenh.dll
  0x74a00000  0x1b000   6.00.6001.18000  C:\Windows\system32\cryptnet.dll
  0x73cd0000  0x15000   6.00.6001.18000  C:\Windows\system32\Cabinet.dll
  0x72f50000  0x126000  8.100.1043.0000  C:\Windows\System32\msxml3.dll
  0x71fc0000  0x33000   7.00.6001.18000  C:\Windows\system32\MSRATING.dll
------------------------------------------------------------------------------
WmiPrvSE.exe pid: 2188
Command line: C:\Windows\system32\wbem\wmiprvse.exe

  Base        Size      Version	        Path
  0x00c70000  0x3f000   6.00.6001.18000  C:\Windows\system32\wbem\wmiprvse.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x73f10000  0x5b000   6.00.6001.18000  C:\Windows\system32\wbemcomn.dll
  0x773a0000  0x8d000   6.00.6001.18000  C:\Windows\system32\OLEAUT32.dll
  0x776d0000  0x144000  6.00.6001.18000  C:\Windows\system32\ole32.dll
  0x73af0000  0x99000   6.00.6001.18000  C:\Windows\system32\wbem\FastProx.dll
  0x75de0000  0x18000   6.00.6001.18000  C:\Windows\system32\NTDSAPI.dll
  0x75e20000  0x2c000   6.00.6001.18000  C:\Windows\system32\DNSAPI.dll
  0x76380000  0x2d000   6.00.6001.18000  C:\Windows\system32\WS2_32.dll
  0x77c70000  0x6000    6.00.6001.18000  C:\Windows\system32\NSI.dll
  0x76ec0000  0x4a000   6.00.6001.18000  C:\Windows\system32\WLDAP32.dll
  0x762e0000  0x7000    6.00.6000.16386  C:\Windows\system32\PSAPI.DLL
  0x75f00000  0x75000   6.00.6001.18000  C:\Windows\system32\NETAPI32.dll
  0x76210000  0x14000   6.00.6001.18000  C:\Windows\system32\Secur32.dll
  0x76120000  0xf000    6.00.6001.18000  C:\Windows\system32\NCObjAPI.DLL
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x756a0000  0x21000   6.00.6001.18000  C:\Windows\system32\NTMARTA.DLL
  0x75c40000  0x11000   6.00.6001.18000  C:\Windows\system32\SAMLIB.dll
  0x77160000  0x84000   2001.12.6931.18000  C:\Windows\system32\CLBCatQ.DLL
  0x72930000  0xb000    6.00.6001.18000  C:\Windows\system32\wbem\wbemprox.dll
  0x75740000  0x3b000   6.00.6001.18000  C:\Windows\system32\rsaenh.dll
  0x72920000  0x10000   6.00.6001.18000  C:\Windows\system32\wbem\wbemsvc.dll
  0x73ad0000  0x17000   6.00.6001.18000  C:\Windows\system32\wbem\wmiutils.dll
  0x6fdc0000  0x150000  6.00.6001.18000  C:\Windows\system32\wbem\cimwin32.dll
  0x71530000  0x35000   6.00.6001.18000  C:\Windows\system32\framedynos.dll
  0x778a0000  0x18a000  6.00.6001.18000  C:\Windows\system32\SETUPAPI.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x757d0000  0xd7000   6.00.6000.16386  C:\Windows\system32\WINBRAND.dll
  0x75680000  0x1a000   6.00.6001.18000  C:\Windows\system32\POWRPROF.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
------------------------------------------------------------------------------
perl.exe pid: 3964
Command line: perl  ..\Documents\test1.pl 

  Base        Size      Version	        Path
  0x00400000  0xb000    5.10.0001.1006  C:\Perl\bin\perl.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\MSVCRT.dll
  0x28000000  0xdb000   5.10.0001.1006  C:\Perl\bin\perl510.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x76180000  0x2c000   6.00.6001.18000  C:\Windows\system32\apphelp.dll
------------------------------------------------------------------------------
Listdlls.exe pid: 2912
Command line: Listdlls

  Base        Size      Version	        Path
  0x00400000  0x29000   2.25.0000.0000  C:\Users\Administrator\Downloads\Listdlls.exe
  0x77b00000  0x127000  6.00.6001.18000  C:\Windows\system32\ntdll.dll
  0x772c0000  0xdb000   6.00.6001.18000  C:\Windows\system32\kernel32.dll
  0x76f90000  0x9d000   6.00.6001.18000  C:\Windows\system32\USER32.dll
  0x77680000  0x4b000   6.00.6001.18000  C:\Windows\system32\GDI32.dll
  0x77500000  0xc6000   6.00.6001.18000  C:\Windows\system32\ADVAPI32.dll
  0x77a30000  0xc3000   6.00.6001.18000  C:\Windows\system32\RPCRT4.dll
  0x75660000  0x8000    6.00.6001.18000  C:\Windows\system32\VERSION.dll
  0x77cb0000  0xaa000   7.00.6001.18000  C:\Windows\system32\msvcrt.dll
  0x77820000  0x73000   6.00.6001.18000  C:\Windows\system32\comdlg32.dll
  0x77620000  0x58000   6.00.6001.18000  C:\Windows\system32\SHLWAPI.dll
  0x74670000  0x85000   5.82.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6001.18000_none_886786f450a74a05\COMCTL32.dll
  0x763b0000  0xb0f000  6.00.6001.18000  C:\Windows\system32\SHELL32.dll
  0x77c80000  0x29000   6.00.6001.18000  C:\Windows\system32\imagehlp.dll
  0x77c30000  0x1e000   6.00.6001.18000  C:\Windows\system32\IMM32.DLL
  0x77430000  0xc8000   6.00.6001.18000  C:\Windows\system32\MSCTF.dll
  0x77c60000  0x9000    6.00.6001.18000  C:\Windows\system32\LPK.DLL
  0x76f10000  0x7d000   1.626.6001.18000  C:\Windows\system32\USP10.dll
  0x74f70000  0x19e000  6.10.6001.18000  C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
**** NETBIOS INFORMATION ****

    
Local Area Connection:
Node IpAddress: [192.168.1.117] Scope Id: []

    No names in cache
**** NETWORK ACTIVITY INFORMATION ****


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4

 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4

 Can not obtain ownership information
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       532
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       884
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       976
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       604
 [lsass.exe]
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       1472
 [dns.exe]
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       592
 [services.exe]
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       1472
 [dns.exe]
  TCP    192.168.1.117:53       0.0.0.0:0              LISTENING       1472
 [dns.exe]
  TCP    192.168.1.117:139      0.0.0.0:0              LISTENING       4

 Can not obtain ownership information
  TCP    [::]:80                [::]:0                 LISTENING       4

 Can not obtain ownership information
  TCP    [::]:135               [::]:0                 LISTENING       848
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING       4

 Can not obtain ownership information
  TCP    [::]:49152             [::]:0                 LISTENING       532
 [wininit.exe]
  TCP    [::]:49153             [::]:0                 LISTENING       884
  EventLog
 [svchost.exe]
  TCP    [::]:49154             [::]:0                 LISTENING       976
  Schedule
 [svchost.exe]
  TCP    [::]:49155             [::]:0                 LISTENING       604
 [lsass.exe]
  TCP    [::]:49156             [::]:0                 LISTENING       1472
 [dns.exe]
  TCP    [::]:49157             [::]:0                 LISTENING       592
 [services.exe]
  TCP    [::1]:53               [::]:0                 LISTENING       1472
 [dns.exe]
  TCP    [fe80::e9fc:59ac:4d5d:da19%10]:53  [::]:0                 LISTENING       1472
 [dns.exe]
  UDP    0.0.0.0:123            *:*                                    1056
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    976
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*                                    976
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                                    1168
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:63509          *:*                                    1472
 [dns.exe]
  UDP    127.0.0.1:53           *:*                                    1472
 [dns.exe]
  UDP    127.0.0.1:53586        *:*                                    2752
 [iexplore.exe]
  UDP    192.168.1.117:53       *:*                                    1472
 [dns.exe]
  UDP    192.168.1.117:137      *:*                                    4

 Can not obtain ownership information
  UDP    192.168.1.117:138      *:*                                    4

 Can not obtain ownership information
  UDP    [::]:123               *:*                                    1056
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*                                    976
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                                    1168
  Dnscache
 [svchost.exe]
  UDP    [::]:63510             *:*                                    1472
 [dns.exe]
  UDP    [::1]:53               *:*                                    1472
 [dns.exe]
  UDP    [::1]:56742            *:*                                    1472
 [dns.exe]
  UDP    [fe80::e9fc:59ac:4d5d:da19%10]:53  *:*                                    1472
 [dns.exe]
===========================================================================
Interface List
 10 ...08 00 27 00 02 46 ...... Intel(R) PRO/1000 MT Desktop Adapter
  1 ........................... Software Loopback Interface 1
 12 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter
 11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.117     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.117    266
    192.168.1.117  255.255.255.255         On-link     192.168.1.117    266
    192.168.1.255  255.255.255.255         On-link     192.168.1.117    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.117    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.117    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 11     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 11     18 2001::/32                On-link
 11    266 2001:0:4137:9e50:1812:1b8e:3f57:fe8a/128
                                    On-link
 10    266 fe80::/64                On-link
 11    266 fe80::/64                On-link
 11    266 fe80::1812:1b8e:3f57:fe8a/128
                                    On-link
 10    266 fe80::e9fc:59ac:4d5d:da19/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
**** TASK INFORMATION ****


Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title                                                            
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process              0 Services                   0         12 K Unknown         NT AUTHORITY\SYSTEM                                    35:11:22 N/A                                                                     
System                           4 Services                   0      2,976 K Unknown         N/A                                                     0:01:17 N/A                                                                     
smss.exe                       396 Services                   0        672 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
csrss.exe                      464 Services                   0      4,900 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:03 N/A                                                                     
csrss.exe                      508 Console                    1      7,056 K Not Responding  NT AUTHORITY\SYSTEM                                     0:00:45 N/A                                                                     
wininit.exe                    532 Services                   0      3,864 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
winlogon.exe                   544 Console                    1      4,460 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:01 N/A                                                                     
services.exe                   592 Services                   0      6,200 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:04 N/A                                                                     
lsass.exe                      604 Services                   0      9,120 K Unknown         NT AUTHORITY\SYSTEM                                     0:01:32 N/A                                                                     
lsm.exe                        612 Services                   0      3,764 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:09 N/A                                                                     
svchost.exe                    772 Services                   0      5,692 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:11 N/A                                                                     
VBoxService.exe                816 Services                   0      3,672 K Unknown         NT AUTHORITY\SYSTEM                                     0:01:48 N/A                                                                     
svchost.exe                    848 Services                   0      5,760 K Unknown         NT AUTHORITY\NETWORK SERVICE                            0:00:03 N/A                                                                     
svchost.exe                    884 Services                   0      8,292 K Unknown         NT AUTHORITY\LOCAL SERVICE                              0:00:11 N/A                                                                     
svchost.exe                    964 Services                   0      5,628 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
svchost.exe                    976 Services                   0     26,360 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:16 N/A                                                                     
SLsvc.exe                      996 Services                   0      5,672 K Unknown         NT AUTHORITY\NETWORK SERVICE                            0:00:06 N/A                                                                     
svchost.exe                   1056 Services                   0      8,832 K Unknown         NT AUTHORITY\LOCAL SERVICE                              0:00:02 N/A                                                                     
svchost.exe                   1140 Services                   0      8,336 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:08 N/A                                                                     
svchost.exe                   1168 Services                   0     15,396 K Unknown         NT AUTHORITY\NETWORK SERVICE                            0:00:04 N/A                                                                     
svchost.exe                   1292 Services                   0      9,404 K Unknown         NT AUTHORITY\LOCAL SERVICE                              0:00:05 N/A                                                                     
spoolsv.exe                   1432 Services                   0      8,432 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:03 N/A                                                                     
dns.exe                       1472 Services                   0      6,504 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:02 N/A                                                                     
svchost.exe                   1512 Services                   0      4,980 K Unknown         NT AUTHORITY\NETWORK SERVICE                            0:00:00 N/A                                                                     
svchost.exe                   1532 Services                   0      2,792 K Unknown         NT AUTHORITY\LOCAL SERVICE                              0:00:00 N/A                                                                     
svchost.exe                   1564 Services                   0      4,076 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
taskeng.exe                   1948 Services                   0      5,324 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
msdtc.exe                     1812 Services                   0      6,648 K Unknown         NT AUTHORITY\NETWORK SERVICE                            0:00:00 N/A                                                                     
taskeng.exe                   2028 Console                    1      7,140 K Running         WIN-71P82PQYDRP\Administrator                           0:00:01 TaskEng - Task Scheduler Engine Process                                 
dwm.exe                       1980 Console                    1      4,012 K Running         WIN-71P82PQYDRP\Administrator                           0:00:02 DWM Notification Window                                                 
explorer.exe                   936 Console                    1     26,044 K Running         WIN-71P82PQYDRP\Administrator                           0:00:24 N/A                                                                     
VBoxTray.exe                  1816 Console                    1      3,348 K Running         WIN-71P82PQYDRP\Administrator                           0:00:19 VBoxSharedClipboardClass                                                
wuauclt.exe                   2272 Console                    1      4,716 K Running         WIN-71P82PQYDRP\Administrator                           0:00:00 Windows Update Taskbar Notification                                     
svchost.exe                   3968 Services                   0      9,060 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:00 N/A                                                                     
svchost.exe                   3352 Services                   0      8,980 K Unknown         NT AUTHORITY\SYSTEM                                     0:00:01 N/A                                                                     
svchost.exe                   1004 Services                   0      4,812 K Unknown         NT AUTHORITY\NETWORK SERVICE                            0:00:00 N/A                                                                     
cmd.exe                       3232 Console                    1      2,620 K Running         WIN-71P82PQYDRP\Administrator                           0:00:00 Administrator: Command Prompt - perl  ..\Documents\test1.pl             
notepad.exe                   1744 Console                    1     12,448 K Running         WIN-71P82PQYDRP\Administrator                           0:00:03 test1 - Notepad                                                         
notepad.exe                   3204 Console                    1     11,520 K Running         WIN-71P82PQYDRP\Administrator                           0:00:00 sntp - Notepad                                                          
iexplore.exe                  2752 Console                    1     50,464 K Running         WIN-71P82PQYDRP\Administrator                           0:00:31 live.sysinternals.com - / - Windows Internet Explorer                   
WmiPrvSE.exe                  2188 Services                   0      6,776 K Unknown         NT AUTHORITY\NETWORK SERVICE                            0:00:00 N/A                                                                     
perl.exe                      3964 Console                    1      2,888 K Unknown         WIN-71P82PQYDRP\Administrator                           0:00:00 N/A                                                                     
tasklist.exe                  3952 Console                    1      5,088 K Unknown         WIN-71P82PQYDRP\Administrator                           0:00:00 N/A                                                                     
Process and thread information for WIN-71P82PQYDRP:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
Idle                  0   0   1    0      0    35:11:22.250     0:00:00.000
                      VM      WS    Priv Priv Pk   Faults NonP Page
                       0      12       0       0        0    0    0
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
   0   0   3136569          Running  0:00:00.000  35:11:22.250    0:00:00.000

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
System                4   8  98  486      0     0:01:17.160  3822:37:01.782
                      VM      WS    Priv Priv Pk   Faults NonP Page
                    5080    2976       0       0    15076    0    0
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
   8   0     36817            Ready  0:00:00.000   0:00:19.347    0:00:00.000
  16  15         1   Wait:Executive  0:00:00.000   0:00:00.000 3585497:48:27.242
  20  13        11   Wait:Executive  0:00:00.000   0:00:00.000 3585497:48:27.242
  24  13        13   Wait:Executive  0:00:00.000   0:00:00.000 3585497:48:27.242
  28  15      4288       Wait:Queue  0:00:00.000   0:00:03.194 3822:37:09.954
  32  15         3       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:09.954
  36  14      3174       Wait:Queue  0:00:00.000   0:00:00.941 3822:37:09.954
  40  15      7485       Wait:Queue  0:00:00.000   0:00:00.841 3822:37:09.954
  44  14     14780       Wait:Queue  0:00:00.000   0:00:00.991 3822:37:09.954
  48  15     13325       Wait:Queue  0:00:00.000   0:00:00.831 3822:37:09.954
  52  14     15180       Wait:Queue  0:00:00.000   0:00:00.991 3822:37:09.954
  56  14     20196       Wait:Queue  0:00:00.000   0:00:00.620 3822:37:09.954
  60  15     26585       Wait:Queue  0:00:00.000   0:00:00.791 3822:37:09.954
  64  15       952       Wait:Queue  0:00:00.000   0:00:00.190 3822:37:09.954
  68  12        15       Wait:Queue  0:00:00.000   0:00:00.010 3822:37:09.954
  72  15         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:09.954
  76  15         2       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:09.954
  80  13        75       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:09.954
  84  13    153906       Wait:Queue  0:00:00.000   0:00:17.905 3822:37:09.954
  88  13      2508       Wait:Queue  0:00:00.000   0:00:02.403 3822:37:09.954
  92  15         7       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:09.954
  96  15     58141       Wait:Queue  0:00:00.000   0:00:00.260 3822:37:09.954
 100  14    127554   Wait:Executive  0:00:00.000   0:00:00.070 3822:37:09.954
 104  31      8515   Wait:Suspended  0:00:00.000   0:00:02.904 3822:37:09.954
 108  18      7022  Wait:VirtualMem  0:00:00.000   0:00:00.701 3822:37:09.944
 112  17        42              jA  0:00:00.000   0:00:00.010 3822:37:09.944
 116  16    129891   Wait:Executive  0:00:00.000   0:00:00.951 3822:37:09.944
 120  23     93003   Wait:Executive  0:00:00.000   0:00:01.201 3822:37:09.944
 124   8     16285    Wait:FreePage  0:00:00.000   0:00:00.030 3822:37:09.924
 128  16         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:09.864
 132  17         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:09.864
 136  15    127555   Wait:Executive  0:00:00.000   0:00:00.030 3822:37:09.593
 140  17       416    Wait:FreePage  0:00:00.000   0:00:00.030 3822:37:09.583
 144  15    127698   Wait:Executive  0:00:00.000   0:00:00.020 3822:37:09.583
 148  15     25519   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:09.583
 152  15     25518   Wait:Executive  0:00:00.000   0:00:00.440 3822:37:09.583
 156  15     25516   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:09.583
 160  15    127584   Wait:Executive  0:00:00.000   0:00:00.040 3822:37:09.583
 164  15    127713   Wait:Executive  0:00:00.000   0:00:00.020 3822:37:09.583
 168  15         2   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:09.573
 172  15         2   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:09.573
 176  15         2   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:09.573
 180  15         2   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:09.573
 184   8      2129   Wait:DelayExec  0:00:00.000   0:00:00.000 3822:37:09.573
 188   8       179   Wait:Executive  0:00:00.000   0:00:00.020 3822:37:09.553
 192   8         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:09.493
 196   8      2133   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:08.602
 200   8        13       Wait:Queue  0:00:00.000   0:00:00.010 3822:37:08.552
 204   8      4258   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:08.552
 224  16      8462   Wait:Executive  0:00:00.000   0:00:00.480 3822:37:06.769
 236   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:05.147
 240   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:05.147
 244   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:05.147
 248   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:05.147
 252   8         2       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:05.147
 256   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:05.147
 260   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:05.147
 264   8      2129   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:05.147
 280   9         3   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:03.044
 320   8         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:02.413
 324   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:02.023
 328   8         2       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:02.023
 332   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:02.023
 336   8      2130   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:02.023
 348   8         3       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:01.882
 352   8     13452       Wait:Queue  0:00:00.000   0:00:00.010 3822:37:01.872
 356   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:01.872
 360   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:01.872
 364   8        86       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:01.872
 368   8         3       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:01.872
 372   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:37:01.872
 376   8      6938       Wait:Queue  0:00:00.000   0:00:00.010 3822:37:01.872
 384   8      2129   Wait:Executive  0:00:00.000   0:00:00.000 3822:37:01.872
 392   9       202  Wait:LpcReceive  0:00:00.000   0:00:00.020 3822:37:01.782
 476   8         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:55.603
 560   8      1608       Wait:Queue  0:00:00.000   0:00:00.070 3822:36:53.190
 632  15        19   Wait:Executive  0:00:00.000   0:00:00.010 3822:36:51.457
 812   9     29882   Wait:Executive  0:00:00.000   0:00:02.273 3822:36:46.811
1324   8        41   Wait:Executive  0:00:00.000   0:00:00.010 3822:36:42.346
1384   8         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:41.760
1408   9     31470   Wait:Executive  0:00:00.000   0:00:00.040 3822:36:36.040
1412   8      1065   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:36.040
1416   8      1080   Wait:Executive  0:00:00.000   0:00:00.010 3822:36:36.040
1420   8         5   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:36.040
1424  11         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:36.040
1428   8      2130   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:36.040
1844   9       195       Wait:Queue  0:00:00.000   0:00:00.030 3822:36:33.294
1864   9         5       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:33.264
1868   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:33.254
1872   9         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:33.244
1880   9         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:33.224
1884   9         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:33.214
1916  15         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:32.976
 304  15         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:35:43.725
1148  15         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:34:35.429
1820  15         1   Wait:Executive  0:00:00.000   0:00:00.000 3822:34:27.397
3040   8     11002       Wait:Queue  0:00:00.000   0:00:00.010   17:02:26.041
3304  13    115179       Wait:Queue  0:00:00.000   0:00:02.904   12:24:11.375

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
smss                396  11   4   28    248     0:00:00.240  3822:37:01.772
                      VM      WS    Priv Priv Pk   Faults NonP Page
                    4468     672     248     284      275    0    7
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 400  12       196     Wait:UserReq  0:00:00.000   0:00:00.220 3822:37:01.772
 448  12        12  Wait:LpcReceive  0:00:00.000   0:00:00.020 3822:36:56.304
 460  12         5  Wait:LpcReceive  0:00:00.000   0:00:00.000 3822:36:56.294
 496  12         7  Wait:LpcReceive  0:00:00.000   0:00:00.000 3822:36:53.941

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
csrss               464  13  11  409   1620     0:00:03.745  3822:36:56.054
                      VM      WS    Priv Priv Pk   Faults NonP Page
                  110104    4900    1620    1728     3643    4  122
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 480  15         6    Wait:LpcReply  0:00:00.000   0:00:00.000 3822:36:54.031
 484  14        38     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:54.031
 488  14     38256  Wait:LpcReceive  0:00:00.220   0:00:00.851 3822:36:53.981
 492  14         3  Wait:LpcReceive  0:00:00.000   0:00:00.000 3822:36:53.951
 540  14     38182  Wait:LpcReceive  0:00:00.130   0:00:00.871 3822:36:53.380
 568  15      1849     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:52.970
 576  15        32     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:52.970
 620  14     38140  Wait:LpcReceive  0:00:00.210   0:00:00.670 3822:36:51.848
 624  12         3     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:51.848
 628  15       498     Wait:UserReq  0:00:00.010   0:00:00.030 3822:36:51.838
1808  15       182     Wait:UserReq  0:00:00.010   0:00:00.000 3822:21:41.642

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
csrss               508  13   9  226   2052     0:00:45.275  3822:36:53.931
                      VM      WS    Priv Priv Pk   Faults NonP Page
                  112028    7056    2052    2092     8810    5  119
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 516  15       498    Wait:LpcReply  0:00:00.000   0:00:00.070 3822:36:53.400
 520  14       420     Wait:UserReq  0:00:00.000   0:00:00.060 3822:36:53.400
 524  14     18510  Wait:LpcReceive  0:00:00.270   0:00:06.559 3822:36:53.400
 528  14         3  Wait:LpcReceive  0:00:00.000   0:00:00.000 3822:36:53.390
 552  14     18721  Wait:LpcReceive  0:00:00.260   0:00:07.580 3822:36:53.360
 572  15    920294     Wait:UserReq  0:00:00.000   0:00:04.826 3822:36:52.970
 580  15     75664     Wait:UserReq  0:00:00.000   0:00:14.991 3822:36:52.960
 276  14     18687  Wait:LpcReceive  0:00:00.200   0:00:06.990 3822:18:59.699
2204  15     32114     Wait:UserReq  0:00:00.110   0:00:02.834 3822:18:50.165

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
wininit             532  13   3  100   1112     0:00:00.821  3822:36:53.390
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   44132    3864    1112    1236     1865    4   47
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 536  15       264     Wait:UserReq  0:00:00.030   0:00:00.410 3822:36:53.390
 600  15         7     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:51.958
 412  15        11       Wait:Queue  0:00:00.020   0:00:00.110 3822:35:14.931

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
winlogon            544  13   3  120   1304     0:00:01.151  3822:36:53.370
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   34424    4460    1304    1420     2526    2   34
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 548  15       572     Wait:UserReq  0:00:00.040   0:00:00.250 3822:36:53.370
 952  15        39     Wait:UserReq  0:00:00.000   0:00:00.010 3822:36:45.645
 388  13         2       Wait:Queue  0:00:00.000   0:00:00.000    0:26:55.855

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
services            592   9   7  236   2124     0:00:04.165  3822:36:52.489
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   39268    6200    2124    3144     7869    6   47
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 732  11        54     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:47.632
 808   9         8       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:46.961
 456  11         4     Wait:UserReq  0:00:00.000   0:00:00.010 3822:35:09.836
 452  10        87     Wait:UserReq  0:00:00.000   0:00:00.000 3822:35:09.836
3528  11       730       Wait:Queue  0:00:00.000   0:00:00.030    0:24:04.258
1768  10         9       Wait:Queue  0:00:00.000   0:00:00.000    0:01:08.788
2700   9         1       Wait:Queue  0:00:00.000   0:00:00.000    0:01:08.788

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
lsass               604   9  17  617   3664     0:01:32.633  3822:36:51.928
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   49480    9120    3664    3768    11709    9   57
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 640  10         6   Wait:Executive  0:00:00.000   0:00:00.000 3822:36:50.085
 644  11      1598     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:49.685
 648   9        48       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:49.685
 656  10      1925  Wait:LpcReceive  0:00:00.000   0:00:00.120 3822:36:49.675
 680  10    103438  Wait:LpcReceive  0:00:01.091   0:00:05.247 3822:36:48.723
 684  10     12853     Wait:UserReq  0:00:00.550   0:00:03.424 3822:36:48.723
 688  10     12852     Wait:UserReq  0:00:00.660   0:00:03.384 3822:36:48.723
 692  10     12896     Wait:UserReq  0:00:00.851   0:00:03.474 3822:36:48.723
 696  10     12865     Wait:UserReq  0:00:00.690   0:00:03.535 3822:36:48.723
 700  10     12863     Wait:UserReq  0:00:00.570   0:00:03.224 3822:36:48.723
 704  10     12865     Wait:UserReq  0:00:00.640   0:00:03.555 3822:36:48.723
 708  10     12866     Wait:UserReq  0:00:00.650   0:00:03.835 3822:36:48.723
 712  10     12848     Wait:UserReq  0:00:00.781   0:00:03.434 3822:36:48.723
 716   9         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:48.723
 724  10        53     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:48.683
1392  11    103492       Wait:Queue  0:00:04.496   0:00:22.852 3822:19:22.872
3760  11      4718       Wait:Queue  0:00:00.140   0:00:00.450    1:05:49.116

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
lsm                 612   8  10  154   1572     0:00:09.864  3822:36:51.878
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   33052    3776    1572    1624     5445    3   33
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 616   9        90     Wait:UserReq  0:00:00.000   0:00:00.060 3822:36:51.878
 892   9        34  Wait:LpcReceive  0:00:00.000   0:00:00.000 3822:36:46.006
 896   8         5     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:46.006
 904   9        29  Wait:LpcReceive  0:00:00.000   0:00:00.000 3822:36:45.988
 912   9        28  Wait:LpcReceive  0:00:00.000   0:00:00.010 3822:36:45.951
 916   9        28  Wait:LpcReceive  0:00:00.000   0:00:00.010 3822:36:45.951
 920   9       145     Wait:UserReq  0:00:00.010   0:00:00.000 3822:36:45.951
 924   9        12     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:45.942
2268   9       336       Wait:Queue  0:00:00.030   0:00:00.000    0:01:30.800
2900   9       140       Wait:Queue  0:00:00.000   0:00:00.000    0:00:00.440

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost             772   8   7  293   2348     0:00:11.256  3822:36:47.211
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   40184    5692    2348    2384    65607    4   40
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 776  10       201   Wait:Executive  0:00:00.170   0:00:00.690 3822:36:47.211
 788  10        71     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:46.961
 800   9       635     Wait:UserReq  0:00:00.000   0:00:00.020 3822:36:46.961
 836   8         8       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:46.339
 840   8        40       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:46.321
3564   9         7       Wait:Queue  0:00:00.000   0:00:00.010    0:04:56.357
3436   9         7       Wait:Queue  0:00:00.010   0:00:00.000    0:01:08.788

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
VBoxService         816   8   3   75   1320     0:01:48.846  3822:36:46.771
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   33628    3672    1320    1348   100468    2   33
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 820   9        31   Wait:Executive  0:00:00.000   0:00:00.050 3822:36:46.771
 824   9     12806     Wait:UserReq  0:00:00.000   0:00:00.050 3822:36:46.650
 832   9    358953     Wait:UserReq  0:00:10.374   0:01:38.361 3822:36:46.630

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost             848   8   8  266   2744     0:00:03.244  3822:36:46.231
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   36968    5760    2744    2788     6355    7   47
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 852   9        11   Wait:Executive  0:00:00.000   0:00:00.020 3822:36:46.231
 856  10      1743   Wait:DelayExec  0:00:00.020   0:00:00.080 3822:36:46.213
 860  10       133       Wait:Queue  0:00:00.000   0:00:00.010 3822:36:46.177
 864  10        86     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:46.177
3240   8       138   Wait:DelayExec  0:00:00.000   0:00:00.000    1:40:35.820
3216   9       176       Wait:Queue  0:00:00.010   0:00:00.010    0:02:47.781
2284   9        24       Wait:Queue  0:00:00.000   0:00:00.000    0:01:01.278
4024   8         1       Wait:Queue  0:00:00.000   0:00:00.000    0:01:01.117

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost             884   8  15  300   5516     0:00:11.596  3822:36:46.015
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   45420    8292    5516    6240    91917    9   44
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 888  10        20   Wait:Executive  0:00:00.000   0:00:00.020 3822:36:46.015
 940   9       743     Wait:UserReq  0:00:00.070   0:00:00.220 3822:36:45.780
 956   9      3922     Wait:UserReq  0:00:00.010   0:00:00.040 3822:36:45.591
 984  10      1321     Wait:UserReq  0:00:00.000   0:00:00.070 3822:36:45.312
1184   9        13     Wait:UserReq  0:00:00.000   0:00:00.010 3822:36:43.374
1192   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:43.338
1196   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:43.320
1200   9        39     Wait:UserReq  0:00:00.000   0:00:00.020 3822:36:43.320
1204  10        16     Wait:UserReq  0:00:00.010   0:00:00.010 3822:36:43.311
1208   9        34     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:43.293
2636  10        79     Wait:UserReq  0:00:00.000   0:00:00.010    3:19:25.367
3120  10        34     Wait:UserReq  0:00:00.000   0:00:00.000    3:19:25.287
3932  10        62     Wait:UserReq  0:00:00.000   0:00:00.010    3:19:25.277
 212   9       226       Wait:Queue  0:00:00.000   0:00:00.020    0:03:17.904
 760   8       549            Ready  0:00:00.000   0:00:00.050    0:01:01.528

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost             964   8   5  144   2888     0:00:00.751  3822:36:45.537
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   37980    5628    2888    2944     1834    3   37
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 968   9        36   Wait:Executive  0:00:00.020   0:00:00.020 3822:36:45.537
1028  10         3     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:44.618
1440   2      1468     Wait:UserReq  0:00:00.120   0:00:00.190 3822:36:35.980
 720   2       248     Wait:UserReq  0:00:00.030   0:00:00.170 3822:19:00.951
1404   9         9       Wait:Queue  0:00:00.000   0:00:00.000    1:11:16.305

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost             976   8  44  916  20792     0:00:16.123  3822:36:45.330
                      VM      WS    Priv Priv Pk   Faults NonP Page
                  110660   26376   20792   22980   106218   33  111
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 980  10       582   Wait:Executive  0:00:00.060   0:00:00.090 3822:36:45.330
 992   9        47     Wait:UserReq  0:00:00.010   0:00:00.010 3822:36:45.221
1136  10     12070     Wait:UserReq  0:00:00.010   0:00:00.040 3822:36:43.671
1244   9       217     Wait:UserReq  0:00:00.000   0:00:00.140 3822:36:43.239
1260  10       462     Wait:UserReq  0:00:00.000   0:00:00.020 3822:36:43.193
1264   9       303     Wait:UserReq  0:00:00.040   0:00:00.140 3822:36:43.184
1268   9       201       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:42.968
1272   9      2135     Wait:UserReq  0:00:00.120   0:00:00.460 3822:36:42.869
1280   9         3     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:42.842
1284   8        16     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:42.752
1288  10        38     Wait:UserReq  0:00:00.010   0:00:00.000 3822:36:42.752
1480   9       115  Wait:LpcReceive  0:00:00.000   0:00:00.010 3822:36:35.792
1484   9       202     Wait:UserReq  0:00:00.000   0:00:00.010 3822:36:35.792
1576  11       165     Wait:UserReq  0:00:00.000   0:00:00.070 3822:36:34.830
1640  10     11991     Wait:UserReq  0:00:00.200   0:00:02.103 3822:36:34.245
1696   9         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.948
1708   9         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.859
1856   9        11     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.284
1896  11        43  Wait:LpcReceive  0:00:00.010   0:00:00.010 3822:36:33.135
1936   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:32.689
 428  10        75     Wait:UserReq  0:00:00.000   0:00:00.010 3822:35:09.941
 472   8         5     Wait:UserReq  0:00:00.000   0:00:00.010 3822:35:09.931
  12   8         5     Wait:UserReq  0:00:00.000   0:00:00.000 3822:35:09.931
 672  10      1484     Wait:UserReq  0:00:00.030   0:00:00.440 3822:34:29.017
1648  10       374     Wait:UserReq  0:00:00.040   0:00:00.270 3822:34:25.851
2588  10     50226       Wait:Queue  0:00:00.020   0:00:00.170 3629:14:35.207
1100  10        81     Wait:UserReq  0:00:00.000   0:00:00.010 3629:14:35.087
2056   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3629:14:34.857
2616   8        13     Wait:UserReq  0:00:00.000   0:00:00.000 3629:14:34.687
3568   8         5     Wait:UserReq  0:00:00.000   0:00:00.000 3629:14:34.687
2484   9         2     Wait:UserReq  0:00:00.000   0:00:00.010 3629:14:34.496
2800   8         3       Wait:Queue  0:00:00.000   0:00:00.000    0:47:48.796
3172   9        99       Wait:Queue  0:00:00.000   0:00:00.010    0:47:45.071
3828  10        17     Wait:UserReq  0:00:00.020   0:00:00.010    0:25:11.485
2804  10       263       Wait:Queue  0:00:00.050   0:00:00.040    0:13:15.725
3960   9        12   Wait:DelayExec  0:00:00.000   0:00:00.000    0:04:48.196
3736   9        52       Wait:Queue  0:00:00.000   0:00:00.000    0:04:47.935
2508   9        55       Wait:Queue  0:00:00.000   0:00:00.010    0:01:01.087
2316   9        73       Wait:Queue  0:00:00.010   0:00:00.000    0:01:00.787
2764   8         2       Wait:Queue  0:00:00.000   0:00:00.000    0:00:01.201
3612   8         2       Wait:Queue  0:00:00.000   0:00:00.000    0:00:01.201
3780   9        11     Wait:UserReq  0:00:00.000   0:00:00.000    0:00:00.590
3524   9         2     Wait:UserReq  0:00:00.000   0:00:00.000    0:00:00.580
3408   8         1     Wait:UserReq  0:00:00.000   0:00:00.000    0:00:00.580

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
SLsvc               996   8   4   73   4192     0:00:06.379  3822:36:45.203
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   35988    5672    4192    8780    12370    2   34
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1000   9        82   Wait:Executive  0:00:00.010   0:00:00.050 3822:36:45.203
1096  10        64     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:44.149
1372  13       220     Wait:UserReq  0:00:00.000   0:00:01.612 3822:36:41.977
1456   9        12       Wait:Queue  0:00:00.010   0:00:00.000   17:03:54.257

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1056   8  12  309   4416     0:00:02.543  3822:36:44.329
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   61268    8832    4416    4544     5236   13   63
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1060  10       103   Wait:Executive  0:00:00.030   0:00:00.030 3822:36:44.329
1124  10      1262     Wait:UserReq  0:00:00.000   0:00:00.060 3822:36:43.761
1132   8        10       Wait:Queue  0:00:00.000   0:00:00.010 3822:36:43.734
1620  15        12     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:34.404
1860   9        32     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.284
1876  10       189     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.234
1928  10       256     Wait:UserReq  0:00:00.020   0:00:00.010 3822:36:32.828
4040   9        88     Wait:UserReq  0:00:00.000   0:00:00.060 3822:06:39.194
2536   9        21     Wait:UserReq  0:00:00.000   0:00:00.020 3629:14:36.149
2780   8      9877       Wait:Queue  0:00:00.000   0:00:00.010 3629:14:35.878
3252  10       809       Wait:Queue  0:00:00.020   0:00:00.130   17:04:04.823
4084   8         2       Wait:Queue  0:00:00.000   0:00:00.000    0:10:24.329

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1140   8  20  249   6964     0:00:08.752  3822:36:43.581
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   69992    8336    6964    7272    17653    8   63
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1144  10       116   Wait:Executive  0:00:00.020   0:00:00.030 3822:36:43.581
1156  10       105     Wait:UserReq  0:00:00.000   0:00:00.010 3822:36:43.491
1160   9        38  Wait:LpcReceive  0:00:00.010   0:00:00.010 3822:36:43.491
1596   9        17       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:34.582
1600   9       141       Wait:Queue  0:00:00.010   0:00:00.150 3822:36:34.582
1836   9        22     Wait:UserReq  0:00:00.000   0:00:00.010 3822:26:31.689
 404   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
1328   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
 828   8         2       Wait:Queue  0:00:00.000   0:00:00.010 3822:26:31.679
1840   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
2008   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
2040   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
1924   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
1932   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
1944   8         1       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
 284   8         4       Wait:Queue  0:00:00.000   0:00:00.000 3822:26:31.679
1044   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:26:31.649
2164  11         6       Wait:Queue  0:00:00.000   0:00:00.000 3822:18:50.376
2352  10       527     Wait:UserReq  0:00:00.010   0:00:00.030 3822:18:41.022
3492   8         2       Wait:Queue  0:00:00.000   0:00:00.000    0:04:19.948

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1168   8  17  496  12168     0:00:04.907  3822:36:43.419
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   79656   15396   12168   12444    34781   12   78
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1172  10       370   Wait:Executive  0:00:00.050   0:00:00.060 3822:36:43.419
1216   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:43.257
1220  10       231     Wait:UserReq  0:00:00.020   0:00:00.110 3822:36:43.257
1224  10       620     Wait:UserReq  0:00:00.030   0:00:00.210 3822:36:43.257
1232  10     26488     Wait:UserReq  0:00:00.000   0:00:00.050 3822:36:43.257
1668   8         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.988
1732   9        62       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:33.770
1784   9       517     Wait:UserReq  0:00:00.010   0:00:00.140 3822:36:33.641
1888   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.145
1892   9       254     Wait:UserReq  0:00:00.030   0:00:00.100 3822:36:33.145
1504   9       442       Wait:Queue  0:00:00.000   0:00:00.040 3822:34:28.310
1832   8         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:25.903
1508  10       540       Wait:Queue  0:00:00.050   0:00:00.150    5:03:58.300
3788   8        15     Wait:UserReq  0:00:00.000   0:00:00.000    3:40:11.639
2848  10       145       Wait:Queue  0:00:00.020   0:00:00.010    0:44:45.132
3148   8         4       Wait:Queue  0:00:00.000   0:00:00.000    0:00:19.748
2036   8         3       Wait:Queue  0:00:00.000   0:00:00.000    0:00:09.744

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1292   8  17  263   5552     0:00:05.898  3822:36:42.734
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   49556    9404    5552    5956    14186   22   44
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1296  10        19   Wait:Executive  0:00:00.000   0:00:00.020 3822:36:42.734
1304  10       366     Wait:UserReq  0:00:00.000   0:00:00.010 3822:36:42.626
1308   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:42.599
1320   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:42.490
1348   9       224     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:42.067
1356   8        64     Wait:UserReq  0:00:00.020   0:00:00.020 3822:36:42.022
1376   9        40     Wait:UserReq  0:00:00.000   0:00:00.010 3822:36:41.977
1380   9        62     Wait:UserReq  0:00:00.020   0:00:00.000 3822:36:41.941
1388   9      2691       Wait:Queue  0:00:00.060   0:00:01.472 3822:36:41.742
1496  10        81     Wait:UserReq  0:00:00.010   0:00:00.030 3822:36:35.495
1660   8       150     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.998
1664   9        22     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.988
1672   9        20     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.988
1680   9        21     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.978
1688   9        23     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.968
1692   9        27     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:33.968
3936   8         2       Wait:Queue  0:00:00.000   0:00:00.000    0:02:26.029

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
spoolsv            1432   8  16  271   4696     0:00:03.124  3822:36:36.010
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   84472    8432    4696    4828     4479    7   72
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1436  10        83   Wait:Executive  0:00:00.010   0:00:00.040 3822:36:36.010
1448   9        56     Wait:UserReq  0:00:00.000   0:00:00.020 3822:36:35.911
1452  10       419     Wait:UserReq  0:00:00.000   0:00:00.010 3822:36:35.901
1460   9       348     Wait:UserReq  0:00:00.060   0:00:00.480 3822:36:35.861
1236   8    127468     Wait:UserReq  0:00:00.420   0:00:00.400 3822:34:34.927
 756   9         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.927
1300   7       215     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.927
1332   7      4263     Wait:UserReq  0:00:00.010   0:00:00.000 3822:34:34.824
1336   9         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.790
1340  10        44     Wait:UserReq  0:00:00.010   0:00:00.010 3822:34:34.767
 660  10        41     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.653
1252   9         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.630
1396   9         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.539
 768   8         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.539
 844   9         3     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:34.345
2776   9        98       Wait:Queue  0:00:00.000   0:00:00.000 3822:17:30.811

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
dns                1472   8  10  180   5168     0:00:02.243  3822:36:35.812
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   63576    6504    5168    5924     2287   11   58
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1476   9        62   Wait:Executive  0:00:00.020   0:00:00.130 3822:36:35.812
1492  10       384     Wait:UserReq  0:00:00.040   0:00:00.090 3822:36:35.495
1524   8    127584     Wait:UserReq  0:00:00.781   0:00:00.440 3822:36:35.128
1528   9       429     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:35.128
1540   9       428     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:35.128
1588   9      1836     Wait:UserReq  0:00:00.000   0:00:00.020 3822:36:34.701
1608  10       305       Wait:Queue  0:00:00.090   0:00:00.060 3822:36:34.464
1612   9       427     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:34.464
1616  10       147     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:34.454
3168   9        98       Wait:Queue  0:00:00.010   0:00:00.000 3279:43:55.500

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1512   8   5  122   1784     0:00:00.690  3822:36:35.237
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   39196    4980    1784    2188     1557    4   40
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1516   9        15   Wait:Executive  0:00:00.010   0:00:00.000 3822:36:35.237
1520  10      1861     Wait:UserReq  0:00:00.040   0:00:00.620 3822:36:35.138
1652   8        26       Wait:Queue  0:00:00.010   0:00:00.000 3822:36:34.007
1656  10        14     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:34.007
4008   8         2       Wait:Queue  0:00:00.000   0:00:00.000    3:38:50.893

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1532   8   3   73    784     0:00:00.070  3822:36:35.128
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   25732    2792     784     820      760    2   28
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1536   9        17   Wait:Executive  0:00:00.010   0:00:00.010 3822:36:35.128
1580   8         2       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:34.771
1584   8         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:34.731

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1564   8   4   91   1428     0:00:00.270  3822:36:34.880
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   39340    4076    1428    1468     1295    3   39
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1568  10        86   Wait:Executive  0:00:00.030   0:00:00.020 3822:36:34.880
1624  10       181     Wait:UserReq  0:00:00.010   0:00:00.010 3822:36:34.354
1632   9         6  Wait:LpcReceive  0:00:00.000   0:00:00.010 3822:36:34.255
1636   9       333       Wait:Queue  0:00:00.010   0:00:00.140 3822:36:34.255

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
taskeng            1948   6   5  133   1720     0:00:00.510  3822:36:32.233
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   52992    5324    1720    1804     1690    4   52
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1952   7       945     Wait:UserReq  0:00:00.010   0:00:00.100 3822:36:32.233
1956   6         8       Wait:Queue  0:00:00.000   0:00:00.000 3822:36:32.114
1960   8        79     Wait:UserReq  0:00:00.000   0:00:00.000 3822:36:32.104
1984   6        61     Wait:UserReq  0:00:00.000   0:00:00.040 3822:36:31.787
3864   7        26       Wait:Queue  0:00:00.000   0:00:00.010    5:02:35.551

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
msdtc              1812   8  11  164   2692     0:00:00.360  3822:34:28.162
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   63380    6648    2692    2748     1853    7   51
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1644   9        76   Wait:Executive  0:00:00.040   0:00:00.160 3822:34:28.162
1828   9        46     Wait:UserReq  0:00:00.000   0:00:00.020 3822:34:27.728
1040   9       237     Wait:UserReq  0:00:00.010   0:00:00.090 3822:34:27.488
1940   8         3     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:27.397
 588   9       507     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:27.397
2016   9         5       Wait:Queue  0:00:00.000   0:00:00.000 3822:34:27.386
2024   8         4     Wait:UserReq  0:00:00.000   0:00:00.010 3822:34:27.386
 796   8        17     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:27.374
1104   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:27.352
2032   8         1     Wait:UserReq  0:00:00.000   0:00:00.010 3822:34:27.352
1444  10      1023     Wait:UserReq  0:00:00.000   0:00:00.000 3822:34:27.283

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
taskeng            2028   8   9  243   2652     0:00:01.662  3822:19:00.831
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   69452    7140    2652    2724     3327    7   69
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1740  10      1119     Wait:UserReq  0:00:00.040   0:00:00.020 3822:19:00.831
1572   8         5       Wait:Queue  0:00:00.000   0:00:00.000 3822:19:00.640
1088  10       168     Wait:UserReq  0:00:00.000   0:00:00.010 3822:19:00.640
1712   9        54     Wait:UserReq  0:00:00.000   0:00:00.010 3822:19:00.380
 300   9        23     Wait:UserReq  0:00:00.000   0:00:00.020 3822:19:00.290
 344   9        11     Wait:UserReq  0:00:00.000   0:00:00.010 3822:19:00.280
1344  13      7585     Wait:UserReq  0:00:00.060   0:00:00.200 3822:18:59.789
2044   9     20650            Ready  0:00:00.080   0:00:00.430 3822:18:59.769
3176   8         3       Wait:Queue  0:00:00.000   0:00:00.000    0:05:29.044

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
dwm                1980   8   3   76   1224     0:00:02.072  3822:19:00.450
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   49012    4012    1224    1468     6747    2   50
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 876  10       258     Wait:UserReq  0:00:00.010   0:00:00.080 3822:19:00.450
1024  15       230     Wait:UserReq  0:00:00.040   0:00:00.090 3822:19:00.290
1032   8         2     Wait:UserReq  0:00:00.000   0:00:00.000 3822:19:00.290

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
explorer            936   8  16  457  19416     0:00:24.445  3822:19:00.080
                      VM      WS    Priv Priv Pk   Faults NonP Page
                  153540   26044   19416   21624    71353   12  145
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
 340  11      4920     Wait:UserReq  0:00:00.210   0:00:01.472 3822:19:00.080
1180  11    149211     Wait:UserReq  0:00:01.191   0:00:05.387 3822:18:58.447
1544  10      4017     Wait:UserReq  0:00:00.290   0:00:00.731 3822:18:58.117
 608  10       212     Wait:UserReq  0:00:00.000   0:00:00.000 3822:18:56.725
2108  10      5212     Wait:UserReq  0:00:00.160   0:00:00.701 3822:18:51.978
2116  11         6     Wait:UserReq  0:00:00.010   0:00:00.000 3822:18:51.948
2132  10         4     Wait:UserReq  0:00:00.000   0:00:00.000 3822:18:51.707
2140  10       294     Wait:UserReq  0:00:00.010   0:00:00.020 3822:18:51.247
2144  11         7     Wait:UserReq  0:00:00.010   0:00:00.000 3822:18:50.836
2148  10       227     Wait:UserReq  0:00:00.000   0:00:00.000 3822:18:50.836
2232   9        32       Wait:Queue  0:00:00.000   0:00:00.000 3822:18:49.634
2236   8       428     Wait:UserReq  0:00:00.000   0:00:00.000 3822:18:49.514
2252  10       269     Wait:UserReq  0:00:00.010   0:00:00.000 3822:18:46.760
3392  10        19     Wait:UserReq  0:00:00.010   0:00:00.010 3629:10:48.311
3732  10        81     Wait:UserReq  0:00:00.000   0:00:00.010    3:18:01.967
2264   9        91       Wait:Queue  0:00:00.000   0:00:00.000    0:25:43.090

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
VBoxTray           1816   8   7   75   1044     0:00:19.818  3822:18:56.514
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   58328    3348    1044    1148     1233    3   54
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
2052   9    253969            Ready  0:00:00.200   0:00:00.490 3822:18:56.514
2068   8    127455   Wait:Executive  0:00:00.020   0:00:04.967 3822:18:55.944
2072   8    506659   Wait:Executive  0:00:00.000   0:00:01.171 3822:18:55.944
2080   8     37191   Wait:Executive  0:00:00.420   0:00:02.763 3822:18:55.703
2084   8     35003   Wait:Executive  0:00:00.380   0:00:02.733 3822:18:55.703
2088   8     35344   Wait:Executive  0:00:00.380   0:00:03.374 3822:18:55.693
2092   8     34561   Wait:Executive  0:00:00.290   0:00:02.623 3822:18:55.693

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
wuauclt            2272   8   2  138   2364     0:00:00.280  3822:18:45.829
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   65840    4716    2364    2412     1528    3   65
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
2276  10       110     Wait:UserReq  0:00:00.020   0:00:00.220 3822:18:45.829
 504   8         8       Wait:Queue  0:00:00.000   0:00:00.000    5:02:35.771

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            3968   8   8  117   5232     0:00:00.500  3629:23:23.136
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   56292    9060    5232    6320     7882    4   53
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
3520   9        12   Wait:Executive  0:00:00.020   0:00:00.000 3629:23:23.136
3484   9        26     Wait:UserReq  0:00:00.030   0:00:00.080 3629:23:23.106
2476   9         2     Wait:UserReq  0:00:00.010   0:00:00.000 3629:23:22.986
3808   8       951     Wait:UserReq  0:00:00.000   0:00:00.010 3629:23:22.936
3704   9       415       Wait:Queue  0:00:00.010   0:00:00.020 3629:23:22.886
1780  10       247       Wait:Queue  0:00:00.000   0:00:00.030 3629:23:22.866
2528   8       819       Wait:Queue  0:00:00.000   0:00:00.000 3629:09:22.838
3940   8         5       Wait:Queue  0:00:00.000   0:00:00.000    5:02:35.781

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            3352   8  15  138   4964     0:00:01.922  3629:23:22.205
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   43868    8980    4964    6084    23933    5   38
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
3668  10        16   Wait:Executive  0:00:00.000   0:00:00.020 3629:23:22.205
3388   9        36     Wait:UserReq  0:00:00.010   0:00:00.060 3629:23:22.175
2880  11      4006       Wait:Queue  0:00:00.050   0:00:00.110 3629:23:22.055
2772   8         5       Wait:Queue  0:00:00.000   0:00:00.000 3629:23:22.055
 764  10      4266     Wait:UserReq  0:00:00.000   0:00:00.000 3629:23:22.055
2632   8        56       Wait:Queue  0:00:00.000   0:00:00.000 3629:23:22.055
2496   8        55       Wait:Queue  0:00:00.000   0:00:00.000 3629:23:22.055
3824   8        55       Wait:Queue  0:00:00.000   0:00:00.000 3629:23:22.055
2896   8        55       Wait:Queue  0:00:00.000   0:00:00.000 3629:23:22.055
3900   9        26       Wait:Queue  0:00:00.030   0:00:00.020 3629:23:22.025
1248  10        80       Wait:Queue  0:00:00.190   0:00:00.100 3629:23:21.985
3840   9       373       Wait:Queue  0:00:00.390   0:00:00.701 3629:23:21.975
 948   8         4     Wait:UserReq  0:00:00.000   0:00:00.000 3629:23:21.905
2440   8         1     Wait:UserReq  0:00:00.000   0:00:00.000 3629:23:21.895
3264   8         5       Wait:Queue  0:00:00.000   0:00:00.000    5:02:35.771

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
svchost            1004   8   9  227   3156     0:00:00.220  3629:14:36.139
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   45148    4812    3156    3192     1281    7   44
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
3368   9        15   Wait:Executive  0:00:00.000   0:00:00.010 3629:14:36.139
3076  10      3277     Wait:UserReq  0:00:00.000   0:00:00.000 3629:14:35.398
2668   9       284       Wait:Queue  0:00:00.010   0:00:00.070 3629:14:35.398
3628   8         2     Wait:UserReq  0:00:00.000   0:00:00.000 3629:14:35.207
3440   9         1   Wait:DelayExec  0:00:00.000   0:00:00.000 3629:14:35.017
3652  11        22     Wait:UserReq  0:00:00.000   0:00:00.010 3629:14:34.977
2224   9         2       Wait:Queue  0:00:00.000   0:00:00.000 3629:14:34.937
3888   9         2       Wait:Queue  0:00:00.000   0:00:00.000 3629:14:34.897
3892  10        27     Wait:UserReq  0:00:00.000   0:00:00.010 3629:14:34.867

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
cmd                3232   8   1   24   1996     0:00:00.861     3:16:22.444
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   32108    2620    1996    3028     2491    1   33
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
3500  11      3405     Wait:UserReq  0:00:00.180   0:00:00.680    3:16:22.444

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
notepad            1744   8   2  168   7144     0:00:03.264     2:32:59.861
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   71632   12448    7144    8956     4696    5   68
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
3508  12     11754     Wait:UserReq  0:00:00.360   0:00:02.804    2:32:59.861
3644   8         2       Wait:Queue  0:00:00.000   0:00:00.000    2:25:30.716

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
notepad            3204   8   2  144   5868     0:00:00.901     2:26:57.320
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   69316   11520    5868    7640     3982    4   65
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1312  10      1216     Wait:UserReq  0:00:00.190   0:00:00.670    2:26:57.320
3496   8         2       Wait:Queue  0:00:00.000   0:00:00.000    2:20:43.192

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
iexplore           2752   8  14  657  37452     0:00:31.355     1:41:27.174
                      VM      WS    Priv Priv Pk   Faults NonP Page
                  151784   50464   37452   39692    34185   22  112
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
1748  14     15851     Wait:UserReq  0:00:00.340   0:00:03.214    1:41:27.174
3048  11         3     Wait:UserReq  0:00:00.000   0:00:00.000    1:41:27.004
2420  10     19738     Wait:UserReq  0:00:01.161   0:00:10.725    1:41:26.694
3448   8      1948       Wait:Queue  0:00:00.210   0:00:00.751    1:41:26.303
1164  12      4101     Wait:UserReq  0:00:00.000   0:00:00.200    1:41:17.681
3380  12        90     Wait:UserReq  0:00:00.000   0:00:00.000    1:41:17.671
1464  10      4687     Wait:UserReq  0:00:00.310   0:00:02.523    1:41:11.912
2724   8         2       Wait:Queue  0:00:00.000   0:00:00.000    1:41:11.682
 312   8         2       Wait:Queue  0:00:00.000   0:00:00.000    1:40:52.885
2888   8         2       Wait:Queue  0:00:00.000   0:00:00.000    1:40:52.885
4092  10      7134     Wait:UserReq  0:00:01.161   0:00:03.154    0:49:07.059
2812  11      1191       Wait:Queue  0:00:00.080   0:00:00.350    0:48:58.707
2464  10      5321     Wait:UserReq  0:00:00.470   0:00:02.834    0:48:08.925
3916   8         2       Wait:Queue  0:00:00.000   0:00:00.000    0:18:20.203

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
WmiPrvSE           2188   8   8  143   3192     0:00:00.650     0:01:01.197
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   35976    6820    3192    3256     3827    4   34
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
3696   9        67     Wait:UserReq  0:00:00.020   0:00:00.050    0:01:01.197
2860   8         1     Wait:UserReq  0:00:00.000   0:00:00.000    0:01:01.117
3880   9       394       Wait:Queue  0:00:00.020   0:00:00.200    0:01:01.107
2332   8         4   Wait:DelayExec  0:00:00.000   0:00:00.000    0:01:01.087
3116   8         2     Wait:UserReq  0:00:00.000   0:00:00.000    0:01:01.077
3056   9       110       Wait:Queue  0:00:00.020   0:00:00.050    0:01:01.067
 408   9        18     Wait:UserReq  0:00:00.000   0:00:00.000    0:01:00.817
2696   9       597       Wait:Queue  0:00:00.030   0:00:00.250    0:01:00.797

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
perl               3964   8   1   24    756     0:00:00.080     0:00:05.768
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   48892    2888     756     872      943    1   34
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
2212  11        32     Wait:UserReq  0:00:00.010   0:00:00.070    0:00:05.768

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
pslist             2552  13   1  149   2580     0:00:00.130     0:00:00.130
                      VM      WS    Priv Priv Pk   Faults NonP Page
                   56152    4624    2580    2580     1180    3   53
 Tid Pri    Cswtch            State     User Time   Kernel Time   Elapsed Time
2416  15        44          Running  0:00:00.010   0:00:00.170    0:00:00.130

Process information for WIN-71P82PQYDRP:

Name                             Pid Pri Thd  Hnd      VM      WS    Priv
Idle                               0   0   1    0       0      12       0
  System                           4   8  98  486    5080    2976       0
    smss                         396  11   4   28    4468     672     248
csrss                            464  13  11  408  110104    4900    1620
csrss                            508  13   9  226  112028    7056    2052
wininit                          532  13   3  100   44132    3864    1112
  services                       592   9   7  236   39268    6200    2124
    svchost                      772   8   7  293   40184    5692    2348
      WmiPrvSE                  2188   8   8  143   35976    6820    3192
    VBoxService                  816   8   3   75   33628    3672    1320
    svchost                      848   8   8  266   36968    5760    2744
    svchost                      884   8  15  300   45420    8292    5516
    svchost                      964   8   5  144   37980    5628    2888
    svchost                      976   8  44  916  110660   26376   20792
      taskeng                   1948   6   5  133   52992    5324    1720
      taskeng                   2028   8   9  243   69452    7140    2652
      wuauclt                   2272   8   2  138   65840    4716    2364
    SLsvc                        996   8   4   73   35988    5672    4192
    svchost                     1004   8   9  227   45148    4812    3156
    svchost                     1056   8  12  309   61268    8832    4416
    svchost                     1140   8  20  249   69992    8336    6964
      dwm                       1980   8   3   76   49012    4012    1224
    svchost                     1168   8  17  496   79656   15388   12168
    svchost                     1292   8  17  263   49556    9404    5552
    spoolsv                     1432   8  16  271   84472    8432    4696
    dns                         1472   8  10  180   63576    6504    5168
    svchost                     1512   8   5  122   39196    4980    1784
    svchost                     1532   8   3   73   25732    2792     784
    svchost                     1564   8   4   91   39340    4076    1428
    msdtc                       1812   8  11  164   63380    6648    2692
    svchost                     3352   8  15  138   43868    8980    4964
    svchost                     3968   8   8  117   56292    9060    5232
  lsass                          604   9  17  617   49480    9120    3664
  lsm                            612   8  10  154   33052    3776    1572
winlogon                         544  13   3  120   34424    4460    1304
explorer                         936   8  16  457  153540   26044   19416
  VBoxTray                      1816   8   7   75   58328    3348    1044
  iexplore                      2752   8  14  657  151784   50464   37452
  cmd                           3232   8   1   24   32108    2620    1996
    notepad                     1744   8   2  168   71632   12448    7144
    notepad                     3204   8   2  144   69316   11520    5868
    perl                        3964   8   1   24   48892    2888     756
      pslist                    3208  13   1  149   56152    4624    2580

Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4 \
   2C: File  (---)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
   30: File  (---)   C:\Windows\System32\config\COMPONENTS.LOG2
   38: File  (---)   C:\Windows\System32\config\COMPONENTS
   3C: File  (---)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
   48: File  (---)   C:\Windows\System32\config\SECURITY.LOG1
   64: File  (---)   \clfs
   68: File  (---)   \clfs
   6C: File  (---)   \clfs
   70: File  (---)   C:\$Extend\$RmMetadata\$Txf
   74: File  (---)   \clfs
   78: File  (---)   \clfs
   7C: File  (---)   C:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002
   80: File  (---)   C:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001
   84: File  (---)   C:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf
   9C: File  (---)   C:\Windows\System32\config\SECURITY
   AC: File  (---)   C:\Windows\System32\config\COMPONENTS.LOG1
   CC: File  (---)   C:\Windows\System32\config\SAM
   D8: File  (---)   C:\Windows\System32\config\SECURITY.LOG2
   E8: File  (---)   C:\pagefile.sys
   EC: File  (---)   C:\Windows\System32\config\DEFAULT
   F8: File  (---)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
   FC: File  (---)   C:\Windows\System32\config\SOFTWARE
  100: File  (---)   C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
  104: File  (---)   C:\Windows\System32\config\SOFTWARE.LOG1
  108: File  (---)   C:\Windows\System32\config\SOFTWARE.LOG2
  10C: File  (---)   C:\Windows\System32\config\SYSTEM
  114: File  (---)   C:\Windows\System32\config\SYSTEM.LOG1
  118: File  (---)   C:\Windows\System32\config\SYSTEM.LOG2
  11C: File  (---)   C:\Windows\System32\config\SAM.LOG1
  120: File  (---)   C:\Windows\System32\config\SAM.LOG2
  124: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Diagnostic.etl
  128: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Operational.etl
  12C: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-ServerManager%4Analytic.etl
  130: File  (---)   C:\Windows\System32\config\DEFAULT.LOG1
  134: File  (---)   C:\Windows\System32\config\DEFAULT.LOG2
  140: File  (---)   C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf
  144: File  (---)   C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms
  148: File  (---)   C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms
  150: File  (---)   \clfs
  154: File  (---)   \clfs
  16C: File  (---)   C:\Windows\System32\en-US\win32k.sys.mui
  174: File  (---)   C:\Boot\BCD
  178: File  (---)   C:\Boot\BCD.LOG
  2A0: File  (---)   C:\Windows\System32\LogFiles\Scm\SCM.EVM
  2C8: File  (---)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TM.blf
  2D4: File  (---)   C:
  2D8: File  (---)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
  2DC: File  (---)   C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
  2E0: File  (---)   C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2
  2E4: File  (---)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TMContainer00000000000000000001.regtrans-ms
  2E8: File  (---)   C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TMContainer00000000000000000002.regtrans-ms
  2F0: File  (---)   \clfs
  2F4: File  (---)   \clfs
  310: File  (---)   C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TM.blf
  314: File  (---)   C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
  318: File  (---)   C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
  31C: File  (---)   C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2
  320: File  (---)   C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TMContainer00000000000000000001.regtrans-ms
  324: File  (---)   C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TMContainer00000000000000000002.regtrans-ms
  32C: File  (---)   \clfs
  330: File  (---)   \clfs
  374: File  (---)   C:\Windows\System32\wfp\wfpdiag.etl
  408: File  (---)   C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
  40C: File  (---)   C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
  42C: File  (---)   C:\Windows\System32\SLsvc.exe
  434: File  (---)   C:\Windows\System32\ntdll.dll
  43C: File  (---)   C:\Windows\System32\kernel32.dll
  444: File  (---)   C:\Windows\System32\advapi32.dll
  44C: File  (---)   C:\Windows\System32\rpcrt4.dll
  454: File  (---)   C:\Windows\System32\msvcrt.dll
  45C: File  (---)   C:\Windows\System32\SLC.dll
  464: File  (---)   C:\Windows\System32\user32.dll
  46C: File  (---)   C:\Windows\System32\gdi32.dll
  474: File  (---)   C:\Windows\System32\dnsapi.dll
  47C: File  (---)   C:\Windows\System32\ws2_32.dll
  484: File  (---)   C:\Windows\System32\nsi.dll
  48C: File  (---)   C:\Windows\System32\imm32.dll
  494: File  (---)   C:\Windows\System32\msctf.dll
  49C: File  (---)   C:\Windows\System32\lpk.dll
  4A4: File  (---)   C:\Windows\System32\usp10.dll
  4AC: File  (---)   C:\Windows\System32\rsaenh.dll
  550: File  (---)   C:\Windows\System32\wbem\Logs\WMITracing.log
  564: File  (---)   C:\Windows\System32\config\RegBack\SECURITY
  668: File  (---)   C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001
  66C: File  (---)   C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002
  670: File  (---)   C:\Windows\System32\Msdtc\KtmRmTm.blf
  674: File  (---)   C:\Windows\System32\spool\SpoolerETW.etl
  678: File  (---)   \clfs
  67C: File  (---)   \clfs
  688: File  (---)   \clfs
  68C: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{e34238fe-7e29-11de-b667-080027000246}.TM.blf
  690: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
  698: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
  69C: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
  6A0: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{e34238fe-7e29-11de-b667-080027000246}.TMContainer00000000000000000001.regtrans-ms
  6A4: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{e34238fe-7e29-11de-b667-080027000246}.TMContainer00000000000000000002.regtrans-ms
  6AC: File  (---)   \clfs
  6B8: File  (---)   \clfs
  6BC: File  (---)   C:\Windows\System32\config\RegBack\SYSTEM
  6D4: File  (---)   C:\Windows\System32\Msdtc\Trace\dtctrace.log
  6D8: File  (---)   \clfs
  6E0: File  (---)   C:\Users\Administrator\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TMContainer00000000000000000002.regtrans-ms
  6E4: File  (---)   C:\Users\Administrator\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TMContainer00000000000000000001.regtrans-ms
  6E8: File  (---)   C:\Users\Administrator\NTUSER.DAT
  6EC: File  (---)   C:\Users\Administrator\ntuser.dat.LOG2
  6F0: File  (---)   C:\Users\Administrator\NTUSER.DAT{7d5ec63a-c5bc-11dc-a02b-0019bbe6a65a}.TM.blf
  6F4: File  (---)   C:\Users\Administrator\ntuser.dat.LOG1
  71C: File  (---)   C:
  720: File  (---)   C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT.LOG2
  730: File  (---)   C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
  734: File  (---)   C:\Windows\System32\config\RegBack\COMPONENTS
  744: File  (---)   C:\
  748: File  (---)   C:
  750: File  (---)   C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT.LOG1
  754: File  (---)   C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{804f48ec-c682-11dc-901d-b3d7e32f3e9f}.TMContainer00000000000000000002.regtrans-ms
  758: File  (---)   C:\Windows
  760: File  (---)   C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{804f48ec-c682-11dc-901d-b3d7e32f3e9f}.TM.blf
  764: File  (---)   C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT{804f48ec-c682-11dc-901d-b3d7e32f3e9f}.TMContainer00000000000000000001.regtrans-ms
  76C: File  (---)   \clfs
  77C: File  (---)   \clfs
  7DC: File  (---)   C:\Windows\System32\config\RegBack\DEFAULT
  7F0: File  (---)   C:\Windows\System32\config\RegBack\SAM
  810: File  (---)   C:\Windows\System32\config\RegBack\SOFTWARE
  850: File  (---)   \clfs
  854: File  (---)   C:\Windows\System32\config\TxR\{7d5ec649-c5bc-11dc-a02b-0019bbe6a65a}.TxR.2.regtrans-ms
  858: File  (---)   C:\Windows\System32\config\TxR\{7d5ec649-c5bc-11dc-a02b-0019bbe6a65a}.TxR.1.regtrans-ms
  85C: File  (---)   C:\Windows\System32\config\TxR\{7d5ec649-c5bc-11dc-a02b-0019bbe6a65a}.TxR.0.regtrans-ms
  87C: File  (---)   C:\Windows\System32\config\TxR\{7d5ec649-c5bc-11dc-a02b-0019bbe6a65a}.TxR.blf
------------------------------------------------------------------------------
smss.exe pid: 396 NT AUTHORITY\SYSTEM
    4: File  (---)   C:\Windows
------------------------------------------------------------------------------
csrss.exe pid: 464 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   28: Section       \Windows\SharedSection
   4C: File  (---)   C:\Windows\System32\en-US\csrss.exe.mui
  11C: File  (---)   C:\Windows\System32\ega.cpi
  150: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
csrss.exe pid: 508 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   28: Section       \Sessions\1\Windows\SharedSection
  27C: File  (---)   C:\Windows\System32\ega.cpi
  2AC: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
wininit.exe pid: 532 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   68: Section       \RPC Control\DSEC214
   94: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
winlogon.exe pid: 544 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   70: Section       \RPC Control\DSEC220
   9C: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
services.exe pid: 592 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
  100: Section       \RPC Control\DSEC250
------------------------------------------------------------------------------
lsass.exe pid: 604 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   98: Section       \BaseNamedObjects\Debug.Memory.25c
   C8: Section       \LsaPerformance
  208: Section       \BaseNamedObjects\Debug.Trace.Memory.25c
  2E4: File  (---)   C:\Windows\Debug\PASSWD.LOG
  37C: Section       \RPC Control\DSEC25c
  8E8: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials
  8EC: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Credentials
------------------------------------------------------------------------------
lsm.exe pid: 612 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   84: Section       \RPC Control\DSEC264
------------------------------------------------------------------------------
svchost.exe pid: 772 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   64: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  254: Section       \RPC Control\DSEC304
  3E0: Section       \BaseNamedObjects\__ComCatalogCache__
  410: Section       \BaseNamedObjects\RotHintTable
  418: Section       \BaseNamedObjects\{A64C7F33-DA35-459b-96CA-63B51FB0CDB9}
  428: Section       \BaseNamedObjects\__ComCatalogCache__
  42C: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
VBoxService.exe pid: 816 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
------------------------------------------------------------------------------
svchost.exe pid: 848 NT AUTHORITY\NETWORK SERVICE
    8: File  (---)   C:\Windows\System32
   74: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  16C: Section       \RPC Control\DSEC350
  28C: Section       \BaseNamedObjects\__ComCatalogCache__
  290: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 884 NT AUTHORITY\LOCAL SERVICE
    8: File  (---)   C:\Windows\System32
   74: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
   80: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx
   DC: Section       \RPC Control\DSEC374
  168: File  (---)   C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  170: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
  174: File  (---)   C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  17C: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx
  194: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx
  1C4: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
  204: File  (---)   C:\Windows\System32\winevt\Logs\System.evtx
  218: File  (---)   C:\Windows\System32\winevt\Logs\Application.evtx
  284: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
  288: File  (---)   C:\Windows\System32\winevt\Logs\Security.evtx
  298: File  (---)   C:\Windows\System32\winevt\Logs\Internet Explorer.evtx
  2A0: File  (---)   C:\Windows\System32\winevt\Logs\Key Management Service.evtx
  2C0: File  (---)   C:\Windows\System32\winevt\Logs\HardwareEvents.evtx
  2C8: File  (---)   C:\Windows\System32\winevt\Logs\DNS Server.evtx
  3E0: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
  3E4: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Metrics.evtx
  3FC: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx
  408: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx
  430: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
  440: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx
  470: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-ServerManager%4Operational.evtx
  480: File  (---)   C:\Windows\System32\winevt\Logs\Setup.evtx
  4E4: File  (---)   C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx
------------------------------------------------------------------------------
svchost.exe pid: 964 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  130: Section       \RPC Control\DSEC3c4
  208: Section       \BaseNamedObjects\__ComCatalogCache__
  218: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
svchost.exe pid: 976 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  10C: Section       \RPC Control\DSEC3d0
  144: Section       \BaseNamedObjects\SENS Information Cache
  1A4: Section       \BaseNamedObjects\__ComCatalogCache__
  1BC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6001.18000_none_886786f450a74a05
  1DC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  318: File  (---)   C:\Windows\Tasks\SCHEDLGU.TXT
  338: File  (---)   C:
  340: File  (---)   C:\Windows\Tasks
  450: File  (---)   C:\Windows\System32\wbem\MOF
  59C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  5A8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  5F8: Section       \BaseNamedObjects\SqmData_FwtSqmSession10_S-1-5-18
  61C: Section       \BaseNamedObjects\__ComCatalogCache__
  64C: Section       \BaseNamedObjects\MMF_BITS_s
  704: File  (---)   C:\Windows\System32\wbem\Repository\MAPPING2.MAP
  708: File  (---)   C:\Windows\System32\wbem\Repository\MAPPING1.MAP
  70C: File  (---)   C:\Windows\System32\wbem\Repository\OBJECTS.DATA
  710: File  (---)   C:\Windows\System32\wbem\Repository\INDEX.BTR
  72C: Section       \BaseNamedObjects\windows_shell_global_counters
  758: Section       \BaseNamedObjects\Wmi Provider Sub System Counters
  A60: File  (---)   C:\Windows\SoftwareDistribution\ReportingEvents.log
  A70: File  (---)   C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
  A74: File  (---)   C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
  AD0: File  (---)   C:\Windows\WindowsUpdate.log
  AD4: File  (---)   C:\Windows\WindowsUpdate.log
  AD8: File  (---)   C:\Windows\WindowsUpdate.log
  ADC: File  (---)   C:\Windows\WindowsUpdate.log
  AE0: File  (---)   C:\Windows\WindowsUpdate.log
  AE4: File  (---)   C:\Windows\WindowsUpdate.log
  AE8: File  (---)   C:\Windows\WindowsUpdate.log
  AEC: File  (---)   C:\Windows\WindowsUpdate.log
  AF0: File  (---)   C:\Windows\WindowsUpdate.log
  AF4: File  (---)   C:\Windows\WindowsUpdate.log
  AF8: File  (---)   C:\Windows\WindowsUpdate.log
  AFC: File  (---)   C:\Windows\WindowsUpdate.log
  B00: File  (---)   C:\Windows\WindowsUpdate.log
  B04: File  (---)   C:\Windows\WindowsUpdate.log
  B08: File  (---)   C:\Windows\WindowsUpdate.log
  B0C: File  (---)   C:\Windows\WindowsUpdate.log
  B10: File  (---)   C:\Windows\WindowsUpdate.log
  B14: File  (---)   C:\Windows\WindowsUpdate.log
  B18: File  (---)   C:\Windows\WindowsUpdate.log
  B1C: File  (---)   C:\Windows\WindowsUpdate.log
  B20: File  (---)   C:\Windows\WindowsUpdate.log
  B24: File  (---)   C:\Windows\WindowsUpdate.log
  B28: File  (---)   C:\Windows\WindowsUpdate.log
  B2C: File  (---)   C:\Windows\WindowsUpdate.log
  B30: File  (---)   C:\Windows\WindowsUpdate.log
  B34: File  (---)   C:\Windows\WindowsUpdate.log
  B38: File  (---)   C:\Windows\WindowsUpdate.log
  B3C: File  (---)   C:\Windows\WindowsUpdate.log
  B40: File  (---)   C:\Windows\WindowsUpdate.log
  B44: File  (---)   C:\Windows\WindowsUpdate.log
  C40: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  D9C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  DB8: File  (---)   C:\Windows\System32\en-US\rastls.dll.mui
  DBC: File  (---)   C:\Windows\System32\en-US\raschap.dll.mui
------------------------------------------------------------------------------
SLsvc.exe pid: 996 NT AUTHORITY\NETWORK SERVICE
    8: File  (---)   C:\Windows\System32
   94: Section       \RPC Control\DSEC3e4
   C0: File  (---)   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
   D8: File  (---)   C:\Windows\System32
------------------------------------------------------------------------------
svchost.exe pid: 1056 NT AUTHORITY\LOCAL SERVICE
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
   EC: Section       \RPC Control\DSEC420
  104: Section       \BaseNamedObjects\__ComCatalogCache__
  3C8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  3CC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  448: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  494: Section       \BaseNamedObjects\__ComCatalogCache__
  4A0: Section       \BaseNamedObjects\RotHintTable
------------------------------------------------------------------------------
svchost.exe pid: 1140 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  130: File  (---)   C:
  148: Section       \RPC Control\DSEC474
  16C: File  (---)   C:\$Extend\$ObjId
  180: File  (---)   C:\System Volume Information\tracking.log
  22C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  244: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  25C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  284: Section       \BaseNamedObjects\__ComCatalogCache__
  2C4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  2E8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  308: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  334: Section       \BaseNamedObjects\windows_shell_global_counters
  388: Section       \BaseNamedObjects\__ComCatalogCache__
  3F4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3
------------------------------------------------------------------------------
svchost.exe pid: 1168 NT AUTHORITY\NETWORK SERVICE
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  128: Section       \RPC Control\DSEC490
  154: File  (---)   C:\Windows\System32\drivers\etc
  22C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  264: File  (---)   C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
  3E0: Section       \BaseNamedObjects\__ComCatalogCache__
  434: Section       \BaseNamedObjects\__ComCatalogCache__
  55C: File  (---)   C:\Windows\System32\catroot2\edb.log
  588: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  594: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  608: File  (---)   C:\Windows\System32\en-US\WsmRes.dll.mui
  77C: File  (---)   C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  7FC: File  (---)   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My
  848: Section       \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
svchost.exe pid: 1292 NT AUTHORITY\LOCAL SERVICE
    8: File  (---)   C:\Windows\System32
   C8: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
   EC: Section       \RPC Control\DSEC50c
  1A0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  36C: Section       \BaseNamedObjects\__ComCatalogCache__
  370: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
spoolsv.exe pid: 1432 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   94: Section       \RPC Control\DSEC598
  1C4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  1E0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  2B4: Section       \BaseNamedObjects\__ComCatalogCache__
  2BC: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
dns.exe pid: 1472 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   38: File  (---)   C:\Windows\System32\en-US\dns.exe.mui
   70: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   9C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   A8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  12C: Section       \BaseNamedObjects\Microsoft.Windows.DNS.Perf
  130: File  (---)   C:\Windows\System32\dns\dns.log
  1C4: Section       \RPC Control\DSEC5c0
------------------------------------------------------------------------------
svchost.exe pid: 1512 NT AUTHORITY\NETWORK SERVICE
    8: File  (---)   C:\Windows\System32
   6C: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  128: Section       \BaseNamedObjects\__ComCatalogCache__
  130: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  1E0: Section       \RPC Control\DSEC5e8
------------------------------------------------------------------------------
svchost.exe pid: 1532 NT AUTHORITY\LOCAL SERVICE
    8: File  (---)   C:\Windows\System32
   6C: Section       \RPC Control\DSEC5fc
   BC: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
------------------------------------------------------------------------------
svchost.exe pid: 1564 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   84: Section       \...\WerTargetListTable
   A0: File  (---)   C:\Windows\System32
   E0: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  120: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  13C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  140: Section       \BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
taskeng.exe pid: 1948 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   58: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  118: Section       \RPC Control\DSEC79c
  130: Section       \BaseNamedObjects\__ComCatalogCache__
  168: Section       \BaseNamedObjects\__ComCatalogCache__
  1D0: File  (---)   C:\Windows\System32
  1F8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
------------------------------------------------------------------------------
msdtc.exe pid: 1812 NT AUTHORITY\NETWORK SERVICE
    8: File  (---)   C:\Windows\System32
   38: File  (---)   C:\Windows\System32\en-US\msdtc.exe.mui
   90: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   AC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   B8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  17C: Section       \RPC Control\DSEC714
  224: Section       \BaseNamedObjects\MSDTC_STATS_FILE
  268: File  (---)   C:\Windows\System32\Msdtc\MSDTC.LOG
  288: File  (---)   C:\Windows\System32\en-US\msdtcVSp1res.dll.mui
  28C: Section       \BaseNamedObjects\__ComCatalogCache__
  294: Section       \BaseNamedObjects\__ComCatalogCache__
------------------------------------------------------------------------------
taskeng.exe pid: 2028 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   58: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  118: Section       \RPC Control\DSEC7ec
  130: Section       \BaseNamedObjects\__ComCatalogCache__
  178: Section       \BaseNamedObjects\__ComCatalogCache__
  248: File  (---)   C:\Windows\System32
  270: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  2F0: Section       \Sessions\1\BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-972268749-3273389209-3774546691-500
------------------------------------------------------------------------------
dwm.exe pid: 1980 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Windows\System32
   68: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   CC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  16C: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  170: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
------------------------------------------------------------------------------
explorer.exe pid: 936 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Windows\System32
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3
   40: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   5C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   88: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   B8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   E8: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
   F0: Section       \BaseNamedObjects\__ComCatalogCache__
  140: Section       \RPC Control\DSEC3a8
  168: File  (---)   C:\ProgramData\Microsoft\Windows\Start Menu
  180: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  18C: Section       \BaseNamedObjects\__ComCatalogCache__
  1B8: Section       \BaseNamedObjects\windows_shell_global_counters
  1F8: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn
  208: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn
  250: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  25C: File  (---)   C:\Users\Administrator\Desktop
  26C: File  (---)   C:\Users\Administrator\Desktop
  2A8: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
  2C4: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\GameExplorer
  2FC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  318: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  330: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
  338: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
  358: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
  36C: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Local_Microsoft_Windows_History_History.IE5_index.dat_16384
  37C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  380: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  3A4: File  (---)   C:\Windows\System32\en-US\imageres.dll.mui
  3CC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9\comctl32.dll.mui
  3D0: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Roaming_Microsoft_Windows_Cookies_index.dat_16384
  3E8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  40C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  414: Section       \Sessions\1\BaseNamedObjects\UrlZonesSM_Administrator
  41C: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
  420: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_index.dat_65536
  428: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  430: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9
  46C: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
  500: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
  508: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
  558: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  578: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  580: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
  5F0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  5F4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  5F8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  6E0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  6E8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  710: File  (---)   C:\ProgramData\Microsoft\Windows\Start Menu
  718: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
  784: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  7B0: File  (---)   C:\Windows\System32\en-US\timedate.cpl.mui
  808: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\GameExplorer
------------------------------------------------------------------------------
VBoxTray.exe pid: 1816 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Windows\System32
   3C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   58: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   94: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
------------------------------------------------------------------------------
wuauclt.exe pid: 2272 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Windows\System32
   5C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   68: File  (---)   C:\Windows\WindowsUpdate.log
   6C: File  (---)   C:\Windows\WindowsUpdate.log
   70: File  (---)   C:\Windows\WindowsUpdate.log
   74: File  (---)   C:\Windows\WindowsUpdate.log
   78: File  (---)   C:\Windows\WindowsUpdate.log
   7C: File  (---)   C:\Windows\WindowsUpdate.log
   80: File  (---)   C:\Windows\WindowsUpdate.log
   84: File  (---)   C:\Windows\WindowsUpdate.log
   88: File  (---)   C:\Windows\WindowsUpdate.log
   8C: File  (---)   C:\Windows\WindowsUpdate.log
   90: File  (---)   C:\Windows\WindowsUpdate.log
   94: File  (---)   C:\Windows\WindowsUpdate.log
   98: File  (---)   C:\Windows\WindowsUpdate.log
   9C: File  (---)   C:\Windows\WindowsUpdate.log
   A0: File  (---)   C:\Windows\WindowsUpdate.log
   A4: File  (---)   C:\Windows\WindowsUpdate.log
   A8: File  (---)   C:\Windows\WindowsUpdate.log
   AC: File  (---)   C:\Windows\WindowsUpdate.log
   B0: File  (---)   C:\Windows\WindowsUpdate.log
   B4: File  (---)   C:\Windows\WindowsUpdate.log
   B8: File  (---)   C:\Windows\WindowsUpdate.log
   BC: File  (---)   C:\Windows\WindowsUpdate.log
   C0: File  (---)   C:\Windows\WindowsUpdate.log
   C4: File  (---)   C:\Windows\WindowsUpdate.log
   C8: File  (---)   C:\Windows\WindowsUpdate.log
   CC: File  (---)   C:\Windows\WindowsUpdate.log
   D0: File  (---)   C:\Windows\WindowsUpdate.log
   D4: File  (---)   C:\Windows\WindowsUpdate.log
   D8: File  (---)   C:\Windows\WindowsUpdate.log
   DC: File  (---)   C:\Windows\WindowsUpdate.log
   F4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  138: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  148: Section       \BaseNamedObjects\__ComCatalogCache__
  150: Section       \BaseNamedObjects\__ComCatalogCache__
  178: Section       \RPC Control\DSEC8e0
  1BC: File  (---)   C:\Windows\WindowsUpdate.log
  1C0: File  (---)   C:\Windows\WindowsUpdate.log
  1C4: File  (---)   C:\Windows\WindowsUpdate.log
  1C8: File  (---)   C:\Windows\WindowsUpdate.log
  1CC: File  (---)   C:\Windows\WindowsUpdate.log
  1D0: File  (---)   C:\Windows\WindowsUpdate.log
  1D4: File  (---)   C:\Windows\WindowsUpdate.log
  1D8: File  (---)   C:\Windows\WindowsUpdate.log
  1DC: File  (---)   C:\Windows\WindowsUpdate.log
  1E0: File  (---)   C:\Windows\WindowsUpdate.log
  1E4: File  (---)   C:\Windows\WindowsUpdate.log
  1E8: File  (---)   C:\Windows\WindowsUpdate.log
  1EC: File  (---)   C:\Windows\WindowsUpdate.log
  1F0: File  (---)   C:\Windows\WindowsUpdate.log
  1F4: File  (---)   C:\Windows\WindowsUpdate.log
  1F8: File  (---)   C:\Windows\WindowsUpdate.log
  1FC: File  (---)   C:\Windows\WindowsUpdate.log
  200: File  (---)   C:\Windows\WindowsUpdate.log
  204: File  (---)   C:\Windows\WindowsUpdate.log
  208: File  (---)   C:\Windows\WindowsUpdate.log
  20C: File  (---)   C:\Windows\WindowsUpdate.log
  210: File  (---)   C:\Windows\WindowsUpdate.log
  214: File  (---)   C:\Windows\WindowsUpdate.log
  218: File  (---)   C:\Windows\WindowsUpdate.log
  21C: File  (---)   C:\Windows\WindowsUpdate.log
  220: File  (---)   C:\Windows\WindowsUpdate.log
  224: File  (---)   C:\Windows\WindowsUpdate.log
  228: File  (---)   C:\Windows\WindowsUpdate.log
  22C: File  (---)   C:\Windows\WindowsUpdate.log
  230: File  (---)   C:\Windows\WindowsUpdate.log
------------------------------------------------------------------------------
svchost.exe pid: 3968 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   64: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
   88: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   A4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  134: File  (---)   C:\Windows\System32\inetsrv\config
  144: Section       \BaseNamedObjects\__ComCatalogCache__
  150: Section       \BaseNamedObjects\__ComCatalogCache__
  178: Section       \RPC Control\DSECf80
  180: File  (---)   C:\Windows\System32\inetsrv\config
  1D4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  1D8: File  (---)   C:\Windows\System32\inetsrv\config\schema
  1E8: File  (---)   C:\Windows\System32\inetsrv\config\schema
  1F4: File  (---)   C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
  1F8: File  (---)   C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
  1FC: File  (---)   C:\Windows\System32\inetsrv\config
------------------------------------------------------------------------------
svchost.exe pid: 3352 NT AUTHORITY\SYSTEM
    8: File  (---)   C:\Windows\System32
   60: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
  11C: Section       \BaseNamedObjects\__ComCatalogCache__
  120: Section       \BaseNamedObjects\__ComCatalogCache__
  128: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  134: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  144: File  (---)   C:\Windows\System32\inetsrv\config\schema
  154: File  (---)   C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
  158: File  (---)   C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
  15C: File  (---)   C:\Windows\System32\inetsrv\config
  190: File  (---)   C:\inetpub\temp\appPools\APC22A2.tmp
  1A4: Section       \RPC Control\DSECd18
  1D4: Section       \BaseNamedObjects\IISCounterControlBlock-46382a23-095e-4559-8d63-6fdeaf552c23
  1DC: Section       \BaseNamedObjects\IISCacheCounters-cdffa192-d601-486c-947f-0e3a997a700e
  1E0: Section       \BaseNamedObjects\IISCacheCounters-d8d9bc68-b099-445b-bc9c-41d9a7dc8b67
  1E4: Section       \BaseNamedObjects\IISSitesCounters-0ff1c042-12f4-413d-b61c-13d418f98cfd
  1E8: Section       \BaseNamedObjects\IISSitesCounters-db3ee32d-f4f8-4523-972a-3e1de7ea986d
  1F4: Section       \BaseNamedObjects\ASP_PERFMON_MAIN_BLOCK
  21C: File  (---)   C:\Windows\System32\inetsrv\config
------------------------------------------------------------------------------
svchost.exe pid: 1004 NT AUTHORITY\NETWORK SERVICE
    8: File  (---)   C:\Windows\System32
   64: File  (---)   C:\Windows\System32\en-US\svchost.exe.mui
   88: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   A4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   B0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  114: Section       \RPC Control\DSEC3ec
  1D4: File  (---)   C:\Windows\System32\en-US\setupapi.dll.mui
  38C: File  (---)   C:\Windows\System32\en-US\hidphone.tsp.mui
------------------------------------------------------------------------------
cmd.exe pid: 3232 WIN-71P82PQYDRP\Administrator
   3C: File  (---)   C:\Windows\System32\en-US\cmd.exe.mui
   44: File  (---)   C:\Users\Administrator\out1.txt
   5C: File  (---)   C:\Users\Administrator\Downloads
------------------------------------------------------------------------------
notepad.exe pid: 1744 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Users\Administrator
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   38: File  (---)   C:\Windows\System32\en-US\notepad.exe.mui
   44: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   60: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   A8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   AC: File  (---)   C:\Windows\System32\en-US\msctf.dll.mui
   C0: Section       \BaseNamedObjects\__ComCatalogCache__
   C8: Section       \BaseNamedObjects\__ComCatalogCache__
   D0: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
   E8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   EC: File  (---)   C:\Windows\System32\en-US\comdlg32.dll.mui
   F0: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
   F4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   FC: File  (---)   C:\Windows\System32\en-US\shell32.dll.mui
  11C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  13C: File  (---)   C:\Windows\System32\en-US\browseui.dll.mui
  160: Section       \BaseNamedObjects\windows_shell_global_counters
  164: File  (---)   C:\Windows\System32\en-US\setupapi.dll.mui
  1D8: Section       \RPC Control\DSEC6d0
  200: File  (---)   C:\Windows\System32\en-US\propsys.dll.mui
  224: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  230: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  26C: File  (---)   C:\Windows\System32\en-US\shdocvw.dll.mui
  274: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  2B0: File  (---)   C:\Windows\System32\en-US\ieframe.dll.mui
  2B8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  2D8: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
------------------------------------------------------------------------------
notepad.exe pid: 3204 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Users\Administrator\Documents
    C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   38: File  (---)   C:\Windows\System32\en-US\notepad.exe.mui
   44: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   60: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   A8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   AC: File  (---)   C:\Windows\System32\en-US\msctf.dll.mui
   C0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9
   C4: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9\comctl32.dll.mui
   C8: Section       \BaseNamedObjects\__ComCatalogCache__
   D0: Section       \BaseNamedObjects\__ComCatalogCache__
   D8: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
   F0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   F4: File  (---)   C:\Windows\System32\en-US\comdlg32.dll.mui
   F8: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
   FC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  104: File  (---)   C:\Windows\System32\en-US\shell32.dll.mui
  124: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  144: File  (---)   C:\Windows\System32\en-US\browseui.dll.mui
  168: Section       \BaseNamedObjects\windows_shell_global_counters
  18C: File  (---)   C:\Windows\System32\en-US\setupapi.dll.mui
  1E0: Section       \RPC Control\DSECc84
  1FC: File  (---)   C:\Windows\System32\en-US\propsys.dll.mui
  234: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  238: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  278: File  (---)   C:\Windows\System32\en-US\shdocvw.dll.mui
  2BC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
------------------------------------------------------------------------------
iexplore.exe pid: 2752 WIN-71P82PQYDRP\Administrator
   34: File  (---)   C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
   40: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   5C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   8C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   F8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   FC: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  100: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
  10C: File  (---)   C:\Windows\System32\en-US\shdocvw.dll.mui
  13C: Section       \RPC Control\DSECac0
  160: File  (---)   C:\Windows\System32\en-US\ieframe.dll.mui
  16C: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6001.18000_none_886786f450a74a05
  1A8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3
  1E0: Section       \Sessions\1\BaseNamedObjects\UrlZonesSM_Administrator
  1EC: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XPNT55ZX\ActivePerl-faq2[1].htm
  1F8: Section       \BaseNamedObjects\__ComCatalogCache__
  200: Section       \BaseNamedObjects\__ComCatalogCache__
  20C: File  (---)   C:\Windows\System32\en-US\msctf.dll.mui
  240: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  260: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
  264: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Local_Microsoft_Windows_Temporary Internet Files_Content.IE5_index.dat_98304
  26C: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
  270: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Roaming_Microsoft_Windows_Cookies_index.dat_32768
  278: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
  27C: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Local_Microsoft_Windows_History_History.IE5_index.dat_49152
  280: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  2D4: File  (---)   C:\Windows\System32\en-US\urlmon.dll.mui
  35C: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
  360: Section       \Sessions\1\BaseNamedObjects\SmartScreen_UrsCache_B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8FHigh_S-1-5-32-544
  3D0: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  41C: Section       \BaseNamedObjects\windows_shell_global_counters
  474: File  (---)   C:\Windows\System32\en-US\mshtml.dll.mui
  484: File  (---)   C:\Windows\System32\en-US\setupapi.dll.mui
  4B4: File  (---)   C:\Windows\System32\en-US\shell32.dll.mui
  5CC: Section       \Sessions\1\BaseNamedObjects\SmartScreen_UrsCache_B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8FHigh_S-1-5-32-544
  5E0: File  (---)   C:\Users\Administrator\Favorites
  5F8: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Local_Microsoft_Windows_History_History.IE5_MSHist012010011220100113_index.dat_32768
  5FC: File  (---)   C:\Windows\System32\en-US\mshtmled.dll.mui
  604: File  (---)   C:\Windows\System32\en-US\crypt32.dll.mui
  730: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My
  788: File  (---)   C:\Windows\System32\en-US\jscript.dll.mui
  794: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GX8M2SEP\default[1].htm
  7BC: File  (---)   C:\Windows\System32\mshtml.tlb
  7C8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  7CC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9
  7DC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.6001.18000_en-us_72e6f33f34dfabb9\comctl32.dll.mui
  7E0: File  (---)   C:\Windows\System32\en-US\mlang.dll.mui
  804: File  (---)   C:\Windows\System32\en-US\ddraw.dll.mui
  834: Section       \BaseNamedObjects\RotHintTable
  83C: File  (---)   C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1434_none_d08b6002442c891f
  840: File  (---)   C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1434_none_d08b6002442c891f
  844: File  (---)   C:\Windows\System32\dxtmsft.dll
  84C: File  (---)   C:\Windows\System32\dxtrans.dll
  870: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
  880: File  (---)   C:\Windows\System32\en-US\comdlg32.dll.mui
  888: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  894: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  8A8: Section       \Sessions\1\BaseNamedObjects\SmartScreen_UrsCache_B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8FHigh_S-1-5-32-544
  8CC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  8D8: File  (---)   C:\Windows\System32\en-US\browseui.dll.mui
  8E8: File  (---)   C:\Windows\System32\en-US\kernel32.dll.mui
  8F4: File  (---)   C:\Windows\System32\en-US\propsys.dll.mui
  924: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  950: File  (---)   C:\Windows\System32\en-US\oleaccrc.dll.mui
  95C: File  (---)   C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My
  970: Section       \Sessions\1\BaseNamedObjects\MSIMGSIZECacheMap
  998: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6ME0WO0\live_sysinternals_com[1].htm
  99C: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012010011220100113\index.dat
  9AC: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
  9B4: File  (---)   C:\Windows\System32\en-US\mshtmler.dll.mui
  9F8: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XPNT55ZX\resources[1].htm
  A18: File  (---)   C:\Windows\System32\stdole2.tlb
  A44: Section       \Sessions\1\BaseNamedObjects\SmartScreen_UrsCache_B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8FHigh_S-1-5-32-544
  A58: Section       \Sessions\1\BaseNamedObjects\C:_Users_Administrator_AppData_Local_Microsoft_Feeds Cache_index.dat_32768
  A94: File  (---)   C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat
  B14: File  (---)   C:\Users\Administrator\Desktop
------------------------------------------------------------------------------
WmiPrvSE.exe pid: 2188 NT AUTHORITY\NETWORK SERVICE
    8: File  (---)   C:\Windows\System32
   D0: File  (---)   C:\Windows\System32\en-US\user32.dll.mui
  10C: Section       \BaseNamedObjects\Wmi Provider Sub System Counters
  134: Section       \BaseNamedObjects\__ComCatalogCache__
  13C: Section       \BaseNamedObjects\__ComCatalogCache__
  148: Section       \RPC Control\DSEC88c
  1CC: File  (---)   C:\Windows\System32\en-US\setupapi.dll.mui
  1E8: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
------------------------------------------------------------------------------
perl.exe pid: 3964 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Users\Administrator\Downloads
   44: File  (---)   C:\Users\Administrator\out1.txt
------------------------------------------------------------------------------
handle.exe pid: 292 WIN-71P82PQYDRP\Administrator
    8: File  (---)   C:\Users\Administrator\Downloads
   10: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.6001.18000_none_886786f450a74a05
   44: File  (---)   C:\Users\Administrator\out1.txt
   48: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
   64: File  (---)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc
**** NETWORK CONFIGURATION ****


Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-71P82PQYDRP
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 08-00-27-00-02-46
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e9fc:59ac:4d5d:da19%10(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.117(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, January 11, 2010 4:44:14 PM
   Lease Expires . . . . . . . . . . : Wednesday, January 13, 2010 6:07:59 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:1812:1b8e:3f57:fe8a(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::1812:1b8e:3f57:fe8a%11(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
**** CLIPBOARD INFORMATION ****

Clipboard = [ ]
      

PowerShell and digital forensics

PowerShell is going to make a difference in the future for Digital Forensics. While Microsoft is still as reluctant as ever to provide deep information, at least some of the tools are improving: see for instance Use PowerShell to Aid in Security Forensics.

DECC

Digital Evidence and Computer Crime, 2nd edition, by Eoghan Casey. Academic Press, 2004. ISBN 0-12-163104-4.

WFA

Windows Forensic Analysis, 2nd Edition, by Harlan Carvey. Syngress, 2009.