# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Dec 8 2017 12:07:14 # Log Creation Date: 11.12.2017 16:42:35.766 Process: id = "1" image_name = "cscript.exe" filename = "c:\\windows\\system32\\cscript.exe" page_root = "0x57e65000" os_pid = "0xf80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" " cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013d92" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2 start_va = 0x9c3c600000 end_va = 0x9c3c61ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3c600000" filename = "" Region: id = 3 start_va = 0x9c3c620000 end_va = 0x9c3c633fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3c620000" filename = "" Region: id = 4 start_va = 0x9c3c640000 end_va = 0x9c3c73ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3c640000" filename = "" Region: id = 5 start_va = 0x9c3c740000 end_va = 0x9c3c743fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3c740000" filename = "" Region: id = 6 start_va = 0x9c3c750000 end_va = 0x9c3c750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3c750000" filename = "" Region: id = 7 start_va = 0x9c3c760000 end_va = 0x9c3c761fff entry_point = 0x0 region_type = private name = "private_0x0000009c3c760000" filename = "" Region: id = 8 start_va = 0x7df5ffb70000 end_va = 0x7ff5ffb6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffb70000" filename = "" Region: id = 9 start_va = 0x7ff7cb670000 end_va = 0x7ff7cb692fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7cb670000" filename = "" Region: id = 10 start_va = 0x7ff7cb69c000 end_va = 0x7ff7cb69dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb69c000" filename = "" Region: id = 11 start_va = 0x7ff7cb69e000 end_va = 0x7ff7cb69efff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb69e000" filename = "" Region: id = 12 start_va = 0x7ff7cbfd0000 end_va = 0x7ff7cbffefff entry_point = 0x7ff7cbfd0000 region_type = mapped_file name = "cscript.exe" filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe") Region: id = 13 start_va = 0x7ffb3d310000 end_va = 0x7ffb3d4d1fff entry_point = 0x7ffb3d310000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 153 start_va = 0x9c3c7b0000 end_va = 0x9c3c8affff entry_point = 0x0 region_type = private name = "private_0x0000009c3c7b0000" filename = "" Region: id = 154 start_va = 0x7ffb3a800000 end_va = 0x7ffb3a9dcfff entry_point = 0x7ffb3a800000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 155 start_va = 0x7ffb3d260000 end_va = 0x7ffb3d30cfff entry_point = 0x7ffb3d260000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 230 start_va = 0x9c3c600000 end_va = 0x9c3c60ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3c600000" filename = "" Region: id = 231 start_va = 0x9c3c610000 end_va = 0x9c3c616fff entry_point = 0x0 region_type = private name = "private_0x0000009c3c610000" filename = "" Region: id = 232 start_va = 0x9c3c8b0000 end_va = 0x9c3c96dfff entry_point = 0x9c3c8b0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 233 start_va = 0x9c3c970000 end_va = 0x9c3ca6ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3c970000" filename = "" Region: id = 234 start_va = 0x7ff7cb570000 end_va = 0x7ff7cb66ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff7cb570000" filename = "" Region: id = 235 start_va = 0x7ff7cb69a000 end_va = 0x7ff7cb69bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb69a000" filename = "" Region: id = 236 start_va = 0x7ffb318d0000 end_va = 0x7ffb318d9fff entry_point = 0x7ffb318d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 237 start_va = 0x7ffb3bf80000 end_va = 0x7ffb3c0a5fff entry_point = 0x7ffb3bf80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 238 start_va = 0x7ffb3c2d0000 end_va = 0x7ffb3c375fff entry_point = 0x7ffb3c2d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 239 start_va = 0x7ffb3c3e0000 end_va = 0x7ffb3c564fff entry_point = 0x7ffb3c3e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 240 start_va = 0x7ffb3c650000 end_va = 0x7ffb3c79dfff entry_point = 0x7ffb3c650000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 241 start_va = 0x7ffb3c950000 end_va = 0x7ffb3c9aafff entry_point = 0x7ffb3c950000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 242 start_va = 0x7ffb3c9b0000 end_va = 0x7ffb3ca6dfff entry_point = 0x7ffb3c9b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 243 start_va = 0x7ffb3cb20000 end_va = 0x7ffb3cc60fff entry_point = 0x7ffb3cb20000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 244 start_va = 0x7ffb3cc70000 end_va = 0x7ffb3ceebfff entry_point = 0x7ffb3cc70000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 245 start_va = 0x7ffb3cf10000 end_va = 0x7ffb3cfacfff entry_point = 0x7ffb3cf10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 246 start_va = 0x9c3c770000 end_va = 0x9c3c776fff entry_point = 0x0 region_type = private name = "private_0x0000009c3c770000" filename = "" Region: id = 247 start_va = 0x9c3cb20000 end_va = 0x9c3cb2ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3cb20000" filename = "" Region: id = 248 start_va = 0x9c3cb30000 end_va = 0x9c3ccb7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3cb30000" filename = "" Region: id = 249 start_va = 0x7ffb3c290000 end_va = 0x7ffb3c2c5fff entry_point = 0x7ffb3c290000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 250 start_va = 0x7ffb3d020000 end_va = 0x7ffb3d17bfff entry_point = 0x7ffb3d020000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 251 start_va = 0x9c3c780000 end_va = 0x9c3c782fff entry_point = 0x9c3c780000 region_type = mapped_file name = "cscript.exe.mui" filename = "\\Windows\\System32\\en-US\\cscript.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cscript.exe.mui") Region: id = 252 start_va = 0x9c3c790000 end_va = 0x9c3c790fff entry_point = 0x0 region_type = private name = "private_0x0000009c3c790000" filename = "" Region: id = 253 start_va = 0x9c3c7a0000 end_va = 0x9c3c7a0fff entry_point = 0x0 region_type = private name = "private_0x0000009c3c7a0000" filename = "" Region: id = 254 start_va = 0x9c3ccc0000 end_va = 0x9c3ce40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3ccc0000" filename = "" Region: id = 255 start_va = 0x9c3ce50000 end_va = 0x9c3e24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3ce50000" filename = "" Region: id = 256 start_va = 0x9c3e250000 end_va = 0x9c3e325fff entry_point = 0x9c3e250000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 257 start_va = 0x7ffb39d60000 end_va = 0x7ffb39d6efff entry_point = 0x7ffb39d60000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 258 start_va = 0x7ffb39b90000 end_va = 0x7ffb39bfafff entry_point = 0x7ffb39b90000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 259 start_va = 0x7ffb38610000 end_va = 0x7ffb386a5fff entry_point = 0x7ffb38610000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 260 start_va = 0x9c3ca70000 end_va = 0x9c3cb1ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3ca70000" filename = "" Region: id = 261 start_va = 0x9c3e250000 end_va = 0x9c3e586fff entry_point = 0x9c3e250000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 262 start_va = 0x9c3ca70000 end_va = 0x9c3ca78fff entry_point = 0x9c3ca70000 region_type = mapped_file name = "cscript.exe" filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe") Region: id = 263 start_va = 0x9c3cb10000 end_va = 0x9c3cb1ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3cb10000" filename = "" Region: id = 264 start_va = 0x7ffb39c00000 end_va = 0x7ffb39c97fff entry_point = 0x7ffb39c00000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 265 start_va = 0x9c3e590000 end_va = 0x9c3e68ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3e590000" filename = "" Region: id = 266 start_va = 0x7ff7cb698000 end_va = 0x7ff7cb699fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb698000" filename = "" Region: id = 267 start_va = 0x9c3ca80000 end_va = 0x9c3ca80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3ca80000" filename = "" Region: id = 268 start_va = 0x9c3e690000 end_va = 0x9c3e747fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3e690000" filename = "" Region: id = 269 start_va = 0x9c3ca80000 end_va = 0x9c3ca83fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3ca80000" filename = "" Region: id = 270 start_va = 0x7ffb37f40000 end_va = 0x7ffb37f61fff entry_point = 0x7ffb37f40000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 271 start_va = 0x7ffb2ea50000 end_va = 0x7ffb2ebe6fff entry_point = 0x7ffb2ea50000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 272 start_va = 0x7ffb31aa0000 end_va = 0x7ffb31e15fff entry_point = 0x7ffb31aa0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 273 start_va = 0x7ffb39780000 end_va = 0x7ffb3978afff entry_point = 0x7ffb39780000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 274 start_va = 0x7ffb3a570000 end_va = 0x7ffb3a622fff entry_point = 0x7ffb3a570000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 275 start_va = 0x7ffb3a9f0000 end_va = 0x7ffb3aa40fff entry_point = 0x7ffb3a9f0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 276 start_va = 0x9c3ca90000 end_va = 0x9c3ca90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3ca90000" filename = "" Region: id = 277 start_va = 0x7ffb3ca70000 end_va = 0x7ffb3cb14fff entry_point = 0x7ffb3ca70000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 278 start_va = 0x9c3caa0000 end_va = 0x9c3caa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3caa0000" filename = "" Region: id = 279 start_va = 0x7ffb24160000 end_va = 0x7ffb241a3fff entry_point = 0x7ffb24160000 region_type = mapped_file name = "scrobj.dll" filename = "\\Windows\\System32\\scrobj.dll" (normalized: "c:\\windows\\system32\\scrobj.dll") Region: id = 280 start_va = 0x9c3e750000 end_va = 0x9c3e84ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3e750000" filename = "" Region: id = 281 start_va = 0x7ffb2bea0000 end_va = 0x7ffb2beaffff entry_point = 0x7ffb2bea0000 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 282 start_va = 0x7ffb3a630000 end_va = 0x7ffb3a7f0fff entry_point = 0x7ffb3a630000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 283 start_va = 0x7ffb39d40000 end_va = 0x7ffb39d50fff entry_point = 0x7ffb39d40000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 284 start_va = 0x7ffb3a460000 end_va = 0x7ffb3a4b3fff entry_point = 0x7ffb3a460000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 285 start_va = 0x9c3cab0000 end_va = 0x9c3cac7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3cab0000" filename = "" Region: id = 286 start_va = 0x7ffb39610000 end_va = 0x7ffb39626fff entry_point = 0x7ffb39610000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 287 start_va = 0x7ffb39b60000 end_va = 0x7ffb39b87fff entry_point = 0x7ffb39b60000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 288 start_va = 0x7ffb39260000 end_va = 0x7ffb39292fff entry_point = 0x7ffb39260000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 289 start_va = 0x9c3cab0000 end_va = 0x9c3cac7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3cab0000" filename = "" Region: id = 290 start_va = 0x9c3e850000 end_va = 0x9c3e94ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3e850000" filename = "" Region: id = 291 start_va = 0x7ff7cb696000 end_va = 0x7ff7cb697fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb696000" filename = "" Region: id = 292 start_va = 0x7ffb30c90000 end_va = 0x7ffb30c9bfff entry_point = 0x7ffb30c90000 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\System32\\msisip.dll" (normalized: "c:\\windows\\system32\\msisip.dll") Region: id = 293 start_va = 0x7ffb3c5e0000 end_va = 0x7ffb3c64efff entry_point = 0x7ffb3c5e0000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 294 start_va = 0x9c3e950000 end_va = 0x9c3f94ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3e950000" filename = "" Region: id = 295 start_va = 0x9c3cad0000 end_va = 0x9c3cae7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3cad0000" filename = "" Region: id = 296 start_va = 0x9c3e950000 end_va = 0x9c3ea4ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3e950000" filename = "" Region: id = 297 start_va = 0x7ff7cb694000 end_va = 0x7ff7cb695fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb694000" filename = "" Region: id = 298 start_va = 0x7ffb25f10000 end_va = 0x7ffb25f2cfff entry_point = 0x7ffb25f10000 region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\System32\\wshext.dll" (normalized: "c:\\windows\\system32\\wshext.dll") Region: id = 299 start_va = 0x7ffb240b0000 end_va = 0x7ffb24159fff entry_point = 0x7ffb240b0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll") Region: id = 300 start_va = 0x7ffb3aa50000 end_va = 0x7ffb3bf74fff entry_point = 0x7ffb3aa50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 301 start_va = 0x7ffb39de0000 end_va = 0x7ffb3a407fff entry_point = 0x7ffb39de0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 302 start_va = 0x7ffb39d90000 end_va = 0x7ffb39dd9fff entry_point = 0x7ffb39d90000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 303 start_va = 0x7ffb39d70000 end_va = 0x7ffb39d82fff entry_point = 0x7ffb39d70000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 304 start_va = 0x9c3ea50000 end_va = 0x9c3eb5ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3ea50000" filename = "" Region: id = 305 start_va = 0x9c3cad0000 end_va = 0x9c3cad6fff entry_point = 0x0 region_type = private name = "private_0x0000009c3cad0000" filename = "" Region: id = 306 start_va = 0x9c3eb60000 end_va = 0x9c3ed5ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3eb60000" filename = "" Region: id = 307 start_va = 0x9c3cab0000 end_va = 0x9c3cabffff entry_point = 0x0 region_type = private name = "private_0x0000009c3cab0000" filename = "" Region: id = 308 start_va = 0x7ffb23ce0000 end_va = 0x7ffb23dadfff entry_point = 0x7ffb23ce0000 region_type = mapped_file name = "jscript.dll" filename = "\\Windows\\System32\\jscript.dll" (normalized: "c:\\windows\\system32\\jscript.dll") Region: id = 309 start_va = 0x7ffb2d270000 end_va = 0x7ffb2d27ffff entry_point = 0x7ffb2d270000 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 310 start_va = 0x7ffb25dc0000 end_va = 0x7ffb25ddcfff entry_point = 0x7ffb25dc0000 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 311 start_va = 0x9c3ea50000 end_va = 0x9c3eb4ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3ea50000" filename = "" Region: id = 312 start_va = 0x9c3eb50000 end_va = 0x9c3eb5ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3eb50000" filename = "" Region: id = 313 start_va = 0x9c3ed60000 end_va = 0x9c3ee5ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3ed60000" filename = "" Region: id = 314 start_va = 0x9c3ee60000 end_va = 0x9c3ef5ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3ee60000" filename = "" Region: id = 315 start_va = 0x7ff7cb56a000 end_va = 0x7ff7cb56bfff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb56a000" filename = "" Region: id = 316 start_va = 0x7ff7cb56c000 end_va = 0x7ff7cb56dfff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb56c000" filename = "" Region: id = 317 start_va = 0x7ff7cb56e000 end_va = 0x7ff7cb56ffff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb56e000" filename = "" Region: id = 318 start_va = 0x7ffb23c00000 end_va = 0x7ffb23cd9fff entry_point = 0x7ffb23c00000 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll") Region: id = 319 start_va = 0x7ffb39350000 end_va = 0x7ffb3936efff entry_point = 0x7ffb39350000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 320 start_va = 0x9c3cac0000 end_va = 0x9c3cac1fff entry_point = 0x9c3cac0000 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 321 start_va = 0x7ffb38c60000 end_va = 0x7ffb38c82fff entry_point = 0x7ffb38c60000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 322 start_va = 0x9c3ef60000 end_va = 0x9c3f05ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3ef60000" filename = "" Region: id = 323 start_va = 0x9c3f060000 end_va = 0x9c3f45ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3f060000" filename = "" Region: id = 324 start_va = 0x9c3f5b0000 end_va = 0x9c3f7affff entry_point = 0x0 region_type = private name = "private_0x0000009c3f5b0000" filename = "" Region: id = 325 start_va = 0x9c3f7b0000 end_va = 0x9c3ffaffff entry_point = 0x0 region_type = private name = "private_0x0000009c3f7b0000" filename = "" Region: id = 326 start_va = 0x9c3ffb0000 end_va = 0x9c403affff entry_point = 0x0 region_type = private name = "private_0x0000009c3ffb0000" filename = "" Region: id = 327 start_va = 0x7ffb25120000 end_va = 0x7ffb25148fff entry_point = 0x7ffb25120000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 328 start_va = 0x7ffb242b0000 end_va = 0x7ffb242e4fff entry_point = 0x7ffb242b0000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 329 start_va = 0x7ffb38f70000 end_va = 0x7ffb38f8bfff entry_point = 0x7ffb38f70000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 330 start_va = 0x9c3cae0000 end_va = 0x9c3caf2fff entry_point = 0x9c3cae0000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 331 start_va = 0x9c3cac0000 end_va = 0x9c3cac2fff entry_point = 0x9c3cac0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 332 start_va = 0x9c3cb00000 end_va = 0x9c3cb08fff entry_point = 0x9c3cb00000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 333 start_va = 0x9c3cac0000 end_va = 0x9c3cac2fff entry_point = 0x9c3cac0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 334 start_va = 0x9c3cb00000 end_va = 0x9c3cb08fff entry_point = 0x9c3cb00000 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 335 start_va = 0x7ffb239c0000 end_va = 0x7ffb23bf6fff entry_point = 0x7ffb239c0000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 336 start_va = 0x9c3f460000 end_va = 0x9c3f4affff entry_point = 0x0 region_type = private name = "private_0x0000009c3f460000" filename = "" Region: id = 337 start_va = 0x9c403b0000 end_va = 0x9c404effff entry_point = 0x0 region_type = private name = "private_0x0000009c403b0000" filename = "" Region: id = 338 start_va = 0x9c3f4b0000 end_va = 0x9c3f50ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3f4b0000" filename = "" Region: id = 339 start_va = 0x9c404f0000 end_va = 0x9c406cffff entry_point = 0x0 region_type = private name = "private_0x0000009c404f0000" filename = "" Region: id = 340 start_va = 0x9c406d0000 end_va = 0x9c408bffff entry_point = 0x0 region_type = private name = "private_0x0000009c406d0000" filename = "" Region: id = 341 start_va = 0x9c403b0000 end_va = 0x9c4048efff entry_point = 0x9c403b0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 342 start_va = 0x9c404e0000 end_va = 0x9c404effff entry_point = 0x0 region_type = private name = "private_0x0000009c404e0000" filename = "" Region: id = 343 start_va = 0x9c408c0000 end_va = 0x9c40cbffff entry_point = 0x0 region_type = private name = "private_0x0000009c408c0000" filename = "" Region: id = 344 start_va = 0x9c3cac0000 end_va = 0x9c3cac0fff entry_point = 0x9c3cac0000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 345 start_va = 0x7ffb2e5a0000 end_va = 0x7ffb2e846fff entry_point = 0x7ffb2e5a0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 346 start_va = 0x7ffb26110000 end_va = 0x7ffb2614cfff entry_point = 0x7ffb26110000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 347 start_va = 0x7ffb39960000 end_va = 0x7ffb3998bfff entry_point = 0x7ffb39960000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 348 start_va = 0x9c3cb00000 end_va = 0x9c3cb00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3cb00000" filename = "" Region: id = 349 start_va = 0x9c3f460000 end_va = 0x9c3f460fff entry_point = 0x9c3f460000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 350 start_va = 0x9c3f4a0000 end_va = 0x9c3f4affff entry_point = 0x0 region_type = private name = "private_0x0000009c3f4a0000" filename = "" Region: id = 351 start_va = 0x7ffb3c570000 end_va = 0x7ffb3c5d8fff entry_point = 0x7ffb3c570000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 352 start_va = 0x7ffb3a9e0000 end_va = 0x7ffb3a9e7fff entry_point = 0x7ffb3a9e0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 353 start_va = 0x7ffb2ec80000 end_va = 0x7ffb2ec94fff entry_point = 0x7ffb2ec80000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 354 start_va = 0x7ffb373f0000 end_va = 0x7ffb373fafff entry_point = 0x7ffb373f0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 355 start_va = 0x7ffb37410000 end_va = 0x7ffb37447fff entry_point = 0x7ffb37410000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 356 start_va = 0x7ffb333f0000 end_va = 0x7ffb334c5fff entry_point = 0x7ffb333f0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 357 start_va = 0x7ffb395b0000 end_va = 0x7ffb3960cfff entry_point = 0x7ffb395b0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 358 start_va = 0x9c3f470000 end_va = 0x9c3f470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3f470000" filename = "" Region: id = 359 start_va = 0x7ffb393b0000 end_va = 0x7ffb39457fff entry_point = 0x7ffb393b0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 360 start_va = 0x9c3f480000 end_va = 0x9c3f481fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3f480000" filename = "" Region: id = 361 start_va = 0x9c3f480000 end_va = 0x9c3f48ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3f480000" filename = "" Region: id = 362 start_va = 0x7ffb308c0000 end_va = 0x7ffb308c9fff entry_point = 0x7ffb308c0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 363 start_va = 0x7ffb361e0000 end_va = 0x7ffb36247fff entry_point = 0x7ffb361e0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 364 start_va = 0x9c3f490000 end_va = 0x9c3f491fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3f490000" filename = "" Region: id = 365 start_va = 0x7ffb34cc0000 end_va = 0x7ffb34f33fff entry_point = 0x7ffb34cc0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 366 start_va = 0x9c3f4b0000 end_va = 0x9c3f4b2fff entry_point = 0x9c3f4b0000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 367 start_va = 0x9c3f4c0000 end_va = 0x9c3f4c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c3f4c0000" filename = "" Region: id = 368 start_va = 0x9c3f500000 end_va = 0x9c3f50ffff entry_point = 0x0 region_type = private name = "private_0x0000009c3f500000" filename = "" Region: id = 369 start_va = 0x7ffb390e0000 end_va = 0x7ffb39153fff entry_point = 0x7ffb390e0000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 370 start_va = 0x9c3f4d0000 end_va = 0x9c3f4d0fff entry_point = 0x0 region_type = private name = "private_0x0000009c3f4d0000" filename = "" Region: id = 371 start_va = 0x7ffb25e30000 end_va = 0x7ffb25e43fff entry_point = 0x7ffb25e30000 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 372 start_va = 0x7ffb39810000 end_va = 0x7ffb39845fff entry_point = 0x7ffb39810000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 373 start_va = 0x7ffb39850000 end_va = 0x7ffb39875fff entry_point = 0x7ffb39850000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 374 start_va = 0x7ffb39160000 end_va = 0x7ffb39169fff entry_point = 0x7ffb39160000 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 375 start_va = 0x9c3f4d0000 end_va = 0x9c3f4d9fff entry_point = 0x9c3f4d0000 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 376 start_va = 0x7ffb23810000 end_va = 0x7ffb2383efff entry_point = 0x7ffb23810000 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 377 start_va = 0x7ffb3cfc0000 end_va = 0x7ffb3d01afff entry_point = 0x7ffb3cfc0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 378 start_va = 0x9c404f0000 end_va = 0x9c405effff entry_point = 0x0 region_type = private name = "private_0x0000009c404f0000" filename = "" Region: id = 379 start_va = 0x9c406c0000 end_va = 0x9c406cffff entry_point = 0x0 region_type = private name = "private_0x0000009c406c0000" filename = "" Region: id = 380 start_va = 0x7ff7cb568000 end_va = 0x7ff7cb569fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb568000" filename = "" Region: id = 381 start_va = 0x7ffb362c0000 end_va = 0x7ffb362d5fff entry_point = 0x7ffb362c0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 382 start_va = 0x7ffb362a0000 end_va = 0x7ffb362b9fff entry_point = 0x7ffb362a0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 383 start_va = 0x7ffb2ae50000 end_va = 0x7ffb2aecffff entry_point = 0x7ffb2ae50000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 384 start_va = 0x9c3f4e0000 end_va = 0x9c3f4e4fff entry_point = 0x9c3f4e0000 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 385 start_va = 0x9c3f4f0000 end_va = 0x9c3f4fffff entry_point = 0x9c3f4f0000 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 386 start_va = 0x9c406d0000 end_va = 0x9c407cffff entry_point = 0x0 region_type = private name = "private_0x0000009c406d0000" filename = "" Region: id = 387 start_va = 0x9c408b0000 end_va = 0x9c408bffff entry_point = 0x0 region_type = private name = "private_0x0000009c408b0000" filename = "" Region: id = 388 start_va = 0x9c40cc0000 end_va = 0x9c40dbffff entry_point = 0x0 region_type = private name = "private_0x0000009c40cc0000" filename = "" Region: id = 389 start_va = 0x9c40dc0000 end_va = 0x9c40ebffff entry_point = 0x0 region_type = private name = "private_0x0000009c40dc0000" filename = "" Region: id = 390 start_va = 0x7ff7cb562000 end_va = 0x7ff7cb563fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb562000" filename = "" Region: id = 391 start_va = 0x7ff7cb564000 end_va = 0x7ff7cb565fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb564000" filename = "" Region: id = 392 start_va = 0x7ff7cb566000 end_va = 0x7ff7cb567fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb566000" filename = "" Region: id = 393 start_va = 0x7ffb34f40000 end_va = 0x7ffb34f66fff entry_point = 0x7ffb34f40000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 394 start_va = 0x7ffb25ee0000 end_va = 0x7ffb25efefff entry_point = 0x7ffb25ee0000 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 395 start_va = 0x9c404f0000 end_va = 0x9c405effff entry_point = 0x0 region_type = private name = "private_0x0000009c404f0000" filename = "" Region: id = 396 start_va = 0x7ffb236d0000 end_va = 0x7ffb23806fff entry_point = 0x7ffb236d0000 region_type = mapped_file name = "msado15.dll" filename = "\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll") Region: id = 397 start_va = 0x7ffb236a0000 end_va = 0x7ffb236c4fff entry_point = 0x7ffb236a0000 region_type = mapped_file name = "msdart.dll" filename = "\\Windows\\System32\\msdart.dll" (normalized: "c:\\windows\\system32\\msdart.dll") Region: id = 398 start_va = 0x9c40dc0000 end_va = 0x9c40ebffff entry_point = 0x0 region_type = private name = "private_0x0000009c40dc0000" filename = "" Region: id = 399 start_va = 0x7ff7cb568000 end_va = 0x7ff7cb569fff entry_point = 0x0 region_type = private name = "private_0x00007ff7cb568000" filename = "" Region: id = 400 start_va = 0x7ffb36950000 end_va = 0x7ffb36ad2fff entry_point = 0x7ffb36950000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 401 start_va = 0x9c3f510000 end_va = 0x9c3f513fff entry_point = 0x9c3f510000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 402 start_va = 0x9c3f520000 end_va = 0x9c3f562fff entry_point = 0x9c3f520000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db") Region: id = 403 start_va = 0x9c3f570000 end_va = 0x9c3f573fff entry_point = 0x9c3f570000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 404 start_va = 0x9c3f580000 end_va = 0x9c3f590fff entry_point = 0x9c3f580000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 405 start_va = 0x9c40490000 end_va = 0x9c404b1fff entry_point = 0x9c40490000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db") Region: id = 406 start_va = 0x9c404c0000 end_va = 0x9c404c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000009c404c0000" filename = "" Region: id = 407 start_va = 0x9c405f0000 end_va = 0x9c4067afff entry_point = 0x9c405f0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 408 start_va = 0x7ffb3a410000 end_va = 0x7ffb3a453fff entry_point = 0x7ffb3a410000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 409 start_va = 0x7ffb38570000 end_va = 0x7ffb385e7fff entry_point = 0x7ffb38570000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Thread: id = 1 os_tid = 0xf84 [0027.094] GetModuleHandleA (lpModuleName=0x0) returned 0x7ff7cbfd0000 [0027.094] GetVersionExA (in: lpVersionInformation=0x9c3c73fa70*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x9c3c73fa70*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0027.094] GetUserDefaultLCID () returned 0x409 [0027.096] GetLocaleInfoW (in: Locale=0x409, LCType=0x20000070, lpLCData=0x9c3c73f5e0, cchData=2 | out: lpLCData="") returned 2 [0027.096] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x7ffb3d260000 [0027.097] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="SetThreadUILanguage") returned 0x7ffb3d27d550 [0027.097] SetThreadUILanguage (LangId=0x0) returned 0x409 [0027.113] FreeLibrary (hLibModule=0x7ffb3d260000) returned 1 [0027.113] GetCommandLineW () returned="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" " [0027.113] wcscpy_s (in: _Destination=0x9c3c73fac0, _SizeInWords=0x4d, _Source="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" " | out: _Destination="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" ") returned 0x0 [0027.113] wcscpy_s (in: _Destination=0x9c3c73fac0, _SizeInWords=0x4d, _Source="C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" " | out: _Destination="C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" ") returned 0x0 [0027.113] wcscpy_s (in: _Destination=0x9c3c73fafe, _SizeInWords=0x2d, _Source=" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" " | out: _Destination=" \"C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" ") returned 0x0 [0027.113] wcscpy_s (in: _Destination=0x9c3c73fb02, _SizeInWords=0x2a, _Source="C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" " | out: _Destination="C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF\" ") returned 0x0 [0027.113] wcscpy_s (in: _Destination=0x9c3c73fb4e, _SizeInWords=0x3, _Source=" " | out: _Destination=" ") returned 0x0 [0027.114] GetCurrentThreadId () returned 0xf84 [0027.114] CoInitialize (pvReserved=0x0) returned 0x0 [0027.452] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73f738 | out: phkResult=0x9c3c73f738*=0x0) returned 0x2 [0027.452] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73f730 | out: phkResult=0x9c3c73f730*=0xec) returned 0x0 [0027.452] RegQueryValueExW (in: hKey=0xec, lpValueName="Enabled", lpReserved=0x0, lpType=0x9c3c73ea24, lpData=0x9c3c73ee30, lpcbData=0x9c3c73ea20*=0x400 | out: lpType=0x9c3c73ea24*=0x0, lpData=0x9c3c73ee30*=0x0, lpcbData=0x9c3c73ea20*=0x400) returned 0x2 [0027.452] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0027.567] RegCloseKey (hKey=0xec) returned 0x0 [0027.567] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73f450 | out: phkResult=0x9c3c73f450*=0x0) returned 0x2 [0027.567] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73f448 | out: phkResult=0x9c3c73f448*=0xec) returned 0x0 [0027.567] RegQueryValueExW (in: hKey=0xec, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x9c3c73e744, lpData=0x9c3c73eb50, lpcbData=0x9c3c73e740*=0x400 | out: lpType=0x9c3c73e744*=0x0, lpData=0x9c3c73eb50*=0x0, lpcbData=0x9c3c73e740*=0x400) returned 0x2 [0027.567] RegCloseKey (hKey=0xec) returned 0x0 [0027.567] GetACP () returned 0x4e4 [0027.567] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x7ffb3d260000 [0027.568] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="HeapSetInformation") returned 0x7ffb3d280f40 [0027.568] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0027.568] FreeLibrary (hLibModule=0x7ffb3d260000) returned 1 [0027.568] CoRegisterMessageFilter (in: lpMessageFilter=0x9c3cb259d0, lplpMessageFilter=0x9c3cb259e0 | out: lplpMessageFilter=0x9c3cb259e0*=0x0) returned 0x0 [0027.568] IUnknown:AddRef (This=0x9c3cb259d0) returned 0x2 [0027.568] GetModuleFileNameW (in: hModule=0x7ff7cbfd0000, lpFilename=0x9c3c73f7b0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\CScript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")) returned 0x1f [0027.568] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\CScript.exe", lpdwHandle=0x9c3c73f0d0 | out: lpdwHandle=0x9c3c73f0d0) returned 0x714 [0027.568] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\CScript.exe", dwHandle=0x0, dwLen=0x714, lpData=0x9c3c73e9b0 | out: lpData=0x9c3c73e9b0) returned 1 [0027.568] VerQueryValueW (in: pBlock=0x9c3c73e9b0, lpSubBlock="\\", lplpBuffer=0x9c3c73f0d8, puLen=0x9c3c73f0d4 | out: lplpBuffer=0x9c3c73f0d8*=0x9c3c73e9d8, puLen=0x9c3c73f0d4) returned 1 [0027.569] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73f128 | out: phkResult=0x9c3c73f128*=0xec) returned 0x0 [0027.569] RegQueryValueExW (in: hKey=0xec, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x9c3c73e464, lpData=0x9c3c73e870, lpcbData=0x9c3c73e460*=0x400 | out: lpType=0x9c3c73e464*=0x0, lpData=0x9c3c73e870*=0x0, lpcbData=0x9c3c73e460*=0x400) returned 0x2 [0027.569] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73f0e0 | out: phkResult=0x9c3c73f0e0*=0x0) returned 0x2 [0027.569] RegQueryValueExW (in: hKey=0xec, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x9c3c73f094, lpData=0x9c3c73f120, lpcbData=0x9c3c73f090*=0x4 | out: lpType=0x9c3c73f094*=0x0, lpData=0x9c3c73f120*=0x1, lpcbData=0x9c3c73f090*=0x4) returned 0x2 [0027.569] RegQueryValueExW (in: hKey=0xec, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x9c3c73e464, lpData=0x9c3c73e870, lpcbData=0x9c3c73e460*=0x400 | out: lpType=0x9c3c73e464*=0x1, lpData="1", lpcbData=0x9c3c73e460*=0x4) returned 0x0 [0027.569] RegCloseKey (hKey=0xec) returned 0x0 [0027.569] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x9c00020019, lpSecurityAttributes=0x0, phkResult=0x9c3c73f128, lpdwDisposition=0x0 | out: phkResult=0x9c3c73f128*=0xec, lpdwDisposition=0x0) returned 0x0 [0027.569] RegQueryValueExW (in: hKey=0xec, lpValueName="Timeout", lpReserved=0x0, lpType=0x9c3c73f0b4, lpData=0x9c3c73f120, lpcbData=0x9c3c73f0b0*=0x4 | out: lpType=0x9c3c73f0b4*=0x0, lpData=0x9c3c73f120*=0x1, lpcbData=0x9c3c73f0b0*=0x4) returned 0x2 [0027.569] RegQueryValueExW (in: hKey=0xec, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x9c3c73e484, lpData=0x9c3c73e890, lpcbData=0x9c3c73e480*=0x400 | out: lpType=0x9c3c73e484*=0x1, lpData="1", lpcbData=0x9c3c73e480*=0x4) returned 0x0 [0027.569] RegCloseKey (hKey=0xec) returned 0x0 [0027.569] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x7ffb00020019, lpSecurityAttributes=0x0, phkResult=0x9c3c73f128, lpdwDisposition=0x0 | out: phkResult=0x9c3c73f128*=0x11c, lpdwDisposition=0x0) returned 0x0 [0027.571] RegQueryValueExW (in: hKey=0x11c, lpValueName="Timeout", lpReserved=0x0, lpType=0x9c3c73f0b4, lpData=0x9c3c73f120, lpcbData=0x9c3c73f0b0*=0x4 | out: lpType=0x9c3c73f0b4*=0x0, lpData=0x9c3c73f120*=0x1, lpcbData=0x9c3c73f0b0*=0x4) returned 0x2 [0027.571] RegQueryValueExW (in: hKey=0x11c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x9c3c73e484, lpData=0x9c3c73e890, lpcbData=0x9c3c73e480*=0x400 | out: lpType=0x9c3c73e484*=0x0, lpData=0x9c3c73e890*=0x31, lpcbData=0x9c3c73e480*=0x400) returned 0x2 [0027.571] RegCloseKey (hKey=0x11c) returned 0x0 [0027.571] wcscpy_s (in: _Destination=0x9c3c73f3ac, _SizeInWords=0x104, _Source="C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF" | out: _Destination="C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF") returned 0x0 [0027.572] LoadStringW (in: hInstance=0x7ff7cbfd0000, uID=0x834, lpBuffer=0x9c3c73e020, cchBufferMax=2048 | out: lpBuffer="Microsoft (R) Windows Script Host Version %1!u!.%2!u!\nCopyright (C) Microsoft Corporation. All rights reserved.\n") returned 0x70 [0027.572] FormatMessageW (in: dwFlags=0x500, lpSource=0x9c3c7c96a8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x9c3c73f008, nSize=0x0, Arguments=0x9c3c73f078 | out: lpBuffer="ꇰ㱼\x9c") returned 0x6c [0027.572] LocalFree (hMem=0x9c3c7ca1f0) returned 0x0 [0027.572] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2c [0027.574] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0x9c3c73edc0 | out: lpMode=0x9c3c73edc0) returned 1 [0027.574] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0x9c3c7c9bc0*, nNumberOfCharsToWrite=0x6e, lpNumberOfCharsWritten=0x9c3c73edc8, lpReserved=0x0 | out: lpBuffer=0x9c3c7c9bc0*, lpNumberOfCharsWritten=0x9c3c73edc8*=0x6e) returned 1 [0027.575] LoadStringW (in: hInstance=0x7ff7cbfd0000, uID=0x7d1, lpBuffer=0x9c3c73db40, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13 [0027.575] LoadTypeLib (in: szFile="C:\\Windows\\System32\\CScript.exe", pptlib=0x9c3c73eb80*=0x0 | out: pptlib=0x9c3c73eb80*=0x9c3c7ca400) returned 0x0 [0027.581] ITypeLib:GetTypeInfoOfGuid (in: This=0x9c3c7ca400, GUID=0x7ff7cbfe6e90*(Data1=0x91afbd1b, Data2=0x5feb, Data3=0x43f5, Data4=([0]=0xb0, [1]=0x28, [2]=0xe2, [3]=0xca, [4]=0x96, [5]=0x6, [6]=0x17, [7]=0xec)), ppTInfo=0x9c3c73eb68 | out: ppTInfo=0x9c3c73eb68*=0x9c3c7cac88) returned 0x0 [0027.751] ITypeLib:GetTypeInfoOfGuid (in: This=0x9c3c7ca400, GUID=0x7ff7cbfe6a90*(Data1=0x2cc5a9d0, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0x9c3c73eb38 | out: ppTInfo=0x9c3c73eb38*=0x9c3c7cad38) returned 0x0 [0027.751] ITypeInfo:GetRefTypeOfImplType (in: This=0x9c3c7cad38, index=0xffffffff, pRefType=0x9c3c73eb30 | out: pRefType=0x9c3c73eb30*=0xfffffffe) returned 0x0 [0027.751] ITypeInfo:GetRefTypeInfo (in: This=0x9c3c7cad38, hreftype=0xfffffffe, ppTInfo=0x7ff7cbff20c8 | out: ppTInfo=0x7ff7cbff20c8*=0x9c3c7cad90) returned 0x0 [0027.751] IUnknown:Release (This=0x9c3c7cad38) returned 0x1 [0027.751] ITypeLib:GetTypeInfoOfGuid (in: This=0x9c3c7ca400, GUID=0x7ff7cbfe77a0*(Data1=0xbf64faf0, Data2=0x5906, Data3=0x426c, Data4=([0]=0xb4, [1]=0xbc, [2]=0x7b, [3]=0x75, [4]=0x3c, [5]=0xbe, [6]=0x81, [7]=0x9f)), ppTInfo=0x9c3c73eb38 | out: ppTInfo=0x9c3c73eb38*=0x9c3c7cade8) returned 0x0 [0027.752] ITypeInfo:GetRefTypeOfImplType (in: This=0x9c3c7cade8, index=0xffffffff, pRefType=0x9c3c73eb30 | out: pRefType=0x9c3c73eb30*=0xfffffffe) returned 0x0 [0027.752] ITypeInfo:GetRefTypeInfo (in: This=0x9c3c7cade8, hreftype=0xfffffffe, ppTInfo=0x7ff7cbff2088 | out: ppTInfo=0x7ff7cbff2088*=0x9c3c7cae40) returned 0x0 [0027.752] IUnknown:Release (This=0x9c3c7cade8) returned 0x1 [0027.752] ITypeLib:GetTypeInfoOfGuid (in: This=0x9c3c7ca400, GUID=0x7ff7cbfe6ea0*(Data1=0x2cc5a9d1, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0x9c3c73eb38 | out: ppTInfo=0x9c3c73eb38*=0x9c3c7cae98) returned 0x0 [0027.752] ITypeInfo:GetRefTypeOfImplType (in: This=0x9c3c7cae98, index=0xffffffff, pRefType=0x9c3c73eb30 | out: pRefType=0x9c3c73eb30*=0xfffffffe) returned 0x0 [0027.752] ITypeInfo:GetRefTypeInfo (in: This=0x9c3c7cae98, hreftype=0xfffffffe, ppTInfo=0x7ff7cbff2048 | out: ppTInfo=0x7ff7cbff2048*=0x9c3c7caef0) returned 0x0 [0027.752] IUnknown:Release (This=0x9c3c7cae98) returned 0x1 [0027.752] IUnknown:Release (This=0x9c3c7ca400) returned 0x4 [0027.752] GetCurrentThreadId () returned 0xf84 [0027.752] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x128 [0027.752] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7ff7cbfd1790, lpParameter=0x9c3cb25bf0, dwCreationFlags=0x0, lpThreadId=0x9c3cb25c18 | out: lpThreadId=0x9c3cb25c18*=0xff4) returned 0x12c [0027.752] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x9c3c73edb0*=0x128, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff) returned 0x0 [0027.766] CloseHandle (hObject=0x128) returned 1 [0027.766] GetFullPathNameW (in: lpFileName="C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF", nBufferLength=0x104, lpBuffer=0x9c3c73eea0, lpFilePart=0x9c3c73ee98 | out: lpBuffer="C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF", lpFilePart=0x9c3c73ee98*="2999BA~1.WSF") returned 0x26 [0027.766] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".WSF", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73e3a0 | out: phkResult=0x9c3c73e3a0*=0x146) returned 0x0 [0027.766] RegQueryValueExW (in: hKey=0x146, lpValueName=0x0, lpReserved=0x0, lpType=0x9c3c73e364, lpData=0x9c3c73e3b0, lpcbData=0x9c3c73e360*=0x800 | out: lpType=0x9c3c73e364*=0x1, lpData="WSFFile", lpcbData=0x9c3c73e360*=0x10) returned 0x0 [0027.766] RegCloseKey (hKey=0x146) returned 0x0 [0027.766] wcscat_s (in: _Destination="WSFFile", _SizeInWords=0x40e, _Source="\\ScriptEngine" | out: _Destination="WSFFile\\ScriptEngine") returned 0x0 [0027.766] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="WSFFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x9c3c73e3a0 | out: phkResult=0x9c3c73e3a0*=0x0) returned 0x2 [0027.766] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x7ffb2ea50000 [0028.183] GetProcAddress (hModule=0x7ffb2ea50000, lpProcName="CreateURLMonikerEx") returned 0x7ffb2ea74fe0 [0028.183] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="C:\\Users\\CIIHMN~1\\Desktop\\2999BA~1.WSF", ppmk=0x9c3c73ee88*=0x0, dwFlags=0x1 | out: ppmk=0x9c3c73ee88*=0x9c3c7d79f0) returned 0x0 [0028.188] CoCreateInstance (in: rclsid=0x7ff7cbfe69e0*(Data1=0x6290bd6, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ff7cbfe6a80*(Data1=0x6290bea, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppv=0x9c3c73fa08 | out: ppv=0x9c3c73fa08*=0x0) returned 0x80040154 [0028.409] CoCreateInstance (in: rclsid=0x7ff7cbfe69f0*(Data1=0x6290bd0, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ff7cbfe6a80*(Data1=0x6290bea, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppv=0x9c3c73fa08 | out: ppv=0x9c3c73fa08*=0x9c3cb26c38) returned 0x0 [0028.522] __dllonexit () returned 0x7ffb2416bcd0 [0028.522] __dllonexit () returned 0x7ffb2416bcf0 [0028.522] GetVersionExA (in: lpVersionInformation=0x9c3c73c7a0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7ffb, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x2416bcf0, szCSDVersion="û\x7f") | out: lpVersionInformation=0x9c3c73c7a0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0028.522] GetProcessWindowStation () returned 0xbc [0028.522] GetUserObjectInformationA (in: hObj=0xbc, nIndex=1, pvInfo=0x9c3c73c788, nLength=0xc, lpnLengthNeeded=0x9c3c73c780 | out: pvInfo=0x9c3c73c788, lpnLengthNeeded=0x9c3c73c780) returned 1 [0028.523] DllGetClassObject (in: rclsid=0x9c3c7df1f0*(Data1=0x6290bd0, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7ffb3ce2f7c0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x9c3c73d7e0 | out: ppv=0x9c3c73d7e0*=0x9c3cb26930) returned 0x0 [0028.523] IClassFactory:CreateInstance (in: This=0x9c3cb26930, pUnkOuter=0x0, riid=0x9c3c73e6e0*(Data1=0x6290bea, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x9c3c73d7f8 | out: ppvObject=0x9c3c73d7f8*=0x9c3cb26c38) returned 0x0 [0028.525] IUnknown:AddRef (This=0x9c3cb26c38) returned 0x2 [0028.525] IUnknown:Release (This=0x9c3cb26c38) returned 0x1 [0028.525] IUnknown:Release (This=0x9c3cb26930) returned 0x0 [0028.525] IUnknown:QueryInterface (in: This=0x9c3cb26c38, riid=0x7ff7cbfe6a80*(Data1=0x6290bea, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x9c3c73ed28 | out: ppvObject=0x9c3c73ed28*=0x9c3cb26c38) returned 0x0 [0028.525] IUnknown:Release (This=0x9c3cb26c38) returned 0x1 [0028.525] GetUserDefaultLCID () returned 0x409 [0028.525] CoGetClassObject (in: rclsid=0x7ff7cbfe6a10*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), dwClsContext=0x1, pvReserved=0x0, riid=0x7ff7cbfe6a00*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppv=0x9c3c73edb8 | out: ppv=0x9c3c73edb8*=0x9c3cb26d00) returned 0x0 [0028.526] DllGetClassObject (in: rclsid=0x9c3c7df240*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x9c3c73e790*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppv=0x9c3c73d980 | out: ppv=0x9c3c73d980*=0x9c3cb26d00) returned 0x0 [0028.526] IUnknown:AddRef (This=0x9c3cb26d00) returned 0x2 [0028.526] IUnknown:Release (This=0x9c3cb26d00) returned 0x1 [0028.526] IUnknown:QueryInterface (in: This=0x9c3cb26d00, riid=0x7ff7cbfe6a00*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x9c3c73eaa8 | out: ppvObject=0x9c3c73eaa8*=0x9c3cb26d00) returned 0x0 [0028.526] IUnknown:Release (This=0x9c3cb26d00) returned 0x1 [0028.526] wcscpy_s (in: _Destination=0x9c3cb26e2c, _SizeInWords=0x8, _Source="WScript" | out: _Destination="WScript") returned 0x0 [0028.526] wcscpy_s (in: _Destination=0x9c3cb26e6c, _SizeInWords=0x4, _Source="WSH" | out: _Destination="WSH") returned 0x0 [0028.526] CreateBindCtx (in: reserved=0x0, ppbc=0x9c3c73eda0 | out: ppbc=0x9c3c73eda0*=0x9c3c7d5c90) returned 0x0 [0028.527] CBindCtx::SetBindOptions () returned 0x0 [0028.527] IMoniker:RemoteBindToStorage (in: This=0x9c3c7d79f0, pbc=0x9c3c7d5c90, pmkToLeft=0x0, riid=0x7ffb2418c9d8, ppvObj=0x9c3c73ed40 | out: ppvObj=0x9c3c73ed40*=0x9c3c7e4e50) returned 0x0 [0028.537] IUnknown:Release (This=0x9c3c7e4e50) returned 0x0 [0028.537] IUnknown:QueryInterface (in: This=0x9c3c7d79f0, riid=0x7ffb2418c9e8*(Data1=0xf29f6bc0, Data2=0x5021, Data3=0x11ce, Data4=([0]=0xaa, [1]=0x15, [2]=0x0, [3]=0x0, [4]=0x69, [5]=0x1, [6]=0x29, [7]=0x3f)), ppvObject=0x9c3c73e408 | out: ppvObject=0x9c3c73e408*=0x9c3c7d79f8) returned 0x0 [0028.538] IROTData:GetComparisonData (in: This=0x9c3c7d79f8, pbData=0x9c3c73e410, cbMax=0x800, pcbData=0x9c3c73e400 | out: pbData=0x9c3c73e410*=0x66, pcbData=0x9c3c73e400*=0x5e) returned 0x0 [0028.538] IUnknown:Release (This=0x9c3c7d79f8) returned 0x1 [0028.538] IUnknown:AddRef (This=0x9c3c7d79f0) returned 0x2 [0028.538] _strnicmp (_Str1="", _MaxCount=0x5) returned -43 [0028.538] IsTextUnicode (in: lpv=0x9c3e750080, iSize=97272, lpiResult=0x9c3c73ec68 | out: lpiResult=0x9c3c73ec68) returned 0 [0028.538] GetACP () returned 0x4e4 [0028.539] GetACP () returned 0x4e4 [0028.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x9c3e750080, cbMultiByte=97272, lpWideCharStr=0x9c3e767c80, cchWideChar=97400 | out: lpWideCharStr="\r\n