{ "statistics": { "processing": [ { "name": "AnalysisInfo", "time": 0.027 }, { "name": "BehaviorAnalysis", "time": 0.023 }, { "name": "Debug", "time": 0.002 }, { "name": "NetworkAnalysis", "time": 0.178 }, { "name": "UrlAnalysis", "time": 0.0 }, { "name": "script_log_processing", "time": 0.0 }, { "name": "ProcessMemory", "time": 0.0 } ], "signatures": [ { "name": "packer_themida", "time": 0.0 }, { "name": "stealth_network", "time": 0.0 }, { "name": "disable_driver_via_blocklist", "time": 0.0 }, { "name": "disable_driver_via_hvcidisallowedimages", "time": 0.0 }, { "name": "disable_hypervisor_protected_code_integrity", "time": 0.0 }, { "name": "pendingfilerenameoperations_Operations", "time": 0.0 }, { "name": "anomalous_deletefile", "time": 0.0 }, { "name": "antiav_360_libs", "time": 0.0 }, { "name": "antiav_ahnlab_libs", "time": 0.0 }, { "name": "antiav_avast_libs", "time": 0.0 }, { "name": "antiav_bitdefender_libs", "time": 0.0 }, { "name": "antiav_bullguard_libs", "time": 0.0 }, { "name": "antiav_emsisoft_libs", "time": 0.0 }, { "name": "antiav_qurb_libs", "time": 0.0 }, { "name": "antiav_servicestop", "time": 0.0 }, { "name": "antiav_apioverride_libs", "time": 0.0 }, { "name": "antidebug_guardpages", "time": 0.0 }, { "name": "antiav_nthookengine_libs", "time": 0.0 }, { "name": "antidebug_outputdebugstring", "time": 0.0 }, { "name": "antidebug_windows", "time": 0.0 }, { "name": "antisandbox_cuckoo", "time": 0.0 }, { "name": "antisandbox_cuckoocrash", "time": 0.0 }, { "name": "antisandbox_foregroundwindows", "time": 0.0 }, { "name": "mouse_movement_detect", "time": 0.0 }, { "name": "antisandbox_sboxie_libs", "time": 0.0 }, { "name": "antisandbox_script_timer", "time": 0.0 }, { "name": "antisandbox_sleep", "time": 0.0 }, { "name": "antisandbox_sunbelt_libs", "time": 0.0 }, { "name": "antisandbox_unhook", "time": 0.0 }, { "name": "antivm_directory_objects", "time": 0.0 }, { "name": "antivm_generic_disk", "time": 0.0 }, { "name": "antivm_generic_system", "time": 0.0 }, { "name": "antivm_checks_available_memory", "time": 0.0 }, { "name": "detect_virtualization_via_recent_files", "time": 0.0 }, { "name": "antivm_vbox_libs", "time": 0.0 }, { "name": "antivm_vmware_events", "time": 0.0 }, { "name": "antivm_vmware_libs", "time": 0.0 }, { "name": "api_spamming", "time": 0.0 }, { "name": "api_uuidfromstringa", "time": 0.0 }, { "name": "bcdedit_command", "time": 0.0 }, { "name": "bootkit", "time": 0.0 }, { "name": "potential_overwrite_mbr", "time": 0.0 }, { "name": "suspicious_ioctl_scsipassthough", "time": 0.0 }, { "name": "suspicious_iocontrol_codes", "time": 0.0 }, { "name": "browser_needed", "time": 0.0 }, { "name": "regsvr32_squiblydoo_dll_load", "time": 0.0 }, { "name": "uac_bypass_cmstp", "time": 0.0 }, { "name": "uac_bypass_eventvwr", "time": 0.0 }, { "name": "uac_bypass_windows_Backup", "time": 0.0 }, { "name": "queries_computer_name", "time": 0.0 }, { "name": "queries_user_name", "time": 0.0 }, { "name": "creates_largekey", "time": 0.0 }, { "name": "creates_nullvalue", "time": 0.0 }, { "name": "access_windows_passwords_vault", "time": 0.0 }, { "name": "lsass_credential_dumping", "time": 0.0 }, { "name": "critical_process", "time": 0.0 }, { "name": "cryptopool_domains", "time": 0.0 }, { "name": "dead_connect", "time": 0.0 }, { "name": "dead_link", "time": 0.0 }, { "name": "decoy_image", "time": 0.0 }, { "name": "deletes_consolehost_history", "time": 0.0 }, { "name": "deletes_shadow_copies", "time": 0.0 }, { "name": "deletes_system_state_backup", "time": 0.0 }, { "name": "dep_bypass", "time": 0.0 }, { "name": "dep_disable", "time": 0.0 }, { "name": "disables_mappeddrives_autodisconnect", "time": 0.0 }, { "name": "disables_wfp", "time": 0.0 }, { "name": "add_windows_defender_exclusions", "time": 0.0 }, { "name": "dll_load_uncommon_file_types", "time": 0.0 }, { "name": "document_script_exe_drop", "time": 0.0 }, { "name": "guloader_apis", "time": 0.0 }, { "name": "driver_load", "time": 0.0 }, { "name": "dynamic_function_loading", "time": 0.0 }, { "name": "exec_crash", "time": 0.0 }, { "name": "process_creation_suspicious_location", "time": 0.0 }, { "name": "exploit_getbasekerneladdress", "time": 0.0 }, { "name": "exploit_gethaldispatchtable", "time": 0.0 }, { "name": "exploit_heapspray", "time": 0.0 }, { "name": "koadic_apis", "time": 0.0 }, { "name": "koadic_network_activity", "time": 0.0 }, { "name": "downloads_from_filehosting", "time": 0.0 }, { "name": "generic_phish", "time": 0.0 }, { "name": "http_request", "time": 0.0 }, { "name": "infostealer_browser", "time": 0.0 }, { "name": "infostealer_browser_password", "time": 0.0 }, { "name": "infostealer_cookies", "time": 0.0 }, { "name": "cryptbot_network", "time": 0.0 }, { "name": "masslogger_artifacts", "time": 0.0 }, { "name": "purplewave_network_activity", "time": 0.0 }, { "name": "quilclipper_behavior", "time": 0.0 }, { "name": "raccoon_behavior", "time": 0.0 }, { "name": "captures_screenshot", "time": 0.0 }, { "name": "vidar_behavior", "time": 0.0 }, { "name": "injection_createremotethread", "time": 0.0 }, { "name": "creates_suspended_process", "time": 0.0 }, { "name": "injection_explorer", "time": 0.0 }, { "name": "injection_needextension", "time": 0.0 }, { "name": "injection_network_traffic", "time": 0.0 }, { "name": "injection_runpe", "time": 0.0 }, { "name": "injection_themeinitapihook", "time": 0.0 }, { "name": "resumethread_remote_process", "time": 0.0 }, { "name": "injection_write_exe_process", "time": 0.0 }, { "name": "injection_write_process", "time": 0.0 }, { "name": "internet_dropper", "time": 0.0 }, { "name": "escalate_privilege_via_named_pipe", "time": 0.0 }, { "name": "ipc_namedpipe", "time": 0.0 }, { "name": "js_phish", "time": 0.0 }, { "name": "js_suspicious_redirect", "time": 0.0 }, { "name": "execute_binary_via_internet_explorer_exporter", "time": 0.0 }, { "name": "execute_binary_via_run_exe_helper_utility", "time": 0.0 }, { "name": "execute_ps_via_syncappvpublishingserver", "time": 0.0 }, { "name": "malicious_dynamic_function_loading", "time": 0.0 }, { "name": "encrypt_pcinfo", "time": 0.0 }, { "name": "encrypt_data_agenttesla_http", "time": 0.0 }, { "name": "encrypt_data_agentteslat2_http", "time": 0.0 }, { "name": "encrypt_data_nanocore", "time": 0.0 }, { "name": "reads_memory_remote_process", "time": 0.0 }, { "name": "mimics_filetime", "time": 0.0 }, { "name": "amsi_bypass_via_com_registry", "time": 0.0 }, { "name": "access_auto_logons_via_registry", "time": 0.0 }, { "name": "access_boot_key_via_registry", "time": 0.0 }, { "name": "create_suspicious_lnk_files", "time": 0.0 }, { "name": "credential_access_via_windows_credential_history", "time": 0.0 }, { "name": "dll_hijacking_via_microsoft_exchange", "time": 0.0 }, { "name": "dll_hijacking_via_waas_medic_svc_com_typelib", "time": 0.0 }, { "name": "execute_file_downloaded_via_openssh", "time": 0.0 }, { "name": "execute_safe_mode_from_suspicious_process", "time": 0.0 }, { "name": "execute_scripts_via_microsoft_management_console", "time": 0.0 }, { "name": "execute_suspicious_processes_via_windows_mssql_service", "time": 0.0 }, { "name": "execution_from_self_extracting_archive", "time": 0.0 }, { "name": "ip_address_discovery_via_trusted_program", "time": 0.0 }, { "name": "load_dll_via_control_panel", "time": 0.0 }, { "name": "network_connection_via_suspicious_process", "time": 0.0 }, { "name": "potential_location_discovery_via_unusual_process", "time": 0.0 }, { "name": "store_executable_registry", "time": 0.0 }, { "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent", "time": 0.0 }, { "name": "suspicious_java_execution_via_win_scripts", "time": 0.0 }, { "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File", "time": 0.0 }, { "name": "uses_restart_manager_for_suspicious_activities", "time": 0.0 }, { "name": "modify_desktop_wallpaper", "time": 0.0 }, { "name": "move_file_on_reboot", "time": 0.0 }, { "name": "multiple_useragents", "time": 0.0 }, { "name": "network_anomaly", "time": 0.0 }, { "name": "network_bind", "time": 0.0 }, { "name": "network_cnc_https_archive", "time": 0.0 }, { "name": "network_cnc_https_free_webshoting", "time": 0.0 }, { "name": "network_cnc_https_generic", "time": 0.0 }, { "name": "network_cnc_https_temp_urldns", "time": 0.0 }, { "name": "network_cnc_https_opensource", "time": 0.0 }, { "name": "network_cnc_https_pastesite", "time": 0.0 }, { "name": "network_cnc_https_payload", "time": 0.0 }, { "name": "network_cnc_https_serviceinterface", "time": 0.0 }, { "name": "network_cnc_https_socialmedia", "time": 0.0 }, { "name": "network_cnc_https_telegram", "time": 0.0 }, { "name": "network_cnc_https_tempstorage", "time": 0.0 }, { "name": "network_cnc_https_urlshortener", "time": 0.0 }, { "name": "network_cnc_https_useragent", "time": 0.0 }, { "name": "network_cnc_smtps_exfil", "time": 0.0 }, { "name": "network_cnc_smtps_generic", "time": 0.0 }, { "name": "network_dns_idn", "time": 0.0 }, { "name": "network_dns_suspicious_querytype", "time": 0.0 }, { "name": "network_dns_tunneling_request", "time": 0.0 }, { "name": "explorer_http", "time": 0.0 }, { "name": "network_fake_useragent", "time": 0.0 }, { "name": "legitimate_domain_abuse", "time": 0.0 }, { "name": "suspicious_communication_trusted_site", "time": 0.0 }, { "name": "network_tor", "time": 0.0 }, { "name": "office_com_load", "time": 0.0 }, { "name": "office_dotnet_load", "time": 0.0 }, { "name": "office_mshtml_load", "time": 0.0 }, { "name": "office_vb_load", "time": 0.0 }, { "name": "office_wmi_load", "time": 0.0 }, { "name": "office_cve2017_11882_network", "time": 0.0 }, { "name": "office_cve_2021_40444", "time": 0.0 }, { "name": "office_cve_2021_40444_m2", "time": 0.0 }, { "name": "office_flash_load", "time": 0.0 }, { "name": "office_postscript", "time": 0.0 }, { "name": "office_suspicious_processes", "time": 0.0 }, { "name": "persistence_via_autodial_dll_registry", "time": 0.0 }, { "name": "persistence_autorun", "time": 0.0 }, { "name": "persistence_autorun_tasks", "time": 0.0 }, { "name": "persistence_bootexecute", "time": 0.0 }, { "name": "persistence_registry_script", "time": 0.0 }, { "name": "powershell_download", "time": 0.0 }, { "name": "powershell_request", "time": 0.0 }, { "name": "createtoolhelp32snapshot_module_enumeration", "time": 0.0 }, { "name": "enumerates_running_processes", "time": 0.0 }, { "name": "process_interest", "time": 0.0 }, { "name": "process_needed", "time": 0.0 }, { "name": "mass_data_encryption", "time": 0.0 }, { "name": "ransomware_file_modifications", "time": 0.0 }, { "name": "nemty_network_activity", "time": 0.0 }, { "name": "nemty_note", "time": 0.0 }, { "name": "sodinokibi_behavior", "time": 0.0 }, { "name": "stop_ransomware_registry", "time": 0.0 }, { "name": "blackrat_apis", "time": 0.0 }, { "name": "blackrat_network_activity", "time": 0.0 }, { "name": "blackrat_registry_keys", "time": 0.0 }, { "name": "dcrat_behavior", "time": 0.0 }, { "name": "karagany_system_event_objects", "time": 0.0 }, { "name": "rat_luminosity", "time": 0.0 }, { "name": "rat_nanocore", "time": 0.0 }, { "name": "netwire_behavior", "time": 0.0 }, { "name": "obliquerat_network_activity", "time": 0.0 }, { "name": "orcusrat_behavior", "time": 0.0 }, { "name": "trochilusrat_apis", "time": 0.0 }, { "name": "recon_beacon", "time": 0.0 }, { "name": "recon_programs", "time": 0.0 }, { "name": "recon_systeminfo", "time": 0.0 }, { "name": "accesses_recyclebin", "time": 0.0 }, { "name": "remcos_shell_code_dynamic_wrapper_x", "time": 0.0 }, { "name": "script_created_process", "time": 0.0 }, { "name": "script_network_activity", "time": 0.0 }, { "name": "suspicious_js_script", "time": 0.0 }, { "name": "javascript_timer", "time": 0.0 }, { "name": "secure_login_phishing", "time": 0.0 }, { "name": "securityxploded_modules", "time": 0.0 }, { "name": "get_clipboard_data", "time": 0.0 }, { "name": "sets_autoconfig_url", "time": 0.0 }, { "name": "spoofs_procname", "time": 0.0 }, { "name": "stack_pivot", "time": 0.0 }, { "name": "stack_pivot_file_created", "time": 0.0 }, { "name": "stack_pivot_process_create", "time": 0.0 }, { "name": "set_clipboard_data", "time": 0.0 }, { "name": "stealth_childproc", "time": 0.0 }, { "name": "stealth_timeout", "time": 0.0 }, { "name": "stealth_window", "time": 0.0 }, { "name": "queries_keyboard_layout", "time": 0.0 }, { "name": "queries_locale_api", "time": 0.0 }, { "name": "terminates_remote_process", "time": 0.0 }, { "name": "uiautomationcore_load", "time": 0.0 }, { "name": "user_enum", "time": 0.0 }, { "name": "virus", "time": 0.0 }, { "name": "neshta_files", "time": 0.0 }, { "name": "neshta_regkeys", "time": 0.0 }, { "name": "webmail_phish", "time": 0.0 }, { "name": "persists_dev_util", "time": 0.0 }, { "name": "spawns_dev_util", "time": 0.0 }, { "name": "alters_windows_utility", "time": 0.0 }, { "name": "overwrites_accessibility_utility", "time": 0.0 }, { "name": "Potential_Lateral_Movement_Via_SMBEXEC", "time": 0.0 }, { "name": "potential_WebShell_Via_ScreenConnectServer", "time": 0.0 }, { "name": "uses_Microsoft_HTML_Help_Executable", "time": 0.0 }, { "name": "wiper_zeroedbytes", "time": 0.0 }, { "name": "wmi_create_process", "time": 0.0 }, { "name": "wmi_script_process", "time": 0.0 }, { "name": "antianalysis_tls_section", "time": 0.0 }, { "name": "antivirus_clamav", "time": 0.0 }, { "name": "antivirus_virustotal", "time": 0.0 }, { "name": "bad_certs", "time": 0.0 }, { "name": "bad_ssl_certs", "time": 0.0 }, { "name": "banker_zeus_p2p", "time": 0.0 }, { "name": "banker_zeus_url", "time": 0.0 }, { "name": "bot_athenahttp", "time": 0.0 }, { "name": "bot_dirtjumper", "time": 0.0 }, { "name": "bot_drive", "time": 0.0 }, { "name": "bot_drive2", "time": 0.0 }, { "name": "bot_madness", "time": 0.0 }, { "name": "phishing_kit_detected", "time": 0.0 }, { "name": "family_proxyback", "time": 0.0 }, { "name": "flare_capa_antianalysis", "time": 0.0 }, { "name": "flare_capa_collection", "time": 0.0 }, { "name": "flare_capa_communication", "time": 0.0 }, { "name": "flare_capa_compiler", "time": 0.0 }, { "name": "flare_capa_datamanipulation", "time": 0.0 }, { "name": "flare_capa_executable", "time": 0.0 }, { "name": "flare_capa_hostinteraction", "time": 0.0 }, { "name": "flare_capa_impact", "time": 0.0 }, { "name": "flare_capa_lib", "time": 0.0 }, { "name": "flare_capa_linking", "time": 0.0 }, { "name": "flare_capa_loadcode", "time": 0.0 }, { "name": "flare_capa_malwarefamily", "time": 0.0 }, { "name": "flare_capa_nursery", "time": 0.0 }, { "name": "flare_capa_persistence", "time": 0.0 }, { "name": "flare_capa_runtime", "time": 0.0 }, { "name": "flare_capa_targeting", "time": 0.0 }, { "name": "threatfox", "time": 0.0 }, { "name": "log4shell", "time": 0.0 }, { "name": "mimics_extension", "time": 0.0 }, { "name": "network_ip_exe", "time": 0.0 }, { "name": "network_dga", "time": 0.0 }, { "name": "network_dga_fraunhofer", "time": 0.0 }, { "name": "network_dyndns", "time": 0.002 }, { "name": "network_icmp", "time": 0.0 }, { "name": "network_irc", "time": 0.0 }, { "name": "network_open_proxy", "time": 0.0 }, { "name": "network_smtp", "time": 0.0 }, { "name": "network_torgateway", "time": 0.001 }, { "name": "origin_langid", "time": 0.0 }, { "name": "origin_resource_langid", "time": 0.0 }, { "name": "overlay", "time": 0.0 }, { "name": "packer_unknown_pe_section_name", "time": 0.0 }, { "name": "packer_aspack", "time": 0.0 }, { "name": "packer_aspirecrypt", "time": 0.0 }, { "name": "packer_bedsprotector", "time": 0.0 }, { "name": "packer_confuser", "time": 0.0 }, { "name": "packer_enigma", "time": 0.0 }, { "name": "packer_entropy", "time": 0.0 }, { "name": "packer_mpress", "time": 0.0 }, { "name": "packer_nate", "time": 0.0 }, { "name": "packer_nspack", "time": 0.0 }, { "name": "packer_smartassembly", "time": 0.0 }, { "name": "packer_spices", "time": 0.0 }, { "name": "packer_themida", "time": 0.0 }, { "name": "packer_titan", "time": 0.0 }, { "name": "packer_upx", "time": 0.0 }, { "name": "packer_vmprotect", "time": 0.0 }, { "name": "packer_yoda", "time": 0.0 }, { "name": "punch_plus_plus_pcres", "time": 0.0 }, { "name": "procmem_yara", "time": 0.0 }, { "name": "recon_checkip", "time": 0.0 }, { "name": "static_authenticode", "time": 0.0 }, { "name": "invalid_authenticode_signature", "time": 0.0 }, { "name": "static_dotnet_anomaly", "time": 0.0 }, { "name": "static_java", "time": 0.0 }, { "name": "static_pdf", "time": 0.0 }, { "name": "contains_pe_overlay", "time": 0.0 }, { "name": "static_pe_anomaly", "time": 0.0 }, { "name": "pe_compile_timestomping", "time": 0.0 }, { "name": "static_pe_pdbpath", "time": 0.0 }, { "name": "static_rat_config", "time": 0.0 }, { "name": "static_versioninfo_anomaly", "time": 0.0 }, { "name": "suricata_alert", "time": 0.0 }, { "name": "suspicious_html_body", "time": 0.0 }, { "name": "suspicious_html_name", "time": 0.0 }, { "name": "suspicious_html_title", "time": 0.0 }, { "name": "volatility_devicetree_1", "time": 0.0 }, { "name": "volatility_handles_1", "time": 0.0 }, { "name": "volatility_ldrmodules_1", "time": 0.0 }, { "name": "volatility_ldrmodules_2", "time": 0.0 }, { "name": "volatility_malfind_1", "time": 0.0 }, { "name": "volatility_malfind_2", "time": 0.0 }, { "name": "volatility_modscan_1", "time": 0.0 }, { "name": "volatility_svcscan_1", "time": 0.0 }, { "name": "volatility_svcscan_2", "time": 0.0 }, { "name": "volatility_svcscan_3", "time": 0.0 }, { "name": "whois_create", "time": 0.0 }, { "name": "accesses_mailslot", "time": 0.0 }, { "name": "accesses_netlogon_regkey", "time": 0.0 }, { "name": "accesses_public_folder", "time": 0.0 }, { "name": "accesses_sysvol", "time": 0.0 }, { "name": "writes_sysvol", "time": 0.0 }, { "name": "adds_admin_user", "time": 0.0 }, { "name": "adds_user", "time": 0.0 }, { "name": "overwrites_admin_password", "time": 0.0 }, { "name": "antianalysis_detectfile", "time": 0.002 }, { "name": "antianalysis_detectreg", "time": 0.002 }, { "name": "modify_attachment_manager", "time": 0.0 }, { "name": "antiav_detectfile", "time": 0.003 }, { "name": "antiav_detectreg", "time": 0.009 }, { "name": "antiav_srp", "time": 0.0 }, { "name": "antiav_whitespace", "time": 0.0 }, { "name": "antidebug_devices", "time": 0.0 }, { "name": "antiemu_windefend", "time": 0.0 }, { "name": "antiemu_wine_reg", "time": 0.0 }, { "name": "antisandbox_cuckoo_files", "time": 0.0 }, { "name": "antisandbox_fortinet_files", "time": 0.0 }, { "name": "antisandbox_joe_anubis_files", "time": 0.0 }, { "name": "antisandbox_sboxie_mutex", "time": 0.0 }, { "name": "antisandbox_sunbelt_files", "time": 0.0 }, { "name": "antisandbox_threattrack_files", "time": 0.0 }, { "name": "antivm_bochs_keys", "time": 0.0 }, { "name": "antivm_generic_bios", "time": 0.0 }, { "name": "antivm_generic_diskreg", "time": 0.001 }, { "name": "antivm_hyperv_keys", "time": 0.0 }, { "name": "antivm_parallels_keys", "time": 0.001 }, { "name": "antivm_recentdocs", "time": 0.0 }, { "name": "antivm_vbox_devices", "time": 0.0 }, { "name": "antivm_vbox_files", "time": 0.001 }, { "name": "antivm_vbox_keys", "time": 0.001 }, { "name": "antivm_vmware_devices", "time": 0.0 }, { "name": "antivm_vmware_files", "time": 0.0 }, { "name": "antivm_vmware_keys", "time": 0.001 }, { "name": "antivm_vmware_mutexes", "time": 0.0 }, { "name": "antivm_vpc_files", "time": 0.0 }, { "name": "antivm_vpc_keys", "time": 0.0 }, { "name": "antivm_vpc_mutex", "time": 0.0 }, { "name": "antivm_xen_keys", "time": 0.001 }, { "name": "asyncrat_mutex", "time": 0.0 }, { "name": "gulpix_behavior", "time": 0.0 }, { "name": "ketrican_regkeys", "time": 0.0 }, { "name": "okrum_mutexes", "time": 0.0 }, { "name": "banker_cridex", "time": 0.0 }, { "name": "geodo_banking_trojan", "time": 0.001 }, { "name": "banker_spyeye_mutexes", "time": 0.0 }, { "name": "banker_zeus_mutex", "time": 0.0 }, { "name": "bitcoin_opencl", "time": 0.0 }, { "name": "accesses_primary_patition", "time": 0.0 }, { "name": "direct_hdd_access", "time": 0.0 }, { "name": "enumerates_physical_drives", "time": 0.0 }, { "name": "physical_drive_access", "time": 0.0 }, { "name": "bot_russkill", "time": 0.0 }, { "name": "browser_addon", "time": 0.0 }, { "name": "chromium_browser_extension_directory", "time": 0.0 }, { "name": "browser_helper_object", "time": 0.0 }, { "name": "browser_security", "time": 0.001 }, { "name": "browser_startpage", "time": 0.0 }, { "name": "ie_disables_process_tab", "time": 0.0 }, { "name": "odbcconf_bypass", "time": 0.0 }, { "name": "squiblydoo_bypass", "time": 0.0 }, { "name": "squiblytwo_bypass", "time": 0.0 }, { "name": "bypass_chromium_protection", "time": 0.0 }, { "name": "bypass_firewall", "time": 0.0 }, { "name": "checks_uac_status", "time": 0.0 }, { "name": "uac_bypass_cmstpcom", "time": 0.0 }, { "name": "uac_bypass_delegateexecute_sdclt", "time": 0.0 }, { "name": "uac_bypass_fodhelper", "time": 0.0 }, { "name": "cape_extracted_content", "time": 0.0 }, { "name": "carberp_mutex", "time": 0.0 }, { "name": "clears_logs", "time": 0.0 }, { "name": "cmdline_obfuscation", "time": 0.0 }, { "name": "cmdline_switches", "time": 0.0 }, { "name": "cmdline_terminate", "time": 0.0 }, { "name": "cmdline_forfiles_wildcard", "time": 0.0 }, { "name": "cmdline_http_link", "time": 0.0 }, { "name": "cmdline_long_string", "time": 0.0 }, { "name": "cmdline_reversed_http_link", "time": 0.0 }, { "name": "long_commandline", "time": 0.0 }, { "name": "powershell_renamed_commandline", "time": 0.0 }, { "name": "copies_self", "time": 0.0 }, { "name": "credwiz_credentialaccess", "time": 0.0 }, { "name": "enables_wdigest", "time": 0.0 }, { "name": "vaultcmd_credentialaccess", "time": 0.0 }, { "name": "file_credential_store_access", "time": 0.0 }, { "name": "file_credential_store_write", "time": 0.0 }, { "name": "kerberos_credential_access_via_rubeus", "time": 0.0 }, { "name": "registry_credential_dumping", "time": 0.0 }, { "name": "registry_lsa_secrets_access", "time": 0.0 }, { "name": "comsvcs_credentialdump", "time": 0.0 }, { "name": "cryptomining_stratum_command", "time": 0.0 }, { "name": "cypherit_mutexes", "time": 0.0 }, { "name": "darkcomet_regkeys", "time": 0.0 }, { "name": "datop_loader", "time": 0.0 }, { "name": "deepfreeze_mutex", "time": 0.0 }, { "name": "deletes_executed_files", "time": 0.0 }, { "name": "disables_app_launch", "time": 0.0 }, { "name": "disables_auto_app_termination", "time": 0.0 }, { "name": "disables_appv_virtualization", "time": 0.0 }, { "name": "disables_backups", "time": 0.001 }, { "name": "disables_browser_warn", "time": 0.001 }, { "name": "disables_context_menus", "time": 0.0 }, { "name": "disables_cpl_disable", "time": 0.0 }, { "name": "disables_crashdumps", "time": 0.0 }, { "name": "disables_event_logging", "time": 0.0 }, { "name": "disables_folder_options", "time": 0.0 }, { "name": "disables_notificationcenter", "time": 0.0 }, { "name": "disables_power_options", "time": 0.001 }, { "name": "disables_restore_default_state", "time": 0.0 }, { "name": "disables_run_command", "time": 0.0 }, { "name": "disables_smartscreen", "time": 0.0 }, { "name": "disables_startmenu_search", "time": 0.0 }, { "name": "disables_system_restore", "time": 0.0 }, { "name": "disables_uac", "time": 0.0 }, { "name": "disables_wer", "time": 0.0 }, { "name": "disables_windows_defender", "time": 0.0 }, { "name": "disables_windows_defender_logging", "time": 0.0 }, { "name": "removes_windows_defender_contextmenu", "time": 0.0 }, { "name": "removes_windows_defender_updates", "time": 0.0 }, { "name": "windows_defender_powershell", "time": 0.0 }, { "name": "disables_windows_file_protection", "time": 0.0 }, { "name": "disables_windowsupdate", "time": 0.0 }, { "name": "disables_winfirewall", "time": 0.0 }, { "name": "adfind_domain_enumeration", "time": 0.0 }, { "name": "domain_enumeration_commands", "time": 0.0 }, { "name": "andromut_mutexes", "time": 0.0 }, { "name": "downloader_cabby", "time": 0.0 }, { "name": "phorpiex_mutexes", "time": 0.0 }, { "name": "protonbot_mutexes", "time": 0.0 }, { "name": "driver_filtermanager", "time": 0.0 }, { "name": "dropper", "time": 0.0 }, { "name": "dll_archive_execution", "time": 0.0 }, { "name": "lnk_archive_execution", "time": 0.0 }, { "name": "script_archive_execution", "time": 0.0 }, { "name": "excel4_macro_urls", "time": 0.0 }, { "name": "escalate_privilege_via_ntlm_relay", "time": 0.0 }, { "name": "spooler_access", "time": 0.0 }, { "name": "spooler_svc_start", "time": 0.0 }, { "name": "mapped_drives_uac", "time": 0.0 }, { "name": "hides_recycle_bin_icon", "time": 0.0 }, { "name": "apocalypse_stealer_file_behavior", "time": 0.0 }, { "name": "arkei_files", "time": 0.0 }, { "name": "azorult_mutexes", "time": 0.0 }, { "name": "infostealer_bitcoin", "time": 0.002 }, { "name": "cryptbot_files", "time": 0.0 }, { "name": "echelon_files", "time": 0.001 }, { "name": "infostealer_ftp", "time": 0.004 }, { "name": "infostealer_im", "time": 0.002 }, { "name": "infostealer_mail", "time": 0.002 }, { "name": "masslogger_files", "time": 0.0 }, { "name": "poullight_files", "time": 0.001 }, { "name": "purplewave_mutexes", "time": 0.0 }, { "name": "quilclipper_mutexes", "time": 0.0 }, { "name": "qulab_files", "time": 0.0 }, { "name": "qulab_mutexes", "time": 0.0 }, { "name": "asyncrat_mutex", "time": 0.0 }, { "name": "Evade_Execution_Via_ASPNet_Compiler", "time": 0.0 }, { "name": "Evade_Execute_Via_DeviceCredentialDeployment", "time": 0.0 }, { "name": "Evade_Execution_Via_Filter_Manager_Control", "time": 0.0 }, { "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper", "time": 0.0 }, { "name": "execute_binary_via_appvlp", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_OpenSSH", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_PesterPSModule", "time": 0.0 }, { "name": "Execute_Binary_Via_ScriptRunner", "time": 0.0 }, { "name": "execute_binary_via_ttdinject", "time": 0.0 }, { "name": "Execute_Binary_Via_VisualStudioLiveShare", "time": 0.0 }, { "name": "Execute_Msiexec_Via_Explorer", "time": 0.0 }, { "name": "execute_remote_msi", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_runscripthelper", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_sqlps", "time": 0.0 }, { "name": "Indirect_Command_Execution_Via_ConsoleWindowHost", "time": 0.0 }, { "name": "Perform_Malicious_Activities_Via_Headless_Browser", "time": 0.0 }, { "name": "Register_DLL_Via_CertOC", "time": 0.0 }, { "name": "Register_DLL_Via_MSIEXEC", "time": 0.0 }, { "name": "Register_DLL_Via_Odbcconf", "time": 0.0 }, { "name": "Scriptlet_Proxy_Execution_Via_Pubprn", "time": 0.0 }, { "name": "ie_martian_children", "time": 0.0 }, { "name": "office_martian_children", "time": 0.0 }, { "name": "mimics_icon", "time": 0.0 }, { "name": "masquerade_process_name", "time": 0.001 }, { "name": "mimikatz_modules", "time": 0.0 }, { "name": "ms_office_cmd_rce", "time": 0.0 }, { "name": "mount_copy_to_webdav_share", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_legit_utilities", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_qemu", "time": 0.0 }, { "name": "suspicious_execution_via_dotnet_remoting", "time": 0.0 }, { "name": "dotnet_clr_usagelog_regkeys", "time": 0.0 }, { "name": "modify_hostfile", "time": 0.0 }, { "name": "modify_oem_information", "time": 0.0 }, { "name": "modify_security_center_warnings", "time": 0.0 }, { "name": "modify_uac_prompt", "time": 0.0 }, { "name": "network_dns_blockchain", "time": 0.0 }, { "name": "network_dns_opennic", "time": 0.001 }, { "name": "network_dns_paste_site", "time": 0.001 }, { "name": "network_dns_reverse_proxy", "time": 0.0 }, { "name": "network_dns_temp_file_storage", "time": 0.001 }, { "name": "network_dns_temp_urldns", "time": 0.0 }, { "name": "network_dns_url_shortener", "time": 0.0 }, { "name": "network_dns_doh_tls", "time": 0.0 }, { "name": "suspicious_tld", "time": 0.004 }, { "name": "network_tor_service", "time": 0.0 }, { "name": "office_code_page", "time": 0.0 }, { "name": "office_addinloading", "time": 0.0 }, { "name": "office_perfkey", "time": 0.0 }, { "name": "office_macro", "time": 0.0 }, { "name": "changes_trust_center_settings", "time": 0.0 }, { "name": "disables_vba_trust_access", "time": 0.0 }, { "name": "office_macro_autoexecution", "time": 0.0 }, { "name": "office_macro_ioc", "time": 0.0 }, { "name": "office_macro_malicious_prediction", "time": 0.0 }, { "name": "office_macro_suspicious", "time": 0.0 }, { "name": "rtf_aslr_bypass", "time": 0.0 }, { "name": "rtf_anomaly_characterset", "time": 0.0 }, { "name": "rtf_anomaly_version", "time": 0.0 }, { "name": "rtf_embedded_content", "time": 0.0 }, { "name": "rtf_embedded_office_file", "time": 0.0 }, { "name": "rtf_exploit_static", "time": 0.0 }, { "name": "office_security", "time": 0.0 }, { "name": "accesses_office_username", "time": 0.0 }, { "name": "office_anomalous_feature", "time": 0.0 }, { "name": "office_dde_command", "time": 0.0 }, { "name": "packer_armadillo_mutex", "time": 0.0 }, { "name": "packer_armadillo_regkey", "time": 0.0 }, { "name": "persistence_ads", "time": 0.0 }, { "name": "persistence_safeboot", "time": 0.0 }, { "name": "persistence_ifeo", "time": 0.0 }, { "name": "persistence_silent_process_exit", "time": 0.0 }, { "name": "persistence_rdp_registry", "time": 0.0 }, { "name": "persistence_rdp_shadowing", "time": 0.0 }, { "name": "persistence_service", "time": 0.0 }, { "name": "persistence_shim_database", "time": 0.0 }, { "name": "powerpool_mutexes", "time": 0.0 }, { "name": "powershell_scriptblock_logging", "time": 0.0 }, { "name": "powershell_command_suspicious", "time": 0.0 }, { "name": "powershell_history_save_mod", "time": 0.0 }, { "name": "powershell_renamed", "time": 0.0 }, { "name": "powershell_reversed", "time": 0.0 }, { "name": "powershell_variable_obfuscation", "time": 0.0 }, { "name": "prevents_safeboot", "time": 0.0 }, { "name": "cmdline_process_discovery", "time": 0.0 }, { "name": "cryptomix_mutexes", "time": 0.0 }, { "name": "dharma_mutexes", "time": 0.0 }, { "name": "ransomware_extensions", "time": 0.003 }, { "name": "ransomware_files", "time": 0.004 }, { "name": "fonix_mutexes", "time": 0.0 }, { "name": "gandcrab_mutexes", "time": 0.0 }, { "name": "germanwiper_mutexes", "time": 0.0 }, { "name": "medusalocker_mutexes", "time": 0.0 }, { "name": "medusalocker_regkeys", "time": 0.0 }, { "name": "nemty_mutexes", "time": 0.0 }, { "name": "nemty_regkeys", "time": 0.0 }, { "name": "pysa_mutexes", "time": 0.0 }, { "name": "ransomware_radamant", "time": 0.0 }, { "name": "ransomware_recyclebin", "time": 0.0 }, { "name": "revil_mutexes", "time": 0.001 }, { "name": "ransomware_revil_regkey", "time": 0.0 }, { "name": "satan_mutexes", "time": 0.0 }, { "name": "snake_ransom_mutexes", "time": 0.0 }, { "name": "stop_ransom_mutexes", "time": 0.0 }, { "name": "stop_ransomware_cmd", "time": 0.0 }, { "name": "ransomware_stopdjvu", "time": 0.0 }, { "name": "rat_beebus_mutexes", "time": 0.0 }, { "name": "blacknet_mutexes", "time": 0.0 }, { "name": "blackrat_mutexes", "time": 0.0 }, { "name": "crat_mutexes", "time": 0.0 }, { "name": "dcrat_files", "time": 0.0 }, { "name": "dcrat_mutexes", "time": 0.0 }, { "name": "rat_fynloski_mutexes", "time": 0.0 }, { "name": "limerat_mutexes", "time": 0.0 }, { "name": "limerat_regkeys", "time": 0.0 }, { "name": "lodarat_file_behavior", "time": 0.0 }, { "name": "modirat_behavior", "time": 0.0 }, { "name": "njrat_regkeys", "time": 0.0 }, { "name": "obliquerat_files", "time": 0.0 }, { "name": "obliquerat_mutexes", "time": 0.0 }, { "name": "parallax_mutexes", "time": 0.0 }, { "name": "rat_pcclient", "time": 0.0 }, { "name": "rat_plugx_mutexes", "time": 0.0 }, { "name": "rat_poisonivy_mutexes", "time": 0.0 }, { "name": "rat_quasar_mutexes", "time": 0.0 }, { "name": "ratsnif_mutexes", "time": 0.0 }, { "name": "rat_spynet", "time": 0.0 }, { "name": "venomrat_mutexes", "time": 0.0 }, { "name": "warzonerat_files", "time": 0.0 }, { "name": "warzonerat_regkeys", "time": 0.0 }, { "name": "xpertrat_files", "time": 0.0 }, { "name": "xpertrat_mutexes", "time": 0.0 }, { "name": "rat_xtreme_mutexes", "time": 0.0 }, { "name": "recon_fingerprint", "time": 0.001 }, { "name": "remcos_files", "time": 0.0 }, { "name": "remcos_mutexes", "time": 0.0 }, { "name": "remcos_regkeys", "time": 0.0 }, { "name": "rdptcp_key", "time": 0.0 }, { "name": "uses_rdp_clip", "time": 0.0 }, { "name": "uses_remote_desktop_session", "time": 0.0 }, { "name": "removes_networking_icon", "time": 0.0 }, { "name": "removes_pinned_programs", "time": 0.0 }, { "name": "removes_security_maintenance_icon", "time": 0.0 }, { "name": "removes_startmenu_defaults", "time": 0.0 }, { "name": "removes_username_startmenu", "time": 0.0 }, { "name": "spicyhotpot_behavior", "time": 0.0 }, { "name": "sniffer_winpcap", "time": 0.0 }, { "name": "spreading_autoruninf", "time": 0.0 }, { "name": "stealth_hidden_extension", "time": 0.0 }, { "name": "stealth_hiddenreg", "time": 0.0 }, { "name": "stealth_hide_notifications", "time": 0.0 }, { "name": "stealth_webhistory", "time": 0.0 }, { "name": "sysinternals_psexec", "time": 0.0 }, { "name": "sysinternals_tools", "time": 0.0 }, { "name": "language_check_registry", "time": 0.0 }, { "name": "tampers_etw", "time": 0.0 }, { "name": "lsa_tampering", "time": 0.0 }, { "name": "tampers_powershell_logging", "time": 0.0 }, { "name": "targeted_flame", "time": 0.0 }, { "name": "territorial_disputes_sigs", "time": 0.004 }, { "name": "trickbot_mutex", "time": 0.0 }, { "name": "fleercivet_mutex", "time": 0.0 }, { "name": "lokibot_mutexes", "time": 0.0 }, { "name": "ursnif_behavior", "time": 0.001 }, { "name": "uses_adfind", "time": 0.0 }, { "name": "uses_ms_protocol", "time": 0.0 }, { "name": "neshta_mutexes", "time": 0.0 }, { "name": "renamer_mutexes", "time": 0.0 }, { "name": "owa_web_shell_files", "time": 0.0 }, { "name": "web_shell_files", "time": 0.0 }, { "name": "web_shell_processes", "time": 0.0 }, { "name": "dotnet_csc_build", "time": 0.0 }, { "name": "mavinject_lolbin", "time": 0.0 }, { "name": "multiple_explorer_instances", "time": 0.0 }, { "name": "script_tool_executed", "time": 0.0 }, { "name": "suspicious_certutil_use", "time": 0.0 }, { "name": "suspicious_command_tools", "time": 0.001 }, { "name": "suspicious_mpcmdrun_use", "time": 0.0 }, { "name": "suspicious_ping_use", "time": 0.0 }, { "name": "uses_powershell_copyitem", "time": 0.0 }, { "name": "uses_windows_utilities", "time": 0.001 }, { "name": "uses_windows_utilities_appcmd", "time": 0.0 }, { "name": "uses_windows_utilities_csvde_ldifde", "time": 0.0 }, { "name": "uses_windows_utilities_cipher", "time": 0.0 }, { "name": "uses_windows_utilities_clickonce", "time": 0.0 }, { "name": "uses_windows_utilities_curl", "time": 0.0 }, { "name": "uses_windows_utilities_dsquery", "time": 0.0 }, { "name": "uses_windows_utilities_esentutl", "time": 0.0 }, { "name": "uses_windows_utilities_finger", "time": 0.0 }, { "name": "uses_windows_utilities_mode", "time": 0.0 }, { "name": "uses_windows_utilities_ntdsutil", "time": 0.0 }, { "name": "uses_windows_utilities_nltest", "time": 0.0 }, { "name": "uses_windows_utilities_xcopy", "time": 0.0 }, { "name": "wmic_command_suspicious", "time": 0.0 }, { "name": "scrcons_wmi_script_consumer", "time": 0.0 }, { "name": "allaple_mutexes", "time": 0.0 } ], "reporting": [ { "name": "BinGraph", "time": 0.0 } ] }, "info": { "version": "2.4-CAPE", "started": "2025-11-20 07:38:02", "ended": "2025-11-20 07:38:31", "duration": 29, "id": 17, "category": "file", "custom": "", "machine": { "id": 11, "status": "stopping", "name": "MalwareGuest", "label": "MalwareGuest", "platform": "windows", "manager": "Proxmox", "started_on": "2025-11-20 07:38:02", "shutdown_on": "2025-11-20 07:38:30" }, "package": "", "timeout": false, "tlp": null, "parent_sample": null, "options": {}, "source_url": null, "route": "internet", "user_id": 0, "CAPE_current_commit": "b8e0bcad685cdd750a8c54cd86745809ad1c320b" }, "behavior": { "processes": [ { "process_id": 1984, "process_name": "cmd.exe", "parent_id": 2620, "module_path": "C:\\Windows\\SysWOW64\\cmd.exe", "first_seen": "2025-11-20 04:38:10,453", "calls": [ { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x76fb65e6", "parentcaller": "0x76fb64f1", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 0 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "2100", "caller": "0x76fa1b7e", "parentcaller": "0x76f9db21", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000007c" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 3, "id": 1 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "2052", "caller": "0x759ef792", "parentcaller": "0x759ef6a8", "category": "device", "api": "NtDeviceIoControlFile", "status": false, "return": "0xffffffffc00700bb", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc8\\xf5\\xf0\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\xf5\\xf0\\x05\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 2 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "2052", "caller": "0x76fb65e6", "parentcaller": "0x76fb64f1", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 3 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "2100", "caller": "0x759ef792", "parentcaller": "0x759ef6a8", "category": "device", "api": "NtDeviceIoControlFile", "status": false, "return": "0xffffffffc00700bb", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x18\\xf4\\xe0\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff \\xf4\\xe0\\x05\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 4 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "2100", "caller": "0x76fb65e6", "parentcaller": "0x76fb64f1", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 5 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "2816", "caller": "0x759ef792", "parentcaller": "0x759ef6a8", "category": "device", "api": "NtDeviceIoControlFile", "status": false, "return": "0xffffffffc00700bb", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x000\\xf3\\xd0\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff8\\xf3\\xd0\\x05\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 6 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "2816", "caller": "0x76fb65e6", "parentcaller": "0x76fb64f1", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 7 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "3016", "caller": "0x759ef792", "parentcaller": "0x759ef6a8", "category": "device", "api": "NtDeviceIoControlFile", "status": false, "return": "0xffffffffc00700bb", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\xf2\\xc0\\x05\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xfe\\xff\\xff\\xff\\xf8\\xf2\\xc0\\x05\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 8 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "3016", "caller": "0x76fb65e6", "parentcaller": "0x76fb64f1", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 9 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x006209de", "parentcaller": "0x00626a0a", "category": "threading", "api": "NtOpenThread", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x00000238" }, { "name": "DesiredAccess", "value": "0x001fffff", "pretty_value": "THREAD_ALL_ACCESS" }, { "name": "ProcessId", "value": "1984" }, { "name": "ThreadId", "value": "18446744073663217663" } ], "repeated": 0, "id": 10 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x0061e2df", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x76520000" } ], "repeated": 0, "id": 11 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x0061e2ff", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x76520000" }, { "name": "FunctionName", "value": "SetThreadUILanguage" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76554d80" } ], "repeated": 0, "id": 12 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x0061e2c8", "parentcaller": "0x00626a0a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xe4\\xf9v\\x02\\xb0\\xfav\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xfav\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 13 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x00620a10", "parentcaller": "0x00626a0a", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 0, "id": 14 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x00620a10", "parentcaller": "0x00626a0a", "category": "process", "api": "NtQueryInformationToken", "status": true, "return": "0x00000000", "arguments": [ { "name": "TokenInformationClass", "value": "1" }, { "name": "TokenInformation", "value": "\\xd8\\xfbv\\x02\\x00\\x00\\x00\\x00\\x01\\x05\\x00\\x00\\x00\\x00\\x00\\x05\\x15\\x00\\x00\\x00;\\x04\\xd3\\xc5\\xa0\\xefs\\xc9-\\xbe\\xd7\\x7f\\xea\\x03\\x00\\x00\njb\\x008\\xfcv\\x02\\x96\\xa1\\x1cs\\xec\\x96;s\\x00\\x19Cs\\xfc\\x91\\xa7\\x04\\xc0&>s\\x88\\xfcv\\x02\\xd0\\xfdv\\x02\\xf8\\xfbv\\x02\\x18)\\xa9\\x02" } ], "repeated": 0, "id": 15 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x00620a10", "parentcaller": "0x00626a0a", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000234" }, { "name": "DesiredAccess", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\REGISTRY\\USER\\S-1-5-21-3318940731-3379818400-2144845357-1002" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER" } ], "repeated": 0, "id": 16 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x00620a10", "parentcaller": "0x00626a0a", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 0, "id": 17 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x00620a10", "parentcaller": "0x00626a0a", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000234" }, { "name": "ObjectAttributesName", "value": "Software\\Policies\\Microsoft\\Windows\\System" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System" } ], "repeated": 0, "id": 18 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x00621f20", "parentcaller": "0x00626a0a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00@\\x00\\x00\\x00(\\xfdv\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00(%a\\x000\\xfdv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 19 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x00618836", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xfcv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 20 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x0061884a", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x94\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xfcv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 21 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x0061e328", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xfcv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 22 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x0061e33f", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa8\\xfcv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 23 }, { "timestamp": "2025-11-20 04:38:10,640", "thread_id": "992", "caller": "0x0061e3d7", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xfcv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 24 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061e36e", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x94\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xa8\\xfcv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 25 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061e3a0", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x94\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa8\\xfcv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb0\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 26 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006182d9", "parentcaller": "0x0061886a", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 27 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006182d9", "parentcaller": "0x0061886a", "category": "registry", "api": "NtOpenKeyEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "DesiredAccess", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "ObjectAttributesHandle", "value": "0x00000120" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\Command Processor" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor" } ], "repeated": 0, "id": 28 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x00618319", "parentcaller": "0x0061886a", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "DisableUNCCheck" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck" } ], "repeated": 0, "id": 29 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x00618353", "parentcaller": "0x0061886a", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "EnableExtensions" }, { "name": "Type", "value": "4", "pretty_value": "REG_DWORD" }, { "name": "Information", "value": "1" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions" } ], "repeated": 0, "id": 30 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006183a3", "parentcaller": "0x0061886a", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "DelayedExpansion" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion" } ], "repeated": 0, "id": 31 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006183dd", "parentcaller": "0x0061886a", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "DefaultColor" }, { "name": "Type", "value": "4", "pretty_value": "REG_DWORD" }, { "name": "Information", "value": "0" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor" } ], "repeated": 0, "id": 32 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061842d", "parentcaller": "0x0061886a", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "CompletionChar" }, { "name": "Type", "value": "4", "pretty_value": "REG_DWORD" }, { "name": "Information", "value": "9" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar" } ], "repeated": 0, "id": 33 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061849e", "parentcaller": "0x0061886a", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "PathCompletionChar" }, { "name": "Type", "value": "4", "pretty_value": "REG_DWORD" }, { "name": "Information", "value": "9" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar" } ], "repeated": 0, "id": 34 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061852c", "parentcaller": "0x0061886a", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "AutoRun" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun" } ], "repeated": 0, "id": 35 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x00618540", "parentcaller": "0x0061886a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000228" } ], "repeated": 0, "id": 36 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006182d9", "parentcaller": "0x0061886a", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 37 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006182d9", "parentcaller": "0x0061886a", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x02000000", "pretty_value": "MAXIMUM_ALLOWED" }, { "name": "ObjectAttributesHandle", "value": "0x00000234" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\Command Processor" }, { "name": "ObjectAttributes", "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor" } ], "repeated": 0, "id": 38 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061855a", "parentcaller": "0x0061886a", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 39 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x00618561", "parentcaller": "0x0061886a", "category": "misc", "api": "srand", "status": true, "return": "0x00000000", "arguments": [ { "name": "seed", "value": "0x691e9b32" } ], "repeated": 0, "id": 40 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045f3000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 41 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ea0000" }, { "name": "RegionSize", "value": "0x00100000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 42 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ea0000" }, { "name": "RegionSize", "value": "0x00011000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 43 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06eb1000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 44 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061a9aa", "parentcaller": "0x00618901", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x02ab5000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 45 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061aa00", "parentcaller": "0x00618901", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x02ab6000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 46 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ec1000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 47 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x00618d99", "parentcaller": "0x006201ce", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Temp" } ], "repeated": 0, "id": 48 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0062029d", "parentcaller": "0x00618dc1", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x02aa6960", "arguments": [ { "name": "FileName", "value": "C:\\Temp" }, { "name": "FirstCreateTimeLow", "value": "0x0c174eca" }, { "name": "FirstCreateTimeHigh", "value": "0x01dc598a" } ], "repeated": 0, "id": 49 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006202b6", "parentcaller": "0x00618dc1", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000228" } ], "repeated": 0, "id": 50 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x00618de6", "parentcaller": "0x006201ce", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Temp" } ], "repeated": 0, "id": 51 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x0061dcee", "parentcaller": "0x00618922", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x02ab7000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 52 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x006189b1", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x14{\\xfdv\\xb8\\xfcv\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\xc9\\x8ea\\x00\\xc0\\xfcv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 53 }, { "timestamp": "2025-11-20 04:38:10,656", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "process", "api": "NtQueryInformationToken", "status": true, "return": "0x00000000", "arguments": [ { "name": "TokenInformationClass", "value": "10" }, { "name": "TokenInformation", "value": "\\x12\\x0b\\x05\\x00\\x00\\x00\\x00\\x00\\xc2o\\x01\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x7f\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x10\\x00\\x00\\x94\\x0f\\x00\\x00\\x0e\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x99\\x94\\x04\\x00\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 54 }, { "timestamp": "2025-11-20 04:38:10,671", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "__notification__", "api": "sysenter", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadIdentifier", "value": "992" }, { "name": "Module", "value": "KERNELBASE.dll" }, { "name": "Return Address", "value": "0x75a163ac" } ], "repeated": 0, "id": 55 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale" } ], "repeated": 0, "id": 56 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "ru-RU" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU" } ], "repeated": 0, "id": 57 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000228" } ], "repeated": 0, "id": 58 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale" } ], "repeated": 0, "id": 59 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "ru-RU" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU" } ], "repeated": 0, "id": 60 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000228" } ], "repeated": 0, "id": 61 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618797", "parentcaller": "0x006189c7", "category": "system", "api": "GetUserDefaultLCID", "status": true, "return": "0x00000419", "arguments": [ { "name": "SystemDefaultLangID", "value": "0x00000419" }, { "name": "LanguageName", "value": "Russian" } ], "repeated": 1, "id": 62 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618776", "parentcaller": "0x006189c7", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06eb1000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 63 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618776", "parentcaller": "0x006189c7", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06eb1000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 64 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618776", "parentcaller": "0x006189c7", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "DesiredAccess", "value": "0x00000009", "pretty_value": "KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager" } ], "repeated": 0, "id": 65 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618776", "parentcaller": "0x006189c7", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000228" }, { "name": "ValueName", "value": "ResourcePolicies" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies" } ], "repeated": 0, "id": 66 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618776", "parentcaller": "0x006189c7", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000228" } ], "repeated": 0, "id": 67 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618776", "parentcaller": "0x006189c7", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x028d0000" }, { "name": "RegionSize", "value": "0x0000e000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 68 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618776", "parentcaller": "0x006189c7", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x028d0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 69 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x006189ef", "parentcaller": "0x00620a55", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\xfcv\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x95oDuH\\xfcv\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00\\xe7\\x00\\x00\\x00\\xa8X\\xab\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 70 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618ac6", "parentcaller": "0x00620a55", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x76520000" } ], "repeated": 0, "id": 71 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618ad7", "parentcaller": "0x00620a55", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x76520000" }, { "name": "FunctionName", "value": "CopyFileExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76539730" } ], "repeated": 0, "id": 72 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618aed", "parentcaller": "0x00620a55", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x76520000" }, { "name": "FunctionName", "value": "IsDebuggerPresent" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76542370" } ], "repeated": 0, "id": 73 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618afe", "parentcaller": "0x00620a55", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x76520000" }, { "name": "FunctionName", "value": "SetConsoleInputExeNameW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x75a9d6b0" } ], "repeated": 0, "id": 74 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618b1e", "parentcaller": "0x00620a55", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06eb3000" }, { "name": "RegionSize", "value": "0x0001d000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 75 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618b1e", "parentcaller": "0x00620a55", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045f3000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 76 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0061e4f6", "parentcaller": "0x00620b09", "category": "system", "api": "FindFixAndRun", "status": true, "return": "0x00000000", "arguments": [ { "name": "Command", "value": "start" }, { "name": "Arguments", "value": " /wait \"\" \"C:\\Temp\\eicar.com\"" } ], "repeated": 0, "id": 77 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0061adbc", "parentcaller": "0x0061e4f6", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x10\\x00\\x00\\x00p\\x02\\x01\\x01\\xd8\\xf7v\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\xe0\\xf7v\\x02\\x00\\x00\\x00\\x00\\x08\\x02\\x00\\x00p\\x00\\x00\\x00\\xb8\\xfav\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 78 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06eb3000" }, { "name": "RegionSize", "value": "0x0001d000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 79 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ed1000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 80 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045f3000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 81 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045f8000" }, { "name": "RegionSize", "value": "0x00007000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 82 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ee1000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 83 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ee6000" }, { "name": "RegionSize", "value": "0x00005000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 84 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0062744a", "parentcaller": "0x00626e48", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06eeb000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 85 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x0061dcee", "parentcaller": "0x00625d88", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x02abc000" }, { "name": "RegionSize", "value": "0x00020000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 86 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00621d40", "parentcaller": "0x0061f680", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x01\\x00\\x00\\x00" } ], "repeated": 0, "id": 87 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00621d4a", "parentcaller": "0x0061f680", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x00\\x00\\x00" } ], "repeated": 0, "id": 88 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00621d67", "parentcaller": "0x0061f680", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "12" }, { "name": "ProcessInformation", "value": "\\x00\\x80\\x00\\x00" } ], "repeated": 0, "id": 89 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x006258c1", "parentcaller": "0x00619c30", "category": "filesystem", "api": "FindFirstFileExW", "status": true, "return": "0x02aa6de0", "arguments": [ { "name": "FileName", "value": "C:\\Temp\\eicar.com" }, { "name": "FirstCreateTimeLow", "value": "0x77fc892a" }, { "name": "FirstCreateTimeHigh", "value": "0x01dc59a8" } ], "repeated": 0, "id": 90 }, { "timestamp": "2025-11-20 04:38:10,687", "thread_id": "992", "caller": "0x00618b81", "parentcaller": "0x0061f9d3", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000228" } ], "repeated": 0, "id": 91 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "process", "api": "NtCreateUserProcess", "status": false, "return": "0xffffffffc000012f", "arguments": [ { "name": "ProcessHandle", "value": "0x00000000" }, { "name": "ThreadHandle", "value": "0x00000000" }, { "name": "ProcessDesiredAccess", "value": "0x02000000" }, { "name": "ThreadDesiredAccess", "value": "0x02000000" }, { "name": "ProcessFileName", "value": "" }, { "name": "ThreadName", "value": "" }, { "name": "ImagePathName", "value": "C:\\Temp\\eicar.com" }, { "name": "CommandLine", "value": "\"C:\\Temp\\eicar.com\" " }, { "name": "DllPath", "value": "" }, { "name": "ProcessId", "value": "0" } ], "repeated": 0, "id": 92 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "ntdll.dll" }, { "name": "BaseAddress", "value": "0x76f50000" } ], "repeated": 0, "id": 93 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\VERSION" }, { "name": "DllBase", "value": "0x741f0000" } ], "repeated": 0, "id": 94 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\NtVdm64" }, { "name": "DllBase", "value": "0x73540000" } ], "repeated": 0, "id": 95 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "NtVdm64.Dll" }, { "name": "BaseAddress", "value": "0x73540000" } ], "repeated": 0, "id": 96 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "unload" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\NtVdm64" }, { "name": "DllBase", "value": "0x73540000" } ], "repeated": 0, "id": 97 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "unload" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\VERSION" }, { "name": "DllBase", "value": "0x741f0000" } ], "repeated": 0, "id": 98 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "advapi32.dll" }, { "name": "BaseAddress", "value": "0x75b10000" } ], "repeated": 0, "id": 99 }, { "timestamp": "2025-11-20 04:38:10,703", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "system", "api": "NtQuerySystemTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 100 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00625f10", "parentcaller": "0x00625a80", "category": "process", "api": "CreateProcessW", "status": false, "return": "0x00000000", "arguments": [ { "name": "ApplicationName", "value": "C:\\Temp\\eicar.com" }, { "name": "CommandLine", "value": "\"C:\\Temp\\eicar.com\" " }, { "name": "CreationFlags", "value": "0x00080410" }, { "name": "ProcessId", "value": "0" }, { "name": "ThreadId", "value": "0" }, { "name": "ParentHandle", "value": "0xffffffff" }, { "name": "ProcessHandle", "value": "0x00000000" }, { "name": "ThreadHandle", "value": "0x00000000" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 101 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00619a67", "parentcaller": "0x0061793a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x9c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd8\\xf1v\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe0\\xf1v\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 102 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617957", "parentcaller": "0x00617908", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x9c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00d\\x00\\x00\\x00\\x00\\x00\\x00\\x010\\xf1v\\x02\\x00\\x00\\x00\\x00\\\\x00\\x00\\x00\\x98\\xf1v\\x028\\xf1v\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 103 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x02a30000" }, { "name": "RegionSize", "value": "0x00023000" } ], "repeated": 0, "id": 104 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000118" } ], "repeated": 0, "id": 105 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" } ], "repeated": 0, "id": 106 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "filesystem", "api": "NtOpenFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\SysWOW64\\ru-RU\\cmd.exe.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 107 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000248" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\sysnative\\ru-RU\\cmd.exe.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 108 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000024c" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000248" }, { "name": "FileName", "value": "C:\\Windows\\sysnative\\ru-RU\\cmd.exe.mui" } ], "repeated": 0, "id": 109 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000024c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x02a30000" }, { "name": "SectionOffset", "value": "0x0276e2d0" }, { "name": "ViewSize", "value": "0x00023000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 110 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000024c" } ], "repeated": 0, "id": 111 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" } ], "repeated": 0, "id": 112 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "filesystem", "api": "NtOpenFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\KERNELBASE.dll.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 113 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x0000024c" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\sysnative\\ru-RU\\KERNELBASE.dll.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 114 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000250" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x0000024c" }, { "name": "FileName", "value": "C:\\Windows\\sysnative\\ru-RU\\KernelBase.dll.mui" } ], "repeated": 0, "id": 115 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000250" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06fa0000" }, { "name": "SectionOffset", "value": "0x0276e2d0" }, { "name": "ViewSize", "value": "0x0014c000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 116 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x00617eda", "parentcaller": "0x0061797e", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000250" } ], "repeated": 0, "id": 117 }, { "timestamp": "2025-11-20 04:38:10,718", "thread_id": "992", "caller": "0x006179c4", "parentcaller": "0x00617908", "category": "system", "api": "WriteConsoleW", "status": true, "return": "0x00000001", "arguments": [ { "name": "ConsoleHandle", "value": "0x0000009c" }, { "name": "Buffer", "value": "\\x42d\\x442\\x430 \\x432\\x435\\x440\\x441\\x438\\x44f \"C:\\Temp\\eicar.com\" \\x43d\\x435 \\x441\\x43e\\x432\\x43c\\x435\\x441\\x442\\x438\\x43c\\x430 \\x441 \\x432\\x435\\x440\\x441\\x438\\x435\\x439 Windows, \\x440\\x430\\x431\\x43e\\x442\\x430\\x44e\\x449\\x435\\x439 \\x43d\\x430 \\x44d\\x442\\x43e\\x43c \\x43a\\x43e\\x43c\\x43f\\x44c\\x44e\\x442\\x435\\x440\\x435. \\x41f\\x440\\x43e\\x432\\x435\\x440\\x44c\\x442\\x435 \\x441\\x432\\x435\\x434\\x435\\x43d\\x438\\x44f \\x43e \\x441\\x438\\x441\\x442\\x435\\x43c\\x435, \\x430 \\x437\\x430\\x442\\x435\\x43c \\x43e\\x431\\x440\\x430\\x442\\x438\\x442\\x435\\x441\\x44c \\x43a \\x438\\x437\\x434\\x430\\x442\\x435\\x43b\\x44e \\x43f\\x440\\x43e\\x433\\x440" } ], "repeated": 0, "id": 118 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x006179c4", "parentcaller": "0x00617908", "category": "system", "api": "WriteConsoleW", "status": true, "return": "0x00000001", "arguments": [ { "name": "ConsoleHandle", "value": "0x0000009c" }, { "name": "Buffer", "value": "\\x430\\x43c\\x43c\\x43d\\x43e\\x433\\x43e \\x43e\\x431\\x435\\x441\\x43f\\x435\\x447\\x435\\x43d\\x438\\x44f.\r\n" } ], "repeated": 0, "id": 119 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625fbc", "parentcaller": "0x00625a80", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06edf000" }, { "name": "RegionSize", "value": "0x0001b000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 120 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625fbc", "parentcaller": "0x00625a80", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045fc000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 121 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625fcc", "parentcaller": "0x00625a80", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045fc000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 122 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625fd8", "parentcaller": "0x00625a80", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06edf000" }, { "name": "RegionSize", "value": "0x0001b000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 123 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625fd8", "parentcaller": "0x00625a80", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06edb000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 124 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625fd8", "parentcaller": "0x00625a80", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045f8000" }, { "name": "RegionSize", "value": "0x00006000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 125 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625fe4", "parentcaller": "0x00625a80", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06edb000" }, { "name": "RegionSize", "value": "0x0001f000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 126 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00625ff4", "parentcaller": "0x00625a80", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ed3000" }, { "name": "RegionSize", "value": "0x00027000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 127 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00626004", "parentcaller": "0x00625a80", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x045f3000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 128 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00626020", "parentcaller": "0x00625a80", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x06ed3000" }, { "name": "RegionSize", "value": "0x00027000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 129 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x0061e328", "parentcaller": "0x00626a0a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \\xfdv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xdc-\\xfcv(\\xfdv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 130 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x0061e33f", "parentcaller": "0x00626a0a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x98\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\xfdv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xfdv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 131 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x0061e36e", "parentcaller": "0x00626a0a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x94\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x01\\x00\\x00\\x00 \\xfdv\\x02\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xfdv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 132 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00620aa9", "parentcaller": "0x00626a0a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\\x00(\\xfdv\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\njb\\x000\\xfdv\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 133 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x0061e2c8", "parentcaller": "0x00626a0a", "category": "device", "api": "NtDeviceIoControlFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000088" }, { "name": "HandleName", "value": "\\Device\\ConDrv" }, { "name": "IoControlCode", "value": "0x00500016" }, { "name": "InputBuffer", "value": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\xe4\\xf9v\\x02\\xb0\\xfav\\x02\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xb8\\xfav\\x02\\x00\\x00\\x00\\x00" }, { "name": "OutputBuffer", "value": "" } ], "repeated": 0, "id": 134 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetDllHandle", "status": false, "return": "0xffffffffc0000135", "pretty_return": "DLL_NOT_FOUND", "arguments": [ { "name": "FileName", "value": "mscoree.dll" }, { "name": "ModuleHandle", "value": "0x045f1a58" } ], "repeated": 0, "id": 135 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "process", "api": "NtTerminateProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0x00000000" }, { "name": "ExitCode", "value": "0x00000001" } ], "repeated": 0, "id": 136 }, { "timestamp": "2025-11-20 04:38:10,734", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "GetSystemTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 137 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001e0" } ], "repeated": 0, "id": 138 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001ec" } ], "repeated": 0, "id": 139 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001e8" } ], "repeated": 0, "id": 140 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001d8" } ], "repeated": 0, "id": 141 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001b8" } ], "repeated": 0, "id": 142 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001bc" } ], "repeated": 0, "id": 143 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001b4" } ], "repeated": 0, "id": 144 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000019c" } ], "repeated": 0, "id": 145 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001a0" } ], "repeated": 0, "id": 146 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001a4" } ], "repeated": 0, "id": 147 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001a8" } ], "repeated": 0, "id": 148 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001ac" } ], "repeated": 0, "id": 149 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001b0" } ], "repeated": 0, "id": 150 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75242000" }, { "name": "ModuleName", "value": "ole32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 151 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x75242000" }, { "name": "ModuleName", "value": "ole32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 152 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000194" } ], "repeated": 0, "id": 153 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000198" } ], "repeated": 0, "id": 154 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000190" } ], "repeated": 0, "id": 155 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f50000" } ], "repeated": 0, "id": 156 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f50000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76faf560" } ], "repeated": 0, "id": 157 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000174" } ], "repeated": 0, "id": 158 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000178" } ], "repeated": 0, "id": 159 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000017c" } ], "repeated": 0, "id": 160 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000180" } ], "repeated": 0, "id": 161 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000184" } ], "repeated": 0, "id": 162 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000018c" } ], "repeated": 0, "id": 163 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000188" } ], "repeated": 0, "id": 164 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000154" } ], "repeated": 0, "id": 165 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000158" } ], "repeated": 0, "id": 166 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000150" } ], "repeated": 0, "id": 167 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000014c" } ], "repeated": 0, "id": 168 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000144" } ], "repeated": 0, "id": 169 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000148" } ], "repeated": 0, "id": 170 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000140" } ], "repeated": 0, "id": 171 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000013c" } ], "repeated": 0, "id": 172 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000138" } ], "repeated": 0, "id": 173 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f50000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76faf560" } ], "repeated": 0, "id": 174 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000124" } ], "repeated": 0, "id": 175 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000128" } ], "repeated": 0, "id": 176 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000f8" } ], "repeated": 0, "id": 177 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000f4" } ], "repeated": 0, "id": 178 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000fc" } ], "repeated": 0, "id": 179 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x000000fc" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" } ], "repeated": 0, "id": 180 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x000000fc" }, { "name": "ValueName", "value": "DisableMetaFiles" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles" } ], "repeated": 0, "id": 181 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000fc" } ], "repeated": 0, "id": 182 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x000000fc" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize" } ], "repeated": 0, "id": 183 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x000000fc" }, { "name": "ValueName", "value": "DisableUmpdBufferSizeCheck" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck" } ], "repeated": 0, "id": 184 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000fc" } ], "repeated": 0, "id": 185 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f50000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76faf560" } ], "repeated": 0, "id": 186 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000e8" } ], "repeated": 0, "id": 187 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000dc" } ], "repeated": 0, "id": 188 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000d8" } ], "repeated": 0, "id": 189 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f50000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76faf560" } ], "repeated": 0, "id": 190 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001f8" } ], "repeated": 0, "id": 191 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000bc" } ], "repeated": 0, "id": 192 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f50000" } ], "repeated": 0, "id": 193 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x76f50000" }, { "name": "FunctionName", "value": "RtlDllShutdownInProgress" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x76faf560" } ], "repeated": 0, "id": 194 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000a0" } ], "repeated": 0, "id": 195 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000b0" } ], "repeated": 0, "id": 196 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000000b4" } ], "repeated": 0, "id": 197 }, { "timestamp": "2025-11-20 04:38:10,765", "thread_id": "992", "caller": "0x00620ae0", "parentcaller": "0x00626a0a", "category": "process", "api": "NtTerminateProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "ExitCode", "value": "0x00000001" } ], "repeated": 0, "id": 198 } ], "threads": [ "992", "2100", "2052", "2816", "3016" ], "environ": { "UserName": "Admin", "ComputerName": "HOME-PC", "WindowsPath": "C:\\Windows", "TempPath": "C:\\Temp\\", "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Temp\\eicar.com\"", "RegisteredOwner": "", "RegisteredOrganization": "", "ProductName": "", "SystemVolumeSerialNumber": "a0c0-2cc3", "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000", "MachineGUID": "", "MainExeBase": "0x00610000", "MainExeSize": "0x0005a000", "Bitness": "32-bit" }, "file_activities": { "read_files": [], "write_files": [], "delete_files": [] } } ], "anomaly": [], "processtree": [ { "name": "cmd.exe", "pid": 1984, "parent_id": 2620, "module_path": "C:\\Windows\\SysWOW64\\cmd.exe", "children": [], "threads": [ "992", "2100", "2052", "2816", "3016" ], "environ": { "UserName": "Admin", "ComputerName": "HOME-PC", "WindowsPath": "C:\\Windows", "TempPath": "C:\\Temp\\", "CommandLine": "\"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Temp\\eicar.com\"", "RegisteredOwner": "", "RegisteredOrganization": "", "ProductName": "", "SystemVolumeSerialNumber": "a0c0-2cc3", "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000", "MachineGUID": "", "MainExeBase": "0x00610000", "MainExeSize": "0x0005a000", "Bitness": "32-bit" } } ], "summary": { "files": [ "C:\\Temp", "C:\\Temp\\eicar.com", "C:\\Windows\\SysWOW64\\ru-RU\\cmd.exe.mui", "C:\\Windows\\sysnative\\ru-RU\\cmd.exe.mui", "C:\\Windows\\System32\\ru-RU\\KERNELBASE.dll.mui", "C:\\Windows\\sysnative\\ru-RU\\KERNELBASE.dll.mui" ], "read_files": [], "write_files": [], "delete_files": [], "keys": [ "HKEY_CURRENT_USER", "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\CustomLocale", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Nls\\ExtendedLocale", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck" ], "read_keys": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck" ], "write_keys": [], "delete_keys": [], "executed_commands": [ "\"C:\\Temp\\eicar.com\"" ], "resolved_apis": [], "mutexes": [], "created_services": [], "started_services": [] }, "enhanced": [ { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,640", "eid": 1, "data": { "file": "KERNEL32.DLL", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,656", "eid": 2, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DisableUNCCheck", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,656", "eid": 3, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\EnableExtensions", "content": "1" } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,656", "eid": 4, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DelayedExpansion", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,656", "eid": 5, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\DefaultColor", "content": "0" } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,656", "eid": 6, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\CompletionChar", "content": "9" } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,656", "eid": 7, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\PathCompletionChar", "content": "9" } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,656", "eid": 8, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Command Processor\\AutoRun", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,687", "eid": 9, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,687", "eid": 10, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,687", "eid": 11, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ResourcePolicies", "content": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,687", "eid": 12, "data": { "file": "KERNEL32.DLL", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,703", "eid": 13, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": "0x76f50000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,703", "eid": 14, "data": { "file": "NtVdm64.Dll", "pathtofile": null, "moduleaddress": "0x73540000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,703", "eid": 15, "data": { "file": "advapi32.dll", "pathtofile": null, "moduleaddress": "0x75b10000" } }, { "event": "execute", "object": "file", "timestamp": "2025-11-20 04:38:10,718", "eid": 16, "data": { "file": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,734", "eid": 17, "data": { "file": "mscoree.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,765", "eid": 18, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,765", "eid": 19, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-20 04:38:10,765", "eid": 20, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableUmpdBufferSizeCheck", "content": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-20 04:38:10,765", "eid": 21, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } } ], "encryptedbuffers": [] }, "debug": { "log": "2025-11-20 02:01:42,109 [root] INFO: Date set to: 20251120T07:38:01, timeout set to: 200\n2025-11-20 07:38:01,017 [root] DEBUG: Starting analyzer from: C:\\g4ngb5il\n2025-11-20 07:38:01,018 [root] DEBUG: Storing results at: C:\\KeQEql\n2025-11-20 07:38:01,018 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\QkdMLo\n2025-11-20 07:38:01,019 [root] DEBUG: Python path: C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32\n2025-11-20 07:38:01,019 [root] INFO: analysis running as an admin\n2025-11-20 07:38:01,020 [root] DEBUG: no analysis package configured, picking one for you\n2025-11-20 07:38:01,021 [root] INFO: analysis package selected: \"generic\"\n2025-11-20 07:38:01,021 [root] DEBUG: importing analysis package module: \"modules.packages.generic\"...\n2025-11-20 07:38:01,060 [root] DEBUG: imported analysis package \"generic\"\n2025-11-20 07:38:01,060 [root] DEBUG: initializing analysis package \"generic\"...\n2025-11-20 07:38:01,060 [lib.common.common] INFO: wrapping\n2025-11-20 07:38:01,061 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-20 07:38:01,061 [root] DEBUG: New location of moved file: C:\\Temp\\eicar.com\n2025-11-20 07:38:01,061 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL option\n2025-11-20 07:38:01,061 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL_64 option\n2025-11-20 07:38:01,062 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader option\n2025-11-20 07:38:01,062 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader_64 option\n2025-11-20 07:38:01,107 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2025-11-20 07:38:01,168 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2025-11-20 07:38:01,193 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2025-11-20 07:38:01,219 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2025-11-20 07:38:01,229 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2025-11-20 07:38:01,297 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2025-11-20 07:38:01,357 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2025-11-20 07:38:01,643 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2025-11-20 07:38:01,644 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2025-11-20 07:38:01,648 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2025-11-20 07:38:01,649 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2025-11-20 07:38:01,649 [root] DEBUG: attempting to configure 'Browser' from data\n2025-11-20 07:38:01,651 [root] DEBUG: module Browser does not support data configuration, ignoring\n2025-11-20 07:38:01,651 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2025-11-20 07:38:01,652 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2025-11-20 07:38:01,652 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2025-11-20 07:38:01,653 [root] DEBUG: attempting to configure 'DigiSig' from data\n2025-11-20 07:38:01,653 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2025-11-20 07:38:01,653 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2025-11-20 07:38:01,653 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2025-11-20 07:38:02,585 [modules.auxiliary.digisig] DEBUG: File format not recognized\n2025-11-20 07:38:02,585 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2025-11-20 07:38:02,587 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2025-11-20 07:38:02,587 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2025-11-20 07:38:02,587 [root] DEBUG: attempting to configure 'Disguise' from data\n2025-11-20 07:38:02,588 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2025-11-20 07:38:02,588 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2025-11-20 07:38:02,589 [modules.auxiliary.disguise] INFO: Disguising GUID to 9c410b02-8e97-47d5-b0f6-efc962d118f5\n2025-11-20 07:38:02,589 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2025-11-20 07:38:02,590 [root] DEBUG: Initialized auxiliary module \"Human\"\n2025-11-20 07:38:02,590 [root] DEBUG: attempting to configure 'Human' from data\n2025-11-20 07:38:02,590 [root] DEBUG: module Human does not support data configuration, ignoring\n2025-11-20 07:38:02,590 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2025-11-20 07:38:02,591 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2025-11-20 07:38:02,592 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2025-11-20 07:38:02,592 [root] DEBUG: attempting to configure 'Screenshots' from data\n2025-11-20 07:38:02,593 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2025-11-20 07:38:02,593 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2025-11-20 07:38:02,594 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2025-11-20 07:38:02,594 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2025-11-20 07:38:02,595 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2025-11-20 07:38:02,595 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2025-11-20 07:38:02,595 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2025-11-20 07:38:02,598 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608\n2025-11-20 07:38:02,767 [lib.api.process] INFO: Monitor config for : C:\\g4ngb5il\\dll\\608.ini\n2025-11-20 07:38:02,769 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2025-11-20 07:38:02,777 [lib.api.process] INFO: 64-bit DLL to inject is C:\\g4ngb5il\\dll\\CEqvWzbT.dll, loader C:\\g4ngb5il\\bin\\VUAoKDbg.exe\n2025-11-20 07:38:02,796 [root] DEBUG: Loader: Injecting process 608 with C:\\g4ngb5il\\dll\\CEqvWzbT.dll.\n2025-11-20 07:38:02,814 [root] DEBUG: 608: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 07:38:02,815 [root] DEBUG: 608: Disabling sleep skipping.\n2025-11-20 07:38:02,816 [root] DEBUG: 608: TLS secret dump mode enabled.\n2025-11-20 07:38:02,851 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-20 07:38:02,853 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEB9770000, thread 1616, image base 0x00007FF60EE30000, stack from 0x000000A5F4C72000-0x000000A5F4C80000\n2025-11-20 07:38:02,853 [root] DEBUG: 608: Commandline: C:\\Windows\\system32\\lsass.exe\n2025-11-20 07:38:02,866 [root] DEBUG: 608: Hooked 5 out of 5 functions\n2025-11-20 07:38:02,868 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-20 07:38:02,869 [root] DEBUG: Successfully injected DLL C:\\g4ngb5il\\dll\\CEqvWzbT.dll.\n2025-11-20 07:38:02,873 [lib.api.process] INFO: Injected into 64-bit \n2025-11-20 07:38:02,873 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2025-11-20 07:38:06,063 [root] INFO: Restarting WMI Service\n2025-11-20 07:38:08,208 [root] DEBUG: package modules.packages.generic does not support configure, ignoring\n2025-11-20 07:38:08,209 [root] WARNING: configuration error for package modules.packages.generic: error importing data.packages.generic: No module named 'data.packages'\n2025-11-20 07:38:08,210 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-20 07:38:08,212 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\system32\\cmd.exe\" with arguments \"/c start /wait \"\" \"C:\\Temp\\eicar.com\"\" with pid 1984\n2025-11-20 07:38:08,212 [lib.api.process] INFO: Monitor config for : C:\\g4ngb5il\\dll\\1984.ini\n2025-11-20 07:38:08,216 [lib.api.process] INFO: 32-bit DLL to inject is C:\\g4ngb5il\\dll\\SEXkwiMD.dll, loader C:\\g4ngb5il\\bin\\guTaJgS.exe\n2025-11-20 07:38:08,265 [root] DEBUG: Loader: Injecting process 1984 (thread 992) with C:\\g4ngb5il\\dll\\SEXkwiMD.dll.\n2025-11-20 07:38:08,268 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-20 07:38:08,269 [root] DEBUG: Successfully injected DLL C:\\g4ngb5il\\dll\\SEXkwiMD.dll.\n2025-11-20 07:38:08,272 [lib.api.process] INFO: Injected into 32-bit \n2025-11-20 07:38:10,283 [lib.api.process] INFO: Successfully resumed \n2025-11-20 07:38:10,459 [root] DEBUG: 1984: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-20 07:38:10,461 [root] DEBUG: 1984: Disabling sleep skipping.\n2025-11-20 07:38:10,462 [root] DEBUG: 1984: Dropped file limit defaulting to 100.\n2025-11-20 07:38:10,485 [root] DEBUG: 1984: YaraInit: Compiled 43 rule files\n2025-11-20 07:38:10,489 [root] DEBUG: 1984: YaraInit: Compiled rules saved to file C:\\g4ngb5il\\data\\yara\\capemon.yac\n2025-11-20 07:38:10,491 [root] DEBUG: 1984: YaraScan: Scanning 0x00610000, size 0x595ee\n2025-11-20 07:38:10,496 [root] DEBUG: 1984: YaraScan hit: FindFixAndRun\n2025-11-20 07:38:10,497 [root] DEBUG: 1984: Monitor initialised: 32-bit capemon loaded in process 1984 at 0x731a0000, thread 992, image base 0x610000, stack from 0x2673000-0x2770000\n2025-11-20 07:38:10,498 [root] DEBUG: 1984: Commandline: \"C:\\Windows\\system32\\cmd.exe\" /c start /wait \"\" \"C:\\Temp\\eicar.com\"\n2025-11-20 07:38:10,558 [root] DEBUG: 1984: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress\n2025-11-20 07:38:10,605 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2025-11-20 07:38:10,606 [root] DEBUG: 1984: set_hooks: Unable to hook GetCommandLineA\n2025-11-20 07:38:10,607 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2025-11-20 07:38:10,608 [root] DEBUG: 1984: set_hooks: Unable to hook GetCommandLineW\n2025-11-20 07:38:10,623 [root] DEBUG: 1984: Hooked 625 out of 627 functions\n2025-11-20 07:38:10,628 [root] DEBUG: 1984: set_hooks_exe: Hooked FindFixAndRun at 0x0061AD60\n2025-11-20 07:38:10,632 [root] DEBUG: 1984: Syscall hook installed, syscall logging level 1\n2025-11-20 07:38:10,641 [root] DEBUG: 1984: RestoreHeaders: Restored original import table.\n2025-11-20 07:38:10,642 [root] INFO: Loaded monitor into process with pid 1984\n2025-11-20 07:38:10,644 [root] DEBUG: 1984: caller_dispatch: Added region at 0x00610000 to tracked regions list (ntdll::memcpy returns to 0x006268FA, thread 992).\n2025-11-20 07:38:10,645 [root] DEBUG: 1984: YaraScan: Scanning 0x00610000, size 0x595ee\n2025-11-20 07:38:10,650 [root] DEBUG: 1984: ProcessImageBase: Main module image at 0x00610000 unmodified (entropy change 0.000000e+00)\n2025-11-20 07:38:10,698 [root] DEBUG: 1984: InstrumentationCallback: Added region at 0x75A163AC (base 0x758D0000) to tracked regions list (thread 992).\n2025-11-20 07:38:10,699 [root] DEBUG: 1984: ProcessTrackedRegion: Region at 0x758D0000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2025-11-20 07:38:10,715 [root] DEBUG: 1984: DLL loaded at 0x741F0000: C:\\Windows\\SYSTEM32\\VERSION (0x8000 bytes).\n2025-11-20 07:38:10,716 [root] DEBUG: 1984: DLL loaded at 0x73540000: C:\\Windows\\SYSTEM32\\NtVdm64 (0x9000 bytes).\n2025-11-20 07:38:10,739 [root] DEBUG: 1984: NtTerminateProcess hook: Attempting to dump process 1984\n2025-11-20 07:38:10,741 [root] DEBUG: 1984: VerifyCodeSection: Executable code does not match, 0x9d62 of 0x2bfcb matching\n2025-11-20 07:38:10,742 [root] DEBUG: 1984: DoProcessDump: Code modification detected, dumping Imagebase at 0x00610000.\n2025-11-20 07:38:10,743 [root] DEBUG: 1984: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2025-11-20 07:38:10,743 [root] DEBUG: 1984: DumpProcess: Instantiating PeParser with address: 0x00610000.\n2025-11-20 07:38:10,744 [root] DEBUG: 1984: DumpProcess: Module entry point VA is 0x00016B20.\n2025-11-20 07:38:10,753 [lib.common.results] INFO: Uploading file C:\\KeQEql\\CAPE\\1984_424325410384204112025 to procdump\\fb5ba2cbe8fe7e1424289757374950772da9dd0957f9f5a3de5bd3c285fb5dc6; Size is 346624; Max size: 100000000\n2025-11-20 07:38:10,768 [root] DEBUG: 1984: DumpProcess: Module image dump success - dump size 0x54a00.\n2025-11-20 07:38:10,777 [root] INFO: Process with pid 1984 has terminated\n2025-11-20 07:38:16,351 [root] INFO: Process list is empty, terminating analysis\n2025-11-20 07:38:17,363 [root] INFO: Created shutdown mutex\n2025-11-20 07:38:18,377 [root] INFO: Shutting down package\n2025-11-20 07:38:18,378 [root] INFO: Stopping auxiliary modules\n2025-11-20 07:38:18,378 [root] INFO: Stopping auxiliary module: Browser\n2025-11-20 07:38:18,378 [root] INFO: Stopping auxiliary module: Human\n2025-11-20 07:38:18,394 [root] INFO: Stopping auxiliary module: Screenshots\n2025-11-20 07:38:19,114 [root] INFO: Finishing auxiliary modules\n2025-11-20 07:38:19,114 [root] INFO: Shutting down pipe server and dumping dropped files\n2025-11-20 07:38:19,115 [root] WARNING: Folder at path \"C:\\KeQEql\\debugger\" does not exist, skipping\n2025-11-20 07:38:19,115 [root] WARNING: Folder at path \"C:\\KeQEql\\tlsdump\" does not exist, skipping\n2025-11-20 07:38:19,122 [root] INFO: Analysis completed\n", "errors": [] }, "network": { "pcap_sha256": "1294f2498f057e1052fb48db6d86b3ce55496eb6fedc0c1aa5c9c2ab395302ef", "hosts": [], "domains": [ { "domain": "mozilla.map.fastly.net", "ip": "151.101.1.91" } ], "tcp": [ { "src": "192.168.1.2", "sport": 49674, "dst": "98.66.133.185", "dport": 443, "offset": 35727, "time": 0.7550380229949951 }, { "src": "192.168.1.2", "sport": 49683, "dst": "151.101.1.91", "dport": 443, "offset": 52751, "time": 2.3902149200439453 }, { "src": "192.168.1.2", "sport": 49685, "dst": "34.160.144.191", "dport": 443, "offset": 136034, "time": 2.8705248832702637 }, { "src": "192.168.1.2", "sport": 49687, "dst": "34.120.208.123", "dport": 443, "offset": 498403, "time": 4.903454065322876 } ], "udp": [ { "src": "192.168.1.2", "sport": 63376, "dst": "1.1.1.1", "dport": 53, "offset": 22732, "time": 0.4111149311065674 }, { "src": "192.168.1.2", "sport": 61196, "dst": "1.1.1.1", "dport": 53, "offset": 44348, "time": 1.4990880489349365 }, { "src": "192.168.1.2", "sport": 53184, "dst": "1.1.1.1", "dport": 53, "offset": 44974, "time": 1.5939741134643555 }, { "src": "192.168.1.2", "sport": 64330, "dst": "1.1.1.1", "dport": 53, "offset": 56549, "time": 2.4534430503845215 }, { "src": "192.168.1.2", "sport": 50916, "dst": "1.1.1.1", "dport": 53, "offset": 58114, "time": 2.481250047683716 }, { "src": "192.168.1.2", "sport": 62380, "dst": "1.1.1.1", "dport": 53, "offset": 135074, "time": 2.8398399353027344 }, { "src": "192.168.1.2", "sport": 65454, "dst": "1.1.1.1", "dport": 53, "offset": 135632, "time": 2.8645029067993164 }, { "src": "192.168.1.2", "sport": 55071, "dst": "1.1.1.1", "dport": 53, "offset": 497503, "time": 4.870342016220093 }, { "src": "192.168.1.2", "sport": 65456, "dst": "1.1.1.1", "dport": 53, "offset": 498130, "time": 4.896224021911621 }, { "src": "192.168.1.2", "sport": 138, "dst": "192.168.1.255", "dport": 138, "offset": 513289, "time": 13.641976118087769 } ], "icmp": [], "http": [], "dns": [ { "request": "mozilla.map.fastly.net", "type": "A", "answers": [ { "type": "A", "data": "151.101.65.91" }, { "type": "A", "data": "151.101.129.91" }, { "type": "A", "data": "151.101.193.91" }, { "type": "A", "data": "151.101.1.91" } ], "first_seen": 1763624293.382039 }, { "request": "mozilla.map.fastly.net", "type": "AAAA", "answers": [ { "type": "AAAA", "data": "2a04:4e42::347" }, { "type": "AAAA", "data": "2a04:4e42:200::347" }, { "type": "AAAA", "data": "2a04:4e42:600::347" }, { "type": "AAAA", "data": "2a04:4e42:400::347" } ], "first_seen": 1763624293.38386 } ], "smtp": [], "irc": [], "dead_hosts": [] }, "url_analysis": {}, "procmemory": [], "signatures": [ { "name": "stealth_network", "description": "Network activity detected but not expressed in monitor API logs", "categories": [ "stealth" ], "severity": 1, "weight": 1, "confidence": 100, "references": [], "data": [ { "domain": "mozilla.map.fastly.net" } ], "new_data": [], "alert": false, "families": [] }, { "name": "queries_locale_api", "description": "Queries the computer locale (possible geofencing)", "categories": [ "location_discovery", "geofence" ], "severity": 1, "weight": 1, "confidence": 100, "references": [], "data": [ { "type": "call", "pid": 1984, "cid": 62 } ], "new_data": [], "alert": false, "families": [] }, { "name": "stealth_timeout", "description": "Possible date expiration check, exits too soon after checking local time", "categories": [ "stealth" ], "severity": 1, "weight": 1, "confidence": 40, "references": [], "data": [ { "process": "cmd.exe, PID 1984" }, { "type": "call", "pid": 1984, "cid": 136 } ], "new_data": [], "alert": false, "families": [] }, { "name": "language_check_registry", "description": "Checks system language via registry key (possible geofencing)", "categories": [ "location_discovery", "geofence" ], "severity": 1, "weight": 1, "confidence": 100, "references": [], "data": [ { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\ru-RU" }, { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\ru-RU" } ], "new_data": [], "alert": false, "families": [] } ], "malscore": 0.0, "ttps": [ { "signature": "stealth_network", "ttps": [ "T1071" ], "mbcs": [ "OC0006", "C0002", "OC0006", "C0002" ] } ], "malstatus": null }