{ "statistics": { "processing": [ { "name": "AnalysisInfo", "time": 0.261 }, { "name": "BehaviorAnalysis", "time": 0.149 }, { "name": "Debug", "time": 0.004 }, { "name": "NetworkAnalysis", "time": 0.031 }, { "name": "UrlAnalysis", "time": 0.0 }, { "name": "script_log_processing", "time": 0.003 }, { "name": "ProcessMemory", "time": 0.005 } ], "signatures": [ { "name": "packer_themida", "time": 0.0 }, { "name": "stealth_network", "time": 0.0 }, { "name": "disable_driver_via_blocklist", "time": 0.0 }, { "name": "disable_driver_via_hvcidisallowedimages", "time": 0.0 }, { "name": "disable_hypervisor_protected_code_integrity", "time": 0.0 }, { "name": "pendingfilerenameoperations_Operations", "time": 0.0 }, { "name": "anomalous_deletefile", "time": 0.0 }, { "name": "antiav_360_libs", "time": 0.0 }, { "name": "antiav_ahnlab_libs", "time": 0.0 }, { "name": "antiav_avast_libs", "time": 0.0 }, { "name": "antiav_bitdefender_libs", "time": 0.0 }, { "name": "antiav_bullguard_libs", "time": 0.0 }, { "name": "antiav_emsisoft_libs", "time": 0.0 }, { "name": "antiav_qurb_libs", "time": 0.0 }, { "name": "antiav_servicestop", "time": 0.0 }, { "name": "antiav_apioverride_libs", "time": 0.0 }, { "name": "antidebug_guardpages", "time": 0.0 }, { "name": "antidebug_ntcreatethreadex", "time": 0.0 }, { "name": "antiav_nthookengine_libs", "time": 0.0 }, { "name": "antidebug_outputdebugstring", "time": 0.0 }, { "name": "antidebug_setunhandledexceptionfilter", "time": 0.0 }, { "name": "antidebug_windows", "time": 0.0 }, { "name": "antisandbox_cuckoocrash", "time": 0.0 }, { "name": "antisandbox_foregroundwindows", "time": 0.0 }, { "name": "mouse_movement_detect", "time": 0.0 }, { "name": "antisandbox_sboxie_libs", "time": 0.0 }, { "name": "antisandbox_script_timer", "time": 0.0 }, { "name": "antisandbox_sleep", "time": 0.0 }, { "name": "antisandbox_sunbelt_libs", "time": 0.0 }, { "name": "antisandbox_unhook", "time": 0.0 }, { "name": "antivm_directory_objects", "time": 0.0 }, { "name": "antivm_generic_disk", "time": 0.0 }, { "name": "antivm_generic_scsi", "time": 0.0 }, { "name": "antivm_generic_services", "time": 0.0 }, { "name": "antivm_generic_system", "time": 0.0 }, { "name": "antivm_checks_available_memory", "time": 0.0 }, { "name": "detect_virtualization_via_recent_files", "time": 0.0 }, { "name": "antivm_vbox_libs", "time": 0.0 }, { "name": "antivm_vmware_events", "time": 0.0 }, { "name": "antivm_vmware_libs", "time": 0.0 }, { "name": "api_spamming", "time": 0.0 }, { "name": "api_uuidfromstringa", "time": 0.0 }, { "name": "bcdedit_command", "time": 0.0 }, { "name": "bootkit", "time": 0.0 }, { "name": "potential_overwrite_mbr", "time": 0.0 }, { "name": "suspicious_ioctl_scsipassthough", "time": 0.0 }, { "name": "suspicious_iocontrol_codes", "time": 0.0 }, { "name": "browser_needed", "time": 0.0 }, { "name": "firefox_disables_process_tab", "time": 0.0 }, { "name": "regsvr32_squiblydoo_dll_load", "time": 0.0 }, { "name": "uac_bypass_cmstp", "time": 0.0 }, { "name": "uac_bypass_eventvwr", "time": 0.0 }, { "name": "uac_bypass_windows_Backup", "time": 0.0 }, { "name": "queries_computer_name", "time": 0.0 }, { "name": "queries_user_name", "time": 0.0 }, { "name": "creates_largekey", "time": 0.0 }, { "name": "creates_nullvalue", "time": 0.0 }, { "name": "access_windows_passwords_vault", "time": 0.0 }, { "name": "dump_lsa_via_windows_error_reporting", "time": 0.0 }, { "name": "lsass_credential_dumping", "time": 0.0 }, { "name": "critical_process", "time": 0.0 }, { "name": "cryptopool_domains", "time": 0.0 }, { "name": "dead_connect", "time": 0.0 }, { "name": "dead_link", "time": 0.0 }, { "name": "decoy_image", "time": 0.0 }, { "name": "deletes_consolehost_history", "time": 0.0 }, { "name": "dep_bypass", "time": 0.0 }, { "name": "dep_disable", "time": 0.0 }, { "name": "disables_spdy", "time": 0.0 }, { "name": "disables_wfp", "time": 0.0 }, { "name": "add_windows_defender_exclusions", "time": 0.0 }, { "name": "dll_load_uncommon_file_types", "time": 0.0 }, { "name": "document_script_exe_drop", "time": 0.0 }, { "name": "guloader_apis", "time": 0.0 }, { "name": "driver_load", "time": 0.0 }, { "name": "dynamic_function_loading", "time": 0.0 }, { "name": "exec_crash", "time": 0.0 }, { "name": "process_creation_suspicious_location", "time": 0.0 }, { "name": "exploit_getbasekerneladdress", "time": 0.0 }, { "name": "exploit_gethaldispatchtable", "time": 0.0 }, { "name": "exploit_heapspray", "time": 0.0 }, { "name": "koadic_apis", "time": 0.0 }, { "name": "koadic_network_activity", "time": 0.0 }, { "name": "downloads_from_filehosting", "time": 0.0 }, { "name": "generic_phish", "time": 0.0 }, { "name": "http_request", "time": 0.0 }, { "name": "infostealer_browser", "time": 0.0 }, { "name": "infostealer_browser_password", "time": 0.0 }, { "name": "infostealer_cookies", "time": 0.0 }, { "name": "cryptbot_network", "time": 0.0 }, { "name": "masslogger_version", "time": 0.0 }, { "name": "purplewave_network_activity", "time": 0.0 }, { "name": "quilclipper_behavior", "time": 0.0 }, { "name": "raccoon_behavior", "time": 0.0 }, { "name": "captures_screenshot", "time": 0.0 }, { "name": "vidar_behavior", "time": 0.0 }, { "name": "injection_createremotethread", "time": 0.0 }, { "name": "injection_explorer", "time": 0.0 }, { "name": "injection_network_traffic", "time": 0.0 }, { "name": "injection_runpe", "time": 0.0 }, { "name": "injection_themeinitapihook", "time": 0.0 }, { "name": "resumethread_remote_process", "time": 0.0 }, { "name": "injection_write_exe_process", "time": 0.0 }, { "name": "injection_write_process", "time": 0.0 }, { "name": "internet_dropper", "time": 0.0 }, { "name": "escalate_privilege_via_named_pipe", "time": 0.0 }, { "name": "ipc_namedpipe", "time": 0.0 }, { "name": "js_phish", "time": 0.0 }, { "name": "js_suspicious_redirect", "time": 0.0 }, { "name": "execute_binary_via_internet_explorer_exporter", "time": 0.0 }, { "name": "execute_binary_via_run_exe_helper_utility", "time": 0.0 }, { "name": "execute_ps_via_syncappvpublishingserver", "time": 0.0 }, { "name": "malicious_dynamic_function_loading", "time": 0.0 }, { "name": "encrypt_pcinfo", "time": 0.0 }, { "name": "encrypt_data_agenttesla_http", "time": 0.0 }, { "name": "encrypt_data_agentteslat2_http", "time": 0.0 }, { "name": "encrypt_data_nanocore", "time": 0.0 }, { "name": "reads_memory_remote_process", "time": 0.0 }, { "name": "mimics_filetime", "time": 0.0 }, { "name": "amsi_bypass_via_com_registry", "time": 0.0 }, { "name": "access_auto_logons_via_registry", "time": 0.0 }, { "name": "access_boot_key_via_registry", "time": 0.0 }, { "name": "create_suspicious_lnk_files", "time": 0.0 }, { "name": "credential_access_via_windows_credential_history", "time": 0.0 }, { "name": "dll_hijacking_via_microsoft_exchange", "time": 0.0 }, { "name": "dll_hijacking_via_waas_medic_svc_com_typelib", "time": 0.0 }, { "name": "execute_file_downloaded_via_openssh", "time": 0.0 }, { "name": "execute_safe_mode_from_suspicious_process", "time": 0.0 }, { "name": "execute_scripts_via_microsoft_management_console", "time": 0.0 }, { "name": "execute_suspicious_processes_via_windows_mssql_service", "time": 0.0 }, { "name": "execution_from_self_extracting_archive", "time": 0.0 }, { "name": "ip_address_discovery_via_trusted_program", "time": 0.0 }, { "name": "load_dll_via_control_panel", "time": 0.0 }, { "name": "network_connection_via_suspicious_process", "time": 0.0 }, { "name": "potential_location_discovery_via_unusual_process", "time": 0.0 }, { "name": "store_executable_registry", "time": 0.0 }, { "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent", "time": 0.0 }, { "name": "suspicious_java_execution_via_win_scripts", "time": 0.0 }, { "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File", "time": 0.0 }, { "name": "uses_restart_manager_for_suspicious_activities", "time": 0.0 }, { "name": "modify_desktop_wallpaper", "time": 0.0 }, { "name": "modify_zoneid_ads", "time": 0.0 }, { "name": "move_file_on_reboot", "time": 0.0 }, { "name": "multiple_useragents", "time": 0.0 }, { "name": "network_anomaly", "time": 0.0 }, { "name": "network_bind", "time": 0.0 }, { "name": "network_cnc_https_archive", "time": 0.0 }, { "name": "network_cnc_https_free_webshoting", "time": 0.0 }, { "name": "network_cnc_https_generic", "time": 0.0 }, { "name": "network_cnc_https_temp_urldns", "time": 0.0 }, { "name": "network_cnc_https_opensource", "time": 0.0 }, { "name": "network_cnc_https_pastesite", "time": 0.0 }, { "name": "network_cnc_https_payload", "time": 0.0 }, { "name": "network_cnc_https_serviceinterface", "time": 0.0 }, { "name": "network_cnc_https_socialmedia", "time": 0.0 }, { "name": "network_cnc_https_telegram", "time": 0.0 }, { "name": "network_cnc_https_tempstorage", "time": 0.0 }, { "name": "network_cnc_https_urlshortener", "time": 0.0 }, { "name": "network_cnc_https_useragent", "time": 0.0 }, { "name": "network_cnc_smtps_exfil", "time": 0.0 }, { "name": "network_cnc_smtps_generic", "time": 0.0 }, { "name": "network_dns_idn", "time": 0.0 }, { "name": "network_dns_suspicious_querytype", "time": 0.0 }, { "name": "network_dns_tunneling_request", "time": 0.0 }, { "name": "explorer_http", "time": 0.0 }, { "name": "network_fake_useragent", "time": 0.0 }, { "name": "legitimate_domain_abuse", "time": 0.0 }, { "name": "suspicious_communication_trusted_site", "time": 0.0 }, { "name": "network_tor", "time": 0.0 }, { "name": "office_com_load", "time": 0.0 }, { "name": "office_dotnet_load", "time": 0.0 }, { "name": "office_mshtml_load", "time": 0.0 }, { "name": "office_vb_load", "time": 0.0 }, { "name": "office_wmi_load", "time": 0.0 }, { "name": "office_cve2017_11882_network", "time": 0.0 }, { "name": "office_cve_2021_40444", "time": 0.0 }, { "name": "office_cve_2021_40444_m2", "time": 0.0 }, { "name": "office_flash_load", "time": 0.0 }, { "name": "office_postscript", "time": 0.0 }, { "name": "office_suspicious_processes", "time": 0.0 }, { "name": "persistence_via_autodial_dll_registry", "time": 0.0 }, { "name": "persistence_autorun", "time": 0.0 }, { "name": "persistence_autorun_tasks", "time": 0.0 }, { "name": "persistence_bootexecute", "time": 0.0 }, { "name": "persistence_registry_script", "time": 0.0 }, { "name": "powershell_download", "time": 0.0 }, { "name": "powershell_request", "time": 0.0 }, { "name": "createtoolhelp32snapshot_module_enumeration", "time": 0.0 }, { "name": "enumerates_running_processes", "time": 0.0 }, { "name": "process_interest", "time": 0.0 }, { "name": "process_needed", "time": 0.0 }, { "name": "mass_data_encryption", "time": 0.0 }, { "name": "ransomware_file_modifications", "time": 0.0 }, { "name": "ransomware_message", "time": 0.0 }, { "name": "nemty_network_activity", "time": 0.0 }, { "name": "nemty_note", "time": 0.0 }, { "name": "sodinokibi_behavior", "time": 0.0 }, { "name": "stop_ransomware_registry", "time": 0.0 }, { "name": "blackrat_apis", "time": 0.0 }, { "name": "blackrat_network_activity", "time": 0.0 }, { "name": "blackrat_registry_keys", "time": 0.0 }, { "name": "dcrat_behavior", "time": 0.0 }, { "name": "karagany_system_event_objects", "time": 0.0 }, { "name": "rat_luminosity", "time": 0.0 }, { "name": "rat_nanocore", "time": 0.0 }, { "name": "netwire_behavior", "time": 0.0 }, { "name": "obliquerat_network_activity", "time": 0.0 }, { "name": "orcusrat_behavior", "time": 0.0 }, { "name": "trochilusrat_apis", "time": 0.0 }, { "name": "recon_beacon", "time": 0.0 }, { "name": "recon_programs", "time": 0.0 }, { "name": "recon_systeminfo", "time": 0.0 }, { "name": "accesses_recyclebin", "time": 0.0 }, { "name": "remcos_shell_code_dynamic_wrapper_x", "time": 0.0 }, { "name": "script_created_process", "time": 0.0 }, { "name": "script_network_activity", "time": 0.0 }, { "name": "suspicious_js_script", "time": 0.0 }, { "name": "javascript_timer", "time": 0.0 }, { "name": "secure_login_phishing", "time": 0.0 }, { "name": "securityxploded_modules", "time": 0.0 }, { "name": "get_clipboard_data", "time": 0.0 }, { "name": "sets_autoconfig_url", "time": 0.0 }, { "name": "spoofs_procname", "time": 0.0 }, { "name": "stack_pivot", "time": 0.0 }, { "name": "stack_pivot_file_created", "time": 0.0 }, { "name": "stack_pivot_process_create", "time": 0.0 }, { "name": "set_clipboard_data", "time": 0.0 }, { "name": "stealth_childproc", "time": 0.0 }, { "name": "stealth_timeout", "time": 0.0 }, { "name": "stealth_window", "time": 0.0 }, { "name": "queries_keyboard_layout", "time": 0.0 }, { "name": "queries_locale_api", "time": 0.0 }, { "name": "terminates_remote_process", "time": 0.0 }, { "name": "uiautomationcore_load", "time": 0.0 }, { "name": "user_enum", "time": 0.0 }, { "name": "virus", "time": 0.0 }, { "name": "neshta_files", "time": 0.0 }, { "name": "neshta_regkeys", "time": 0.0 }, { "name": "webmail_phish", "time": 0.0 }, { "name": "persists_dev_util", "time": 0.0 }, { "name": "spawns_dev_util", "time": 0.0 }, { "name": "alters_windows_utility", "time": 0.0 }, { "name": "overwrites_accessibility_utility", "time": 0.0 }, { "name": "Potential_Lateral_Movement_Via_SMBEXEC", "time": 0.0 }, { "name": "potential_WebShell_Via_ScreenConnectServer", "time": 0.0 }, { "name": "uses_Microsoft_HTML_Help_Executable", "time": 0.0 }, { "name": "wiper_zeroedbytes", "time": 0.0 }, { "name": "wmi_create_process", "time": 0.0 }, { "name": "wmi_script_process", "time": 0.0 }, { "name": "antianalysis_tls_section", "time": 0.0 }, { "name": "antivirus_clamav", "time": 0.0 }, { "name": "antivirus_virustotal", "time": 0.0 }, { "name": "bad_certs", "time": 0.0 }, { "name": "bad_ssl_certs", "time": 0.0 }, { "name": "banker_zeus_p2p", "time": 0.0 }, { "name": "banker_zeus_url", "time": 0.0 }, { "name": "bot_athenahttp", "time": 0.0 }, { "name": "bot_dirtjumper", "time": 0.0 }, { "name": "bot_drive", "time": 0.001 }, { "name": "bot_drive2", "time": 0.001 }, { "name": "bot_madness", "time": 0.0 }, { "name": "phishing_kit_detected", "time": 0.0 }, { "name": "family_proxyback", "time": 0.0 }, { "name": "flare_capa_antianalysis", "time": 0.0 }, { "name": "flare_capa_collection", "time": 0.0 }, { "name": "flare_capa_communication", "time": 0.0 }, { "name": "flare_capa_compiler", "time": 0.0 }, { "name": "flare_capa_datamanipulation", "time": 0.0 }, { "name": "flare_capa_executable", "time": 0.0 }, { "name": "flare_capa_hostinteraction", "time": 0.0 }, { "name": "flare_capa_impact", "time": 0.0 }, { "name": "flare_capa_lib", "time": 0.0 }, { "name": "flare_capa_linking", "time": 0.0 }, { "name": "flare_capa_loadcode", "time": 0.0 }, { "name": "flare_capa_malwarefamily", "time": 0.0 }, { "name": "flare_capa_nursery", "time": 0.0 }, { "name": "flare_capa_persistence", "time": 0.0 }, { "name": "flare_capa_runtime", "time": 0.0 }, { "name": "flare_capa_targeting", "time": 0.0 }, { "name": "threatfox", "time": 0.0 }, { "name": "log4shell", "time": 0.0 }, { "name": "mimics_extension", "time": 0.0 }, { "name": "network_ip_exe", "time": 0.0 }, { "name": "network_dga", "time": 0.0 }, { "name": "network_dga_fraunhofer", "time": 0.0 }, { "name": "network_dyndns", "time": 0.0 }, { "name": "network_icmp", "time": 0.0 }, { "name": "network_irc", "time": 0.0 }, { "name": "network_open_proxy", "time": 0.0 }, { "name": "network_smtp", "time": 0.0 }, { "name": "network_torgateway", "time": 0.0 }, { "name": "origin_langid", "time": 0.0 }, { "name": "origin_resource_langid", "time": 0.0 }, { "name": "overlay", "time": 0.0 }, { "name": "packer_unknown_pe_section_name", "time": 0.0 }, { "name": "packer_aspack", "time": 0.0 }, { "name": "packer_aspirecrypt", "time": 0.0 }, { "name": "packer_bedsprotector", "time": 0.0 }, { "name": "packer_confuser", "time": 0.0 }, { "name": "packer_enigma", "time": 0.0 }, { "name": "packer_entropy", "time": 0.0 }, { "name": "packer_mpress", "time": 0.0 }, { "name": "packer_nate", "time": 0.0 }, { "name": "packer_nspack", "time": 0.0 }, { "name": "packer_smartassembly", "time": 0.0 }, { "name": "packer_spices", "time": 0.0 }, { "name": "packer_themida", "time": 0.0 }, { "name": "packer_titan", "time": 0.0 }, { "name": "packer_upx", "time": 0.0 }, { "name": "packer_vmprotect", "time": 0.0 }, { "name": "packer_yoda", "time": 0.0 }, { "name": "punch_plus_plus_pcres", "time": 0.0 }, { "name": "procmem_yara", "time": 0.0 }, { "name": "recon_checkip", "time": 0.0 }, { "name": "static_authenticode", "time": 0.0 }, { "name": "invalid_authenticode_signature", "time": 0.0 }, { "name": "static_dotnet_anomaly", "time": 0.0 }, { "name": "static_java", "time": 0.0 }, { "name": "static_pdf", "time": 0.0 }, { "name": "contains_pe_overlay", "time": 0.0 }, { "name": "static_pe_anomaly", "time": 0.0 }, { "name": "pe_compile_timestomping", "time": 0.0 }, { "name": "static_pe_pdbpath", "time": 0.0 }, { "name": "static_rat_config", "time": 0.0 }, { "name": "static_versioninfo_anomaly", "time": 0.0 }, { "name": "suricata_alert", "time": 0.0 }, { "name": "suspicious_html_body", "time": 0.0 }, { "name": "suspicious_html_name", "time": 0.0 }, { "name": "suspicious_html_title", "time": 0.0 }, { "name": "volatility_devicetree_1", "time": 0.0 }, { "name": "volatility_handles_1", "time": 0.0 }, { "name": "volatility_ldrmodules_1", "time": 0.0 }, { "name": "volatility_ldrmodules_2", "time": 0.0 }, { "name": "volatility_malfind_1", "time": 0.0 }, { "name": "volatility_malfind_2", "time": 0.0 }, { "name": "volatility_modscan_1", "time": 0.0 }, { "name": "volatility_svcscan_1", "time": 0.0 }, { "name": "volatility_svcscan_2", "time": 0.0 }, { "name": "volatility_svcscan_3", "time": 0.0 }, { "name": "whois_create", "time": 0.0 }, { "name": "accesses_mailslot", "time": 0.0 }, { "name": "accesses_netlogon_regkey", "time": 0.0 }, { "name": "accesses_public_folder", "time": 0.0 }, { "name": "accesses_sysvol", "time": 0.0 }, { "name": "writes_sysvol", "time": 0.0 }, { "name": "adds_admin_user", "time": 0.0 }, { "name": "adds_user", "time": 0.0 }, { "name": "overwrites_admin_password", "time": 0.0 }, { "name": "antianalysis_detectfile", "time": 0.002 }, { "name": "antianalysis_detectreg", "time": 0.002 }, { "name": "modify_attachment_manager", "time": 0.0 }, { "name": "antiav_detectfile", "time": 0.003 }, { "name": "antiav_detectreg", "time": 0.006 }, { "name": "antiav_srp", "time": 0.0 }, { "name": "antiav_whitespace", "time": 0.0 }, { "name": "antidebug_devices", "time": 0.001 }, { "name": "antiemu_windefend", "time": 0.0 }, { "name": "antiemu_wine_reg", "time": 0.0 }, { "name": "antisandbox_cuckoo_files", "time": 0.0 }, { "name": "antisandbox_fortinet_files", "time": 0.0 }, { "name": "antisandbox_joe_anubis_files", "time": 0.0 }, { "name": "antisandbox_sboxie_mutex", "time": 0.0 }, { "name": "antisandbox_sunbelt_files", "time": 0.0 }, { "name": "antisandbox_threattrack_files", "time": 0.0 }, { "name": "antivm_bochs_keys", "time": 0.0 }, { "name": "antivm_generic_bios", "time": 0.0 }, { "name": "antivm_generic_diskreg", "time": 0.0 }, { "name": "antivm_hyperv_keys", "time": 0.0 }, { "name": "antivm_parallels_keys", "time": 0.0 }, { "name": "antivm_recentdocs", "time": 0.0 }, { "name": "antivm_vbox_devices", "time": 0.0 }, { "name": "antivm_vbox_files", "time": 0.001 }, { "name": "antivm_vbox_keys", "time": 0.001 }, { "name": "antivm_vmware_devices", "time": 0.0 }, { "name": "antivm_vmware_files", "time": 0.0 }, { "name": "antivm_vmware_keys", "time": 0.0 }, { "name": "antivm_vmware_mutexes", "time": 0.0 }, { "name": "antivm_vpc_files", "time": 0.0 }, { "name": "antivm_vpc_keys", "time": 0.0 }, { "name": "antivm_vpc_mutex", "time": 0.0 }, { "name": "antivm_xen_keys", "time": 0.0 }, { "name": "asyncrat_mutex", "time": 0.0 }, { "name": "gulpix_behavior", "time": 0.0 }, { "name": "ketrican_regkeys", "time": 0.003 }, { "name": "okrum_mutexes", "time": 0.0 }, { "name": "banker_cridex", "time": 0.0 }, { "name": "geodo_banking_trojan", "time": 0.005 }, { "name": "banker_spyeye_mutexes", "time": 0.0 }, { "name": "banker_zeus_mutex", "time": 0.0 }, { "name": "bitcoin_opencl", "time": 0.0 }, { "name": "accesses_primary_patition", "time": 0.002 }, { "name": "direct_hdd_access", "time": 0.0 }, { "name": "enumerates_physical_drives", "time": 0.0 }, { "name": "physical_drive_access", "time": 0.0 }, { "name": "bot_russkill", "time": 0.0 }, { "name": "browser_addon", "time": 0.0 }, { "name": "chromium_browser_extension_directory", "time": 0.0 }, { "name": "browser_helper_object", "time": 0.0 }, { "name": "browser_security", "time": 0.005 }, { "name": "browser_startpage", "time": 0.0 }, { "name": "ie_disables_process_tab", "time": 0.0 }, { "name": "odbcconf_bypass", "time": 0.0 }, { "name": "squiblydoo_bypass", "time": 0.0 }, { "name": "squiblytwo_bypass", "time": 0.0 }, { "name": "bypass_chromium_protection", "time": 0.0 }, { "name": "bypass_firewall", "time": 0.0 }, { "name": "checks_uac_status", "time": 0.0 }, { "name": "uac_bypass_cmstpcom", "time": 0.0 }, { "name": "uac_bypass_delegateexecute_sdclt", "time": 0.0 }, { "name": "uac_bypass_fodhelper", "time": 0.0 }, { "name": "cape_extracted_content", "time": 0.0 }, { "name": "carberp_mutex", "time": 0.0 }, { "name": "clears_logs", "time": 0.004 }, { "name": "cmdline_obfuscation", "time": 0.0 }, { "name": "cmdline_switches", "time": 0.0 }, { "name": "cmdline_terminate", "time": 0.0 }, { "name": "cmdline_forfiles_wildcard", "time": 0.0 }, { "name": "cmdline_http_link", "time": 0.0 }, { "name": "cmdline_long_string", "time": 0.0 }, { "name": "cmdline_reversed_http_link", "time": 0.0 }, { "name": "long_commandline", "time": 0.0 }, { "name": "powershell_renamed_commandline", "time": 0.0 }, { "name": "copies_self", "time": 0.0 }, { "name": "credwiz_credentialaccess", "time": 0.0 }, { "name": "enables_wdigest", "time": 0.0 }, { "name": "vaultcmd_credentialaccess", "time": 0.0 }, { "name": "file_credential_store_access", "time": 0.0 }, { "name": "file_credential_store_write", "time": 0.006 }, { "name": "kerberos_credential_access_via_rubeus", "time": 0.0 }, { "name": "registry_credential_dumping", "time": 0.0 }, { "name": "registry_lsa_secrets_access", "time": 0.0 }, { "name": "comsvcs_credentialdump", "time": 0.0 }, { "name": "cryptomining_stratum_command", "time": 0.0 }, { "name": "cypherit_mutexes", "time": 0.0 }, { "name": "darkcomet_regkeys", "time": 0.0 }, { "name": "datop_loader", "time": 0.0 }, { "name": "deepfreeze_mutex", "time": 0.001 }, { "name": "deletes_executed_files", "time": 0.0 }, { "name": "disables_app_launch", "time": 0.0 }, { "name": "disables_auto_app_termination", "time": 0.0 }, { "name": "disables_appv_virtualization", "time": 0.0 }, { "name": "disables_backups", "time": 0.005 }, { "name": "disables_browser_warn", "time": 0.006 }, { "name": "disables_context_menus", "time": 0.0 }, { "name": "disables_cpl_disable", "time": 0.0 }, { "name": "disables_crashdumps", "time": 0.0 }, { "name": "disables_event_logging", "time": 0.0 }, { "name": "disables_folder_options", "time": 0.0 }, { "name": "disables_notificationcenter", "time": 0.0 }, { "name": "disables_power_options", "time": 0.009 }, { "name": "disables_restore_default_state", "time": 0.0 }, { "name": "disables_run_command", "time": 0.0 }, { "name": "disables_smartscreen", "time": 0.0 }, { "name": "disables_startmenu_search", "time": 0.0 }, { "name": "disables_system_restore", "time": 0.0 }, { "name": "disables_uac", "time": 0.0 }, { "name": "disables_wer", "time": 0.0 }, { "name": "disables_windows_defender", "time": 0.0 }, { "name": "disables_windows_defender_logging", "time": 0.0 }, { "name": "removes_windows_defender_contextmenu", "time": 0.0 }, { "name": "removes_windows_defender_updates", "time": 0.0 }, { "name": "windows_defender_powershell", "time": 0.0 }, { "name": "disables_windows_file_protection", "time": 0.0 }, { "name": "disables_windowsupdate", "time": 0.0 }, { "name": "disables_winfirewall", "time": 0.0 }, { "name": "adfind_domain_enumeration", "time": 0.0 }, { "name": "domain_enumeration_commands", "time": 0.0 }, { "name": "andromut_mutexes", "time": 0.0 }, { "name": "downloader_cabby", "time": 0.0 }, { "name": "phorpiex_mutexes", "time": 0.0 }, { "name": "protonbot_mutexes", "time": 0.0 }, { "name": "driver_filtermanager", "time": 0.0 }, { "name": "dropper", "time": 0.0 }, { "name": "dll_archive_execution", "time": 0.0 }, { "name": "lnk_archive_execution", "time": 0.0 }, { "name": "script_archive_execution", "time": 0.0 }, { "name": "excel4_macro_urls", "time": 0.0 }, { "name": "escalate_privilege_via_ntlm_relay", "time": 0.0 }, { "name": "spooler_access", "time": 0.0 }, { "name": "spooler_svc_start", "time": 0.0 }, { "name": "mapped_drives_uac", "time": 0.0 }, { "name": "hides_recycle_bin_icon", "time": 0.0 }, { "name": "apocalypse_stealer_file_behavior", "time": 0.0 }, { "name": "arkei_files", "time": 0.0 }, { "name": "azorult_mutexes", "time": 0.0 }, { "name": "infostealer_bitcoin", "time": 0.006 }, { "name": "cryptbot_files", "time": 0.0 }, { "name": "echelon_files", "time": 0.001 }, { "name": "infostealer_ftp", "time": 0.013 }, { "name": "infostealer_im", "time": 0.006 }, { "name": "infostealer_mail", "time": 0.005 }, { "name": "masslogger_files", "time": 0.0 }, { "name": "poullight_files", "time": 0.005 }, { "name": "purplewave_mutexes", "time": 0.0 }, { "name": "quilclipper_mutexes", "time": 0.0 }, { "name": "qulab_files", "time": 0.001 }, { "name": "qulab_mutexes", "time": 0.0 }, { "name": "asyncrat_mutex", "time": 0.0 }, { "name": "Evade_Execution_Via_ASPNet_Compiler", "time": 0.0 }, { "name": "Evade_Execute_Via_DeviceCredentialDeployment", "time": 0.0 }, { "name": "Evade_Execution_Via_Filter_Manager_Control", "time": 0.0 }, { "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper", "time": 0.0 }, { "name": "execute_binary_via_appvlp", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_OpenSSH", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_PesterPSModule", "time": 0.0 }, { "name": "Execute_Binary_Via_ScriptRunner", "time": 0.0 }, { "name": "execute_binary_via_ttdinject", "time": 0.0 }, { "name": "Execute_Binary_Via_VisualStudioLiveShare", "time": 0.0 }, { "name": "Execute_Msiexec_Via_Explorer", "time": 0.0 }, { "name": "execute_remote_msi", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_runscripthelper", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_sqlps", "time": 0.0 }, { "name": "Indirect_Command_Execution_Via_ConsoleWindowHost", "time": 0.0 }, { "name": "Perform_Malicious_Activities_Via_Headless_Browser", "time": 0.0 }, { "name": "Register_DLL_Via_CertOC", "time": 0.0 }, { "name": "Register_DLL_Via_MSIEXEC", "time": 0.0 }, { "name": "Register_DLL_Via_Odbcconf", "time": 0.0 }, { "name": "Scriptlet_Proxy_Execution_Via_Pubprn", "time": 0.0 }, { "name": "ie_martian_children", "time": 0.0 }, { "name": "office_martian_children", "time": 0.0 }, { "name": "mimics_icon", "time": 0.0 }, { "name": "masquerade_process_name", "time": 0.006 }, { "name": "mimikatz_modules", "time": 0.0 }, { "name": "ms_office_cmd_rce", "time": 0.0 }, { "name": "mount_copy_to_webdav_share", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_legit_utilities", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_qemu", "time": 0.0 }, { "name": "suspicious_execution_via_dotnet_remoting", "time": 0.0 }, { "name": "dotnet_clr_usagelog_regkeys", "time": 0.0 }, { "name": "modify_hostfile", "time": 0.0 }, { "name": "modify_oem_information", "time": 0.016 }, { "name": "modify_security_center_warnings", "time": 0.0 }, { "name": "modify_uac_prompt", "time": 0.0 }, { "name": "network_dns_blockchain", "time": 0.0 }, { "name": "network_dns_opennic", "time": 0.0 }, { "name": "network_dns_paste_site", "time": 0.0 }, { "name": "network_dns_reverse_proxy", "time": 0.0 }, { "name": "network_dns_temp_file_storage", "time": 0.0 }, { "name": "network_dns_temp_urldns", "time": 0.0 }, { "name": "network_dns_url_shortener", "time": 0.0 }, { "name": "network_dns_doh_tls", "time": 0.0 }, { "name": "suspicious_tld", "time": 0.0 }, { "name": "network_tor_service", "time": 0.0 }, { "name": "office_code_page", "time": 0.0 }, { "name": "office_addinloading", "time": 0.0 }, { "name": "office_perfkey", "time": 0.0 }, { "name": "office_macro", "time": 0.0 }, { "name": "changes_trust_center_settings", "time": 0.0 }, { "name": "disables_vba_trust_access", "time": 0.0 }, { "name": "office_macro_autoexecution", "time": 0.0 }, { "name": "office_macro_ioc", "time": 0.0 }, { "name": "office_macro_malicious_prediction", "time": 0.0 }, { "name": "office_macro_suspicious", "time": 0.0 }, { "name": "rtf_aslr_bypass", "time": 0.0 }, { "name": "rtf_anomaly_characterset", "time": 0.0 }, { "name": "rtf_anomaly_version", "time": 0.0 }, { "name": "rtf_embedded_content", "time": 0.0 }, { "name": "rtf_embedded_office_file", "time": 0.0 }, { "name": "rtf_exploit_static", "time": 0.0 }, { "name": "office_security", "time": 0.0 }, { "name": "accesses_office_username", "time": 0.0 }, { "name": "office_anomalous_feature", "time": 0.0 }, { "name": "office_dde_command", "time": 0.0 }, { "name": "packer_armadillo_mutex", "time": 0.0 }, { "name": "packer_armadillo_regkey", "time": 0.0 }, { "name": "persistence_ads", "time": 0.0 }, { "name": "persistence_safeboot", "time": 0.0 }, { "name": "persistence_ifeo", "time": 0.0 }, { "name": "persistence_silent_process_exit", "time": 0.0 }, { "name": "persistence_rdp_registry", "time": 0.0 }, { "name": "persistence_rdp_shadowing", "time": 0.006 }, { "name": "persistence_service", "time": 0.0 }, { "name": "persistence_shim_database", "time": 0.0 }, { "name": "powerpool_mutexes", "time": 0.0 }, { "name": "powershell_scriptblock_logging", "time": 0.0 }, { "name": "powershell_command_suspicious", "time": 0.0 }, { "name": "powershell_history_save_mod", "time": 0.0 }, { "name": "powershell_renamed", "time": 0.0 }, { "name": "powershell_reversed", "time": 0.0 }, { "name": "powershell_variable_obfuscation", "time": 0.0 }, { "name": "prevents_safeboot", "time": 0.0 }, { "name": "cmdline_process_discovery", "time": 0.0 }, { "name": "cryptomix_mutexes", "time": 0.0 }, { "name": "dharma_mutexes", "time": 0.0 }, { "name": "ransomware_extensions", "time": 0.016 }, { "name": "ransomware_files", "time": 0.025 }, { "name": "fonix_mutexes", "time": 0.006 }, { "name": "gandcrab_mutexes", "time": 0.0 }, { "name": "germanwiper_mutexes", "time": 0.0 }, { "name": "medusalocker_mutexes", "time": 0.0 }, { "name": "medusalocker_regkeys", "time": 0.0 }, { "name": "nemty_mutexes", "time": 0.0 }, { "name": "nemty_regkeys", "time": 0.0 }, { "name": "pysa_mutexes", "time": 0.0 }, { "name": "ransomware_radamant", "time": 0.006 }, { "name": "ransomware_recyclebin", "time": 0.0 }, { "name": "revil_mutexes", "time": 0.001 }, { "name": "ransomware_revil_regkey", "time": 0.0 }, { "name": "satan_mutexes", "time": 0.0 }, { "name": "snake_ransom_mutexes", "time": 0.0 }, { "name": "stop_ransom_mutexes", "time": 0.0 }, { "name": "stop_ransomware_cmd", "time": 0.0 }, { "name": "ransomware_stopdjvu", "time": 0.0 }, { "name": "rat_beebus_mutexes", "time": 0.0 }, { "name": "blacknet_mutexes", "time": 0.0 }, { "name": "blackrat_mutexes", "time": 0.0 }, { "name": "crat_mutexes", "time": 0.0 }, { "name": "dcrat_files", "time": 0.004 }, { "name": "dcrat_mutexes", "time": 0.0 }, { "name": "rat_fynloski_mutexes", "time": 0.0 }, { "name": "limerat_mutexes", "time": 0.0 }, { "name": "limerat_regkeys", "time": 0.0 }, { "name": "lodarat_file_behavior", "time": 0.0 }, { "name": "modirat_behavior", "time": 0.007 }, { "name": "njrat_regkeys", "time": 0.0 }, { "name": "obliquerat_files", "time": 0.0 }, { "name": "obliquerat_mutexes", "time": 0.0 }, { "name": "parallax_mutexes", "time": 0.0 }, { "name": "rat_pcclient", "time": 0.0 }, { "name": "rat_plugx_mutexes", "time": 0.0 }, { "name": "rat_poisonivy_mutexes", "time": 0.0 }, { "name": "rat_quasar_mutexes", "time": 0.0 }, { "name": "ratsnif_mutexes", "time": 0.0 }, { "name": "rat_spynet", "time": 0.0 }, { "name": "venomrat_mutexes", "time": 0.0 }, { "name": "warzonerat_files", "time": 0.0 }, { "name": "warzonerat_regkeys", "time": 0.0 }, { "name": "xpertrat_files", "time": 0.0 }, { "name": "xpertrat_mutexes", "time": 0.0 }, { "name": "rat_xtreme_mutexes", "time": 0.0 }, { "name": "recon_fingerprint", "time": 0.001 }, { "name": "remcos_files", "time": 0.0 }, { "name": "remcos_mutexes", "time": 0.0 }, { "name": "remcos_regkeys", "time": 0.0 }, { "name": "rdptcp_key", "time": 0.0 }, { "name": "uses_rdp_clip", "time": 0.0 }, { "name": "uses_remote_desktop_session", "time": 0.0 }, { "name": "removes_networking_icon", "time": 0.0 }, { "name": "removes_pinned_programs", "time": 0.0 }, { "name": "removes_security_maintenance_icon", "time": 0.0 }, { "name": "removes_startmenu_defaults", "time": 0.001 }, { "name": "removes_username_startmenu", "time": 0.0 }, { "name": "spicyhotpot_behavior", "time": 0.0 }, { "name": "sniffer_winpcap", "time": 0.0 }, { "name": "spreading_autoruninf", "time": 0.006 }, { "name": "stealth_hidden_extension", "time": 0.0 }, { "name": "stealth_hiddenreg", "time": 0.0 }, { "name": "stealth_hide_notifications", "time": 0.0 }, { "name": "stealth_webhistory", "time": 0.0 }, { "name": "sysinternals_psexec", "time": 0.0 }, { "name": "sysinternals_tools", "time": 0.0 }, { "name": "language_check_registry", "time": 0.004 }, { "name": "tampers_etw", "time": 0.0 }, { "name": "lsa_tampering", "time": 0.0 }, { "name": "tampers_powershell_logging", "time": 0.0 }, { "name": "targeted_flame", "time": 0.0 }, { "name": "territorial_disputes_sigs", "time": 0.014 }, { "name": "trickbot_mutex", "time": 0.0 }, { "name": "fleercivet_mutex", "time": 0.0 }, { "name": "lokibot_mutexes", "time": 0.0 }, { "name": "ursnif_behavior", "time": 0.005 }, { "name": "uses_adfind", "time": 0.0 }, { "name": "uses_ms_protocol", "time": 0.0 }, { "name": "neshta_mutexes", "time": 0.0 }, { "name": "renamer_mutexes", "time": 0.0 }, { "name": "owa_web_shell_files", "time": 0.0 }, { "name": "web_shell_files", "time": 0.0 }, { "name": "web_shell_processes", "time": 0.0 }, { "name": "dotnet_csc_build", "time": 0.0 }, { "name": "mavinject_lolbin", "time": 0.0 }, { "name": "multiple_explorer_instances", "time": 0.0 }, { "name": "script_tool_executed", "time": 0.0 }, { "name": "suspicious_certutil_use", "time": 0.0 }, { "name": "suspicious_command_tools", "time": 0.0 }, { "name": "suspicious_mpcmdrun_use", "time": 0.0 }, { "name": "suspicious_ping_use", "time": 0.0 }, { "name": "uses_powershell_copyitem", "time": 0.0 }, { "name": "uses_windows_utilities", "time": 0.0 }, { "name": "uses_windows_utilities_appcmd", "time": 0.0 }, { "name": "uses_windows_utilities_csvde_ldifde", "time": 0.0 }, { "name": "uses_windows_utilities_cipher", "time": 0.0 }, { "name": "uses_windows_utilities_clickonce", "time": 0.0 }, { "name": "uses_windows_utilities_curl", "time": 0.0 }, { "name": "uses_windows_utilities_dsquery", "time": 0.0 }, { "name": "uses_windows_utilities_esentutl", "time": 0.0 }, { "name": "uses_windows_utilities_finger", "time": 0.0 }, { "name": "uses_windows_utilities_mode", "time": 0.0 }, { "name": "uses_windows_utilities_ntdsutil", "time": 0.0 }, { "name": "uses_windows_utilities_nltest", "time": 0.0 }, { "name": "uses_windows_utilities_xcopy", "time": 0.0 }, { "name": "wmic_command_suspicious", "time": 0.0 }, { "name": "scrcons_wmi_script_consumer", "time": 0.0 }, { "name": "allaple_mutexes", "time": 0.0 } ], "reporting": [ { "name": "BinGraph", "time": 0.0 } ] }, "info": { "version": "2.4-CAPE", "started": "2025-11-19 23:24:23", "ended": "2025-11-19 23:25:50", "duration": 87, "id": 9, "category": "file", "custom": "", "machine": { "id": 3, "status": "stopping", "name": "MalwareGuest", "label": "MalwareGuest", "platform": "windows", "manager": "Proxmox", "started_on": "2025-11-19 23:24:23", "shutdown_on": "2025-11-19 23:25:49" }, "package": "exe", "timeout": false, "tlp": null, "parent_sample": null, "options": {}, "source_url": null, "route": "internet", "user_id": 0, "CAPE_current_commit": "b8e0bcad685cdd750a8c54cd86745809ad1c320b" }, "behavior": { "processes": [ { "process_id": 3228, "process_name": "vesktop.exe", "parent_id": 2872, "module_path": "C:\\Temp\\vesktop.exe", "first_seen": "2025-11-19 20:24:26,220", "calls": [ { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51d15", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "218" }, { "name": "FunctionAddress", "value": "0x7ffecfe608c0" } ], "repeated": 0, "id": 0 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51d30", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "217" }, { "name": "FunctionAddress", "value": "0x7ffecfe97500" } ], "repeated": 0, "id": 1 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51d4d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetDefaultPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe93cd0" } ], "repeated": 0, "id": 2 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51d6a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetDefaultPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe59090" } ], "repeated": 0, "id": 3 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51d87", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrinterDriverPackagePathW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9e8f0" } ], "repeated": 0, "id": 4 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51da4", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "CorePrinterDriverInstalledW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9de30" } ], "repeated": 0, "id": 5 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51dc1", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetCorePrinterDriversW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9e4c0" } ], "repeated": 0, "id": 6 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51dde", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "UploadPrinterDriverPackageW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9ef60" } ], "repeated": 0, "id": 7 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51dfb", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "InstallPrinterDriverFromPackageW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9ec00" } ], "repeated": 0, "id": 8 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51e16", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "251" }, { "name": "FunctionAddress", "value": "0x7ffecfe60840" } ], "repeated": 0, "id": 9 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51e33", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPrinterConnection2W" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9d010" } ], "repeated": 0, "id": 10 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51e50", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "OpenPrinter2W" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe53fc0" } ], "repeated": 0, "id": 11 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51e6d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterKeyW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8ac90" } ], "repeated": 0, "id": 12 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51e8a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterDataExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8a610" } ], "repeated": 0, "id": 13 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51ea7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPrinterKeyW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8bc80" } ], "repeated": 0, "id": 14 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51ec4", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPrinterDataExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe57570" } ], "repeated": 0, "id": 15 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51ee1", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrinterDataExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe568c0" } ], "repeated": 0, "id": 16 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51efe", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetPrinterDataExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8f160" } ], "repeated": 0, "id": 17 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51f1b", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterDataW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8a790" } ], "repeated": 0, "id": 18 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51f38", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPrinterDataW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8ba40" } ], "repeated": 0, "id": 19 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51f55", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SpoolerPrinterEvent" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8fbe0" } ], "repeated": 0, "id": 20 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51f72", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetPortW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8f000" } ], "repeated": 0, "id": 21 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51f8f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DocumentPropertySheets" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe589b0" } ], "repeated": 0, "id": 22 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51fac", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DevicePropertySheets" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe90490" } ], "repeated": 0, "id": 23 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51fc9", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "IsValidDevmodeW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe60050" } ], "repeated": 0, "id": 24 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe51fe6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "IsValidDevmodeA" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe7f600" } ], "repeated": 0, "id": 25 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52003", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPortExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe87cc0" } ], "repeated": 0, "id": 26 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52020", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrintProvidorW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8a350" } ], "repeated": 0, "id": 27 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5203d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPrintProvidorW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe87fa0" } ], "repeated": 0, "id": 28 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5205a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrintProcessorW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8a210" } ], "repeated": 0, "id": 29 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52077", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeleteMonitorW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe89fa0" } ], "repeated": 0, "id": 30 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52094", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddMonitorW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe87a60" } ], "repeated": 0, "id": 31 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe520b1", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "StartDocDlgW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe86700" } ], "repeated": 0, "id": 32 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe520ce", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AdvancedDocumentPropertiesW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe88e70" } ], "repeated": 0, "id": 33 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe520eb", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AdvancedDocumentPropertiesA" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe7c780" } ], "repeated": 0, "id": 34 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52108", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DocumentPropertiesW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe56ab0" } ], "repeated": 0, "id": 35 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52125", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeviceCapabilitiesW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe566f0" } ], "repeated": 0, "id": 36 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52142", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterIC" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8ab80" } ], "repeated": 0, "id": 37 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5215f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "PlayGdiScriptOnPrinterIC" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8e330" } ], "repeated": 0, "id": 38 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5217c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "CreatePrinterIC" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe89c30" } ], "repeated": 0, "id": 39 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52199", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetJobW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8ed50" } ], "repeated": 0, "id": 40 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe521b6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetJobW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8c360" } ], "repeated": 0, "id": 41 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe521d3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumJobsW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe563f0" } ], "repeated": 0, "id": 42 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe521f0", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe88a30" } ], "repeated": 0, "id": 43 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5220d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8f4c0" } ], "repeated": 0, "id": 44 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5222a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrinterDriverW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe58060" } ], "repeated": 0, "id": 45 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52247", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrinterDriverDirectoryW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8d7b0" } ], "repeated": 0, "id": 46 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52264", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPrintersW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe596b0" } ], "repeated": 0, "id": 47 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52281", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPrinterConnectionW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9d320" } ], "repeated": 0, "id": 48 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5229e", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterConnectionW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9d3c0" } ], "repeated": 0, "id": 49 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe522bb", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPrinterDriverExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe88130" } ], "repeated": 0, "id": 50 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe522d8", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPrinterDriverExA" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe7c540" } ], "repeated": 0, "id": 51 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe522f5", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPrinterDriversW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe51280" } ], "repeated": 0, "id": 52 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52312", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterDriverW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8aa40" } ], "repeated": 0, "id": 53 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5232f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterDriverExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8a8f0" } ], "repeated": 0, "id": 54 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5234c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPrintProcessorW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe87e40" } ], "repeated": 0, "id": 55 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52369", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPrintProcessorsW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8b850" } ], "repeated": 0, "id": 56 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52386", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrintProcessorDirectoryW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8d5d0" } ], "repeated": 0, "id": 57 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe523a3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPrintProcessorDatatypesW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8b670" } ], "repeated": 0, "id": 58 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe523be", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "207" }, { "name": "FunctionAddress", "value": "0x7ffecfe87bd0" } ], "repeated": 0, "id": 59 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe523d9", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "209" }, { "name": "FunctionAddress", "value": "0x7ffecfe8a0e0" } ], "repeated": 0, "id": 60 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe523f4", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "211" }, { "name": "FunctionAddress", "value": "0x7ffecfe8b2d0" } ], "repeated": 0, "id": 61 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5240f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "212" }, { "name": "FunctionAddress", "value": "0x7ffecfe60500" } ], "repeated": 0, "id": 62 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5242c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SplDriverUnloadComplete" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8fbb0" } ], "repeated": 0, "id": 63 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52447", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "213" }, { "name": "FunctionAddress", "value": "0x7ffecfe5b7e0" } ], "repeated": 0, "id": 64 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52462", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "214" }, { "name": "FunctionAddress", "value": "0x7ffecfe600e0" } ], "repeated": 0, "id": 65 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5247f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "OpenPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe53380" } ], "repeated": 0, "id": 66 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5249c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "OpenPrinterA" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe7f640" } ], "repeated": 0, "id": 67 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe524b9", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "ResetPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe561e0" } ], "repeated": 0, "id": 68 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe524d6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "StartDocPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe550f0" } ], "repeated": 0, "id": 69 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe524f3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "FlushPrinter" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8bec0" } ], "repeated": 0, "id": 70 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52510", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrinterDataW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe54870" } ], "repeated": 0, "id": 71 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5252d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetPrinterDataW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8f320" } ], "repeated": 0, "id": 72 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5254a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddJobW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe87610" } ], "repeated": 0, "id": 73 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52567", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "ScheduleJob" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8e640" } ], "repeated": 0, "id": 74 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52584", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "WaitForPrinterChange" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe937e0" } ], "repeated": 0, "id": 75 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe525a1", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "FindNextPrinterChangeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe56e60" } ], "repeated": 0, "id": 76 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe525be", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "PrinterMessageBoxW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8e460" } ], "repeated": 0, "id": 77 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe525db", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "ClosePrinter" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe53b00" } ], "repeated": 0, "id": 78 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe525f8", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddFormW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe87440" } ], "repeated": 0, "id": 79 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52615", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeleteFormW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe89e00" } ], "repeated": 0, "id": 80 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52632", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetFormW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe55c00" } ], "repeated": 0, "id": 81 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5264f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetFormW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8eb70" } ], "repeated": 0, "id": 82 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5266c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumFormsW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe577a0" } ], "repeated": 0, "id": 83 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52689", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumPortsW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8b460" } ], "repeated": 0, "id": 84 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe526a6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumMonitorsW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8b0c0" } ], "repeated": 0, "id": 85 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe526c3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "AddPortW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe87dd0" } ], "repeated": 0, "id": 86 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe526e0", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "ConfigurePortW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe891a0" } ], "repeated": 0, "id": 87 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe526fd", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePortW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8a1a0" } ], "repeated": 0, "id": 88 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5271a", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrinterW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe57ac0" } ], "repeated": 0, "id": 89 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52737", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeletePrinterDriverPackageW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9e0d0" } ], "repeated": 0, "id": 90 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52752", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "234" }, { "name": "FunctionAddress", "value": "0x7ffecfe83440" } ], "repeated": 0, "id": 91 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5276f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetJobNamedPropertyValue" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9ff30" } ], "repeated": 0, "id": 92 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5278c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "SetJobNamedProperty" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe55930" } ], "repeated": 0, "id": 93 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe527a9", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "FreePrintPropertyValue" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9fea0" } ], "repeated": 0, "id": 94 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe527c6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "DeleteJobNamedProperty" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9f940" } ], "repeated": 0, "id": 95 }, { "timestamp": "2025-11-19 20:24:28,407", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe527e3", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "EnumJobNamedProperties" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9faf0" } ], "repeated": 0, "id": 96 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52800", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "FreePrintNamedPropertyArray" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe9fdd0" } ], "repeated": 0, "id": 97 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5281d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "GetPrintOutputInfo" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffecfe8d0f0" } ], "repeated": 0, "id": 98 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52838", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "261" }, { "name": "FunctionAddress", "value": "0x7ffecfe8db30" } ], "repeated": 0, "id": 99 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52853", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "365" }, { "name": "FunctionAddress", "value": "0x7ffecfe8e4c0" } ], "repeated": 0, "id": 100 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe5286e", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "367" }, { "name": "FunctionAddress", "value": "0x7ffecfe69030" } ], "repeated": 0, "id": 101 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52889", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WINSPOOL.DRV" }, { "name": "ModuleHandle", "value": "0x7ffecfe50000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "368" }, { "name": "FunctionAddress", "value": "0x7ffecfe696e0" } ], "repeated": 0, "id": 102 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10cac31", "parentcaller": "0x7ffecfe52889", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\winspool.drv" }, { "name": "BaseAddress", "value": "0x7ffecfe50000" }, { "name": "InitRoutine", "value": "0x7ffecfe61360" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 103 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34dc2c7", "parentcaller": "0x7ffee34dc05a", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\userenv" }, { "name": "BaseAddress", "value": "0x7ffee0a80000" }, { "name": "InitRoutine", "value": "0x7ffee0a84f10" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 104 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34dc2c7", "parentcaller": "0x7ffee34dc05a", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\dhcpcsvc" }, { "name": "BaseAddress", "value": "0x7ffed9820000" }, { "name": "InitRoutine", "value": "0x7ffed98229b0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 105 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34dc2c7", "parentcaller": "0x7ffee34dc05a", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\secur32" }, { "name": "BaseAddress", "value": "0x7ffedc860000" }, { "name": "InitRoutine", "value": "0x7ffedc862560" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 106 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee352e53f", "parentcaller": "0x7ffee348faf7", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "93" }, { "name": "ProcessInformation", "value": "\\x7f7\\x9e}" } ], "repeated": 0, "id": 107 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee3485157", "parentcaller": "0x7ffee34843ea", "category": "process", "api": "NtOpenSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000001d8" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "bcryptPrimitives.dll" } ], "repeated": 0, "id": 108 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee3484d42", "parentcaller": "0x7ffee3484aaa", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000001d8" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee1390000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x00082000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 109 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee347ffb5", "parentcaller": "0x7ffee347fad8", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee13f7000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 110 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee347ffed", "parentcaller": "0x7ffee347fad8", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee13f7000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 111 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee3480068", "parentcaller": "0x7ffee347fad8", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee13f7000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 112 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee348009c", "parentcaller": "0x7ffee347fad8", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee13f7000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 113 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee3485082", "parentcaller": "0x7ffee34879d2", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee13f7000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 114 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee3484485", "parentcaller": "0x7ffee34db2bd", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001d8" } ], "repeated": 0, "id": 115 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34b7bac", "parentcaller": "0x7ffee34a288a", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee13f7000" }, { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 116 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34b7bac", "parentcaller": "0x7ffee34a288a", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\System32\\bcryptPrimitives" }, { "name": "DllBase", "value": "0x7ffee1390000" } ], "repeated": 0, "id": 117 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13c9032", "parentcaller": "0x7ffee13a85a4", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000230" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" } ], "repeated": 0, "id": 118 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13c9065", "parentcaller": "0x7ffee13a85a4", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000230" }, { "name": "ValueName", "value": "STE" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE" } ], "repeated": 0, "id": 119 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13c9099", "parentcaller": "0x7ffee13a85a4", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000230" } ], "repeated": 0, "id": 120 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a8a04", "parentcaller": "0x7ffee13a8885", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000230" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy" } ], "repeated": 0, "id": 121 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a8a42", "parentcaller": "0x7ffee13a8885", "category": "registry", "api": "NtQueryValueKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000230" }, { "name": "ValueName", "value": "Enabled" }, { "name": "Type", "value": "4", "pretty_value": "REG_DWORD" }, { "name": "Information", "value": "0" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled" } ], "repeated": 0, "id": 122 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a8b03", "parentcaller": "0x7ffee13a8885", "category": "registry", "api": "NtOpenKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x00000234" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa" } ], "repeated": 0, "id": 123 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a8b43", "parentcaller": "0x7ffee13a8885", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000234" }, { "name": "ValueName", "value": "FipsAlgorithmPolicy" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy" } ], "repeated": 0, "id": 124 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a8be5", "parentcaller": "0x7ffee13a8885", "category": "registry", "api": "NtQueryValueKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000230" }, { "name": "ValueName", "value": "MDMEnabled" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled" } ], "repeated": 0, "id": 125 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a8c3b", "parentcaller": "0x7ffee13a8885", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000230" } ], "repeated": 0, "id": 126 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a8c51", "parentcaller": "0x7ffee13a8885", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000234" } ], "repeated": 0, "id": 127 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13a88f1", "parentcaller": "0x7ffee13a85fd", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration" } ], "repeated": 0, "id": 128 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee13af1bc", "parentcaller": "0x7ffee13af0ce", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000234" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "\\Device\\CNG" }, { "name": "ShareAccess", "value": "7", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 129 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee1675921", "parentcaller": "0x7ffee13af10d", "category": "device", "api": "DeviceIoControl", "status": true, "return": "0x00000001", "arguments": [ { "name": "DeviceHandle", "value": "0x00000234" }, { "name": "IoControlCode", "value": "0x00390008", "pretty_value": "IOCTL_KSEC_RANDOM_FILL_BUFFER" }, { "name": "InBuffer", "value": "" }, { "name": "OutBuffer", "value": "%>m^d?#\\x99\\xa9f\\xd3\\x00\\xa7\\xc7\\x85\\xd7pb\\xc3\\xa5`\\xdd\\xfc\\x90mw\\xb1\\xa7X\\x88vK\\xdc\\xed\\x12\"\\xc4J\n8\\x14\\x19B^\\xec`3X" } ], "repeated": 0, "id": 130 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee1675921", "parentcaller": "0x7ffee13af10d", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\bcryptprimitives" }, { "name": "BaseAddress", "value": "0x7ffee1390000" }, { "name": "InitRoutine", "value": "0x7ffee13c8b60" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 131 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34b7830", "parentcaller": "0x7ffee34a20f9", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee345e000" }, { "name": "ModuleName", "value": "RPCRT4.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 132 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34b7881", "parentcaller": "0x7ffee34a20f9", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee345e000" }, { "name": "ModuleName", "value": "RPCRT4.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 133 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffed6a73c47", "parentcaller": "0x7ffed6a73b1a", "category": "misc", "api": "FindResourceExW", "status": true, "return": "0x7ffed6c69168", "arguments": [ { "name": "Module", "value": "0x7ffed6a30000" }, { "name": "Type", "value": "EMBEDDEDDATA" }, { "name": "Name", "value": "UcdData" }, { "name": "Language", "value": "0x00000000" } ], "repeated": 0, "id": 134 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffed6a73c82", "parentcaller": "0x7ffed6a73b1a", "category": "misc", "api": "LoadResource", "status": true, "return": "0x7ffed6c7ab88", "arguments": [ { "name": "Module", "value": "0x7ffed6a30000" }, { "name": "ResourceInfo", "value": "0x7ffed6c69168" } ], "repeated": 0, "id": 135 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10c3a9c", "parentcaller": "0x7ffee10c3529", "category": "misc", "api": "RtlSetCurrentTransaction", "status": true, "return": "0x00000001", "arguments": [ { "name": "TransactionHandle", "value": "0x00000000" } ], "repeated": 1, "id": 136 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10c40c4", "parentcaller": "0x7ffee10c3f4b", "category": "registry", "api": "NtQueryKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "KeyHandle", "value": "0x000000c8" }, { "name": "KeyInformation", "value": "\\x00\\x00\\x00\\x00" }, { "name": "KeyInformationClass", "value": "7" } ], "repeated": 0, "id": 137 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee10c3f76", "parentcaller": "0x7ffee1144fd4", "category": "registry", "api": "NtOpenKeyEx", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00000001", "pretty_value": "KEY_QUERY_VALUE" }, { "name": "ObjectAttributesHandle", "value": "0x000000c8" }, { "name": "ObjectAttributesName", "value": "Software\\Microsoft\\DirectWrite" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectWrite" } ], "repeated": 0, "id": 138 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffed6a73c47", "parentcaller": "0x7ffed6a73be6", "category": "misc", "api": "FindResourceExW", "status": true, "return": "0x7ffed6c69178", "arguments": [ { "name": "Module", "value": "0x7ffed6a30000" }, { "name": "Type", "value": "FONTFALLBACK" }, { "name": "Name", "value": "Fallback" }, { "name": "Language", "value": "0x00000000" } ], "repeated": 0, "id": 139 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffed6a73c6a", "parentcaller": "0x7ffed6a73be6", "category": "misc", "api": "SizeofResource", "status": true, "return": "0x000048ee", "arguments": [ { "name": "ModuleHandle", "value": "0x7ffed6a30000" }, { "name": "ResourceInfo", "value": "0x7ffed6c69178" } ], "repeated": 0, "id": 140 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffed6a73c82", "parentcaller": "0x7ffed6a73be6", "category": "misc", "api": "LoadResource", "status": true, "return": "0x7ffed6ca83c8", "arguments": [ { "name": "Module", "value": "0x7ffed6a30000" }, { "name": "ResourceInfo", "value": "0x7ffed6c69178" } ], "repeated": 0, "id": 141 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffed6a73c82", "parentcaller": "0x7ffed6a73be6", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\DWrite" }, { "name": "BaseAddress", "value": "0x7ffed6a30000" }, { "name": "InitRoutine", "value": "0x7ffed6ac7bb0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 142 }, { "timestamp": "2025-11-19 20:24:28,423", "thread_id": "2480", "caller": "0x7ffee34dc2c7", "parentcaller": "0x7ffee34dc05a", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\dpapi" }, { "name": "BaseAddress", "value": "0x7ffee08b0000" }, { "name": "InitRoutine", "value": "0x7ffee08b1850" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 143 }, { "timestamp": "2025-11-19 20:24:29,454", "thread_id": "2480", "caller": "0x7ffee3489aff", "parentcaller": "0x7ffee3543d4d", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000050", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Temp\\vesktop.exe" }, { "name": "BaseAddress", "value": "0x7ff76d410000" }, { "name": "InitRoutine", "value": "0x7ff76f58e350" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 144 }, { "timestamp": "2025-11-19 20:24:30,454", "thread_id": "2480", "caller": "0x7ffee3489aff", "parentcaller": "0x7ffee3543d4d", "category": "system", "api": "LdrpCallInitRoutine", "status": false, "return": "0x00000000", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Temp\\vesktop.exe" }, { "name": "BaseAddress", "value": "0x7ff76d410000" }, { "name": "InitRoutine", "value": "0x7ff7711db100" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 145 }, { "timestamp": "2025-11-19 20:24:31,454", "thread_id": "2480", "caller": "0x7ffee3489aff", "parentcaller": "0x7ffee3543d4d", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000090", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Temp\\vesktop.exe" }, { "name": "BaseAddress", "value": "0x7ff76d410000" }, { "name": "InitRoutine", "value": "0x7ff7724a6090" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 146 }, { "timestamp": "2025-11-19 20:24:32,470", "thread_id": "2480", "caller": "0x7ffee3489aff", "parentcaller": "0x7ffee3543d4d", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000073", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Temp\\vesktop.exe" }, { "name": "BaseAddress", "value": "0x7ff76d410000" }, { "name": "InitRoutine", "value": "0x7ff76f636570" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 147 }, { "timestamp": "2025-11-19 20:24:33,485", "thread_id": "2480", "caller": "0x7ffee3489aff", "parentcaller": "0x7ffee3543d4d", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000088", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Temp\\vesktop.exe" }, { "name": "BaseAddress", "value": "0x7ff76d410000" }, { "name": "InitRoutine", "value": "0x7ff7724a6110" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 148 }, { "timestamp": "2025-11-19 20:24:34,485", "thread_id": "2480", "caller": "0x7ffee3489aff", "parentcaller": "0x7ffee3543d4d", "category": "system", "api": "LdrpCallInitRoutine", "status": false, "return": "0x00000000", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Temp\\vesktop.exe" }, { "name": "BaseAddress", "value": "0x7ff76d410000" }, { "name": "InitRoutine", "value": "0x7ff76dc25fb0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 149 }, { "timestamp": "2025-11-19 20:24:35,501", "thread_id": "2480", "caller": "0x7ffee3489aff", "parentcaller": "0x7ffee3543d4d", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x000000e0", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Temp\\vesktop.exe" }, { "name": "BaseAddress", "value": "0x7ff76d410000" }, { "name": "InitRoutine", "value": "0x7ff76f5f74e0" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 150 }, { "timestamp": "2025-11-19 20:24:35,501", "thread_id": "2480", "caller": "0x7ffee34e507d", "parentcaller": "0x7ffee34e4c43", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 151 }, { "timestamp": "2025-11-19 20:24:35,501", "thread_id": "2964", "caller": "0x7ffee34ceb32", "parentcaller": "0x7ffee34877c3", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000038" }, { "name": "Milliseconds", "value": "18446744073709551615" }, { "name": "Status", "value": "Infinite" } ], "repeated": 3, "id": 152 }, { "timestamp": "2025-11-19 20:24:36,766", "thread_id": "3728", "caller": "0x7ff771defb8a", "parentcaller": "0x7ff771e266ff", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "bcryptprimitives.dll" }, { "name": "BaseAddress", "value": "0x7ffee1390000" } ], "repeated": 0, "id": 153 }, { "timestamp": "2025-11-19 20:24:36,766", "thread_id": "3728", "caller": "0x7ff771defb8a", "parentcaller": "0x7ff771e266ff", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1390000", "arguments": [ { "name": "lpLibFileName", "value": "bcryptprimitives.dll" }, { "name": "dwFlags", "value": "0x00000000" } ], "repeated": 0, "id": 154 }, { "timestamp": "2025-11-19 20:24:36,766", "thread_id": "3728", "caller": "0x7ff771defb9f", "parentcaller": "0x7ff771e266ff", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1390000" }, { "name": "FunctionName", "value": "ProcessPrng" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee13a5010" } ], "repeated": 0, "id": 155 }, { "timestamp": "2025-11-19 20:24:36,766", "thread_id": "3728", "caller": "0x7ffee34e507d", "parentcaller": "0x7ffee34e4c43", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 3, "id": 156 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724f6273", "parentcaller": "0x7ff7724f61ba", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-core-synch-l1-2-0" }, { "name": "BaseAddress", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 157 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724f6273", "parentcaller": "0x7ff7724f61ba", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1090000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-core-synch-l1-2-0" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 158 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724f6325", "parentcaller": "0x7ff7724f61ba", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "InitializeCriticalSectionEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10fbe60" } ], "repeated": 0, "id": 159 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724f6273", "parentcaller": "0x7ff7724f607d", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-core-fibers-l1-1-1" }, { "name": "BaseAddress", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 160 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724f6273", "parentcaller": "0x7ff7724f607d", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1090000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-core-fibers-l1-1-1" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 161 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724f6325", "parentcaller": "0x7ff7724f607d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "FlsAlloc" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee110ac60" } ], "repeated": 0, "id": 162 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724f6325", "parentcaller": "0x7ff7724f615e", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "FlsSetValue" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10db6d0" } ], "repeated": 0, "id": 163 }, { "timestamp": "2025-11-19 20:24:37,376", "thread_id": "2480", "caller": "0x7ff7724e6636", "parentcaller": "0x7ff7724e829a", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000008", "pretty_value": "PAGE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 164 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e7133", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-core-fibers-l1-1-2" }, { "name": "BaseAddress", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 165 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e7133", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1090000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-core-fibers-l1-1-2" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 166 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e7133", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": false, "return": "0xffffffffc0000139", "pretty_return": "ENTRYPOINT_NOT_FOUND", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "FlsGetValue2" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x00000000" } ], "repeated": 0, "id": 167 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e7133", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 168 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e7133", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 169 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff76f5fb295", "parentcaller": "0x7ff76f5fb31c", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "bcryptprimitives.dll" }, { "name": "BaseAddress", "value": "0x7ffee1390000" } ], "repeated": 0, "id": 170 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff76f5fb295", "parentcaller": "0x7ff76f5fb31c", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1390000", "arguments": [ { "name": "lpLibFileName", "value": "bcryptprimitives.dll" }, { "name": "dwFlags", "value": "0x00000000" } ], "repeated": 0, "id": 171 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff76f5fb2aa", "parentcaller": "0x7ff76f5fb31c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "bcryptPrimitives.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1390000" }, { "name": "FunctionName", "value": "ProcessPrng" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee13a5010" } ], "repeated": 0, "id": 172 }, { "timestamp": "2025-11-19 20:24:37,391", "thread_id": "2480", "caller": "0x7ff76f6038c9", "parentcaller": "0x7ff76f6035ee", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000000000" }, { "name": "RegionSize", "value": "0x800000000" }, { "name": "Protection", "value": "0x00000001", "pretty_value": "PAGE_NOACCESS" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 173 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff76f60350c", "parentcaller": "0x7ff76f60155e", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000001000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 174 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000004000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 175 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000008000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 176 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff7724e76fa", "parentcaller": "0x7ff7724e829a", "category": "misc", "api": "GetCommandLineA", "status": true, "return": "0x2106ad63a70", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Temp\\vesktop.exe\" " } ], "repeated": 0, "id": 177 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff7724e7707", "parentcaller": "0x7ff7724e829a", "category": "misc", "api": "GetCommandLineW", "status": true, "return": "0x2106ad62190", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Temp\\vesktop.exe\" " } ], "repeated": 0, "id": 178 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000018000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 179 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6c03", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-core-localization-l1-2-1" }, { "name": "BaseAddress", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 180 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6c03", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1090000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-core-localization-l1-2-1" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 181 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e6c03", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "LCMapStringEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10ad3c0" } ], "repeated": 0, "id": 182 }, { "timestamp": "2025-11-19 20:24:37,407", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e6c03", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 183 }, { "timestamp": "2025-11-19 20:24:37,423", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e6c03", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 184 }, { "timestamp": "2025-11-19 20:24:37,423", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000028000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 185 }, { "timestamp": "2025-11-19 20:24:37,423", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900002c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 186 }, { "timestamp": "2025-11-19 20:24:37,423", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000030000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 187 }, { "timestamp": "2025-11-19 20:24:37,423", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900003c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 188 }, { "timestamp": "2025-11-19 20:24:37,423", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900004c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 189 }, { "timestamp": "2025-11-19 20:24:37,423", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900005c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 190 }, { "timestamp": "2025-11-19 20:24:37,438", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900006c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 191 }, { "timestamp": "2025-11-19 20:24:37,438", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000070000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 192 }, { "timestamp": "2025-11-19 20:24:37,438", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900007c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 193 }, { "timestamp": "2025-11-19 20:24:37,438", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000080000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 194 }, { "timestamp": "2025-11-19 20:24:37,438", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900008c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 195 }, { "timestamp": "2025-11-19 20:24:37,438", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900009c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 196 }, { "timestamp": "2025-11-19 20:24:37,438", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000a4000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 197 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff76f51d9f1", "parentcaller": "0x7ff7724c0256", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "kernel32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1660000" } ], "repeated": 0, "id": 198 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff76f51da01", "parentcaller": "0x7ff7724c0256", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x7ffee1660000" }, { "name": "FunctionName", "value": "GetSystemTimePreciseAsFileTime" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee1685350" } ], "repeated": 0, "id": 199 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000a8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 200 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000ac000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 201 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000b8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 202 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6f80", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "kernel32" }, { "name": "BaseAddress", "value": "0x7ffee1660000" } ], "repeated": 0, "id": 203 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6f80", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1660000", "arguments": [ { "name": "lpLibFileName", "value": "kernel32" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 204 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e6f80", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x7ffee1660000" }, { "name": "FunctionName", "value": "AreFileApisANSI" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee1680f00" } ], "repeated": 0, "id": 205 }, { "timestamp": "2025-11-19 20:24:37,454", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e6f80", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 206 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e6f80", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 207 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6f85", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-core-string-l1-1-0" }, { "name": "BaseAddress", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 208 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6f85", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1090000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-core-string-l1-1-0" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 209 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e6f85", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "CompareStringEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10b7130" } ], "repeated": 0, "id": 210 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e6f85", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 211 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e6f85", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 212 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e6fae", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "EnumSystemLocalesEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee1117f40" } ], "repeated": 0, "id": 213 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e6fae", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 214 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e6fae", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 215 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6fd7", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-core-datetime-l1-1-1" }, { "name": "BaseAddress", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 216 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e6fd7", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1090000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-core-datetime-l1-1-1" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 217 }, { "timestamp": "2025-11-19 20:24:37,470", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e6fd7", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "GetDateFormatEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee11055b0" } ], "repeated": 0, "id": 218 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e6fd7", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 219 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e6fd7", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 220 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e7000", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "GetLocaleInfoEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10b0210" } ], "repeated": 0, "id": 221 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e7000", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 222 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e7000", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 223 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e7029", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "GetTimeFormatEx" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee110d1a0" } ], "repeated": 0, "id": 224 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e7029", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 225 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e7029", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 226 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e7052", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "GetUserDefaultLocaleName" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10cae80" } ], "repeated": 0, "id": 227 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e7052", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 228 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e7052", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 229 }, { "timestamp": "2025-11-19 20:24:37,485", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e707b", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "IsValidLocaleName" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10aad90" } ], "repeated": 0, "id": 230 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e707b", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 231 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e707b", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 232 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e70cd", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-core-localization-obsolete-l1-2-0" }, { "name": "BaseAddress", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 233 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e71b3", "parentcaller": "0x7ff7724e70cd", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1090000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-core-localization-obsolete-l1-2-0" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 234 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e70cd", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "LCIDToLocaleName" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee10aae60" } ], "repeated": 0, "id": 235 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e70cd", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 236 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e70cd", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 237 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e72e4", "parentcaller": "0x7ff7724e70f6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "LocaleNameToLCID" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee1100070" } ], "repeated": 0, "id": 238 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e7263", "parentcaller": "0x7ff7724e70f6", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 239 }, { "timestamp": "2025-11-19 20:24:37,501", "thread_id": "2480", "caller": "0x7ff7724e7294", "parentcaller": "0x7ff7724e70f6", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ff779f7d000" }, { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 240 }, { "timestamp": "2025-11-19 20:24:37,516", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000030000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 241 }, { "timestamp": "2025-11-19 20:24:37,516", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000b8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 242 }, { "timestamp": "2025-11-19 20:24:37,516", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000b8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 243 }, { "timestamp": "2025-11-19 20:24:37,516", "thread_id": "2480", "caller": "0x7ff7724a77b9", "parentcaller": "0x7ff7724c0256", "category": "hooking", "api": "SetUnhandledExceptionFilter", "status": true, "return": "0x00000001", "arguments": [ { "name": "ExceptionFilter", "value": "0x7ff7724a6ff0" } ], "repeated": 0, "id": 244 }, { "timestamp": "2025-11-19 20:24:37,516", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 245 }, { "timestamp": "2025-11-19 20:24:37,516", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000b8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 246 }, { "timestamp": "2025-11-19 20:24:37,516", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 247 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 248 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 249 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000a5000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 250 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000d0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 251 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000d4000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 252 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000a6000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 253 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000028000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 254 }, { "timestamp": "2025-11-19 20:24:37,532", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000d0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 255 }, { "timestamp": "2025-11-19 20:24:37,548", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900007d000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 256 }, { "timestamp": "2025-11-19 20:24:37,548", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900004d000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 257 }, { "timestamp": "2025-11-19 20:24:37,548", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900004e000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 258 }, { "timestamp": "2025-11-19 20:24:37,548", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000071000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 259 }, { "timestamp": "2025-11-19 20:24:37,548", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900004f000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 260 }, { "timestamp": "2025-11-19 20:24:37,548", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000050000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 261 }, { "timestamp": "2025-11-19 20:24:37,548", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000051000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 262 }, { "timestamp": "2025-11-19 20:24:37,563", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900007e000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 263 }, { "timestamp": "2025-11-19 20:24:37,563", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000052000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 264 }, { "timestamp": "2025-11-19 20:24:37,563", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000053000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 265 }, { "timestamp": "2025-11-19 20:24:37,563", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000d0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 266 }, { "timestamp": "2025-11-19 20:24:37,563", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000d8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 267 }, { "timestamp": "2025-11-19 20:24:37,563", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000e8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 268 }, { "timestamp": "2025-11-19 20:24:37,563", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000028000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 269 }, { "timestamp": "2025-11-19 20:24:37,579", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000f0000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 270 }, { "timestamp": "2025-11-19 20:24:37,579", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900005d000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 271 }, { "timestamp": "2025-11-19 20:24:37,579", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000fc000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 272 }, { "timestamp": "2025-11-19 20:24:37,579", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000104000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 273 }, { "timestamp": "2025-11-19 20:24:37,579", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900005e000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 274 }, { "timestamp": "2025-11-19 20:24:37,579", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000072000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 275 }, { "timestamp": "2025-11-19 20:24:37,579", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900005f000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 276 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000b8000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 277 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000073000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 278 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000060000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 279 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900002d000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 280 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000061000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 281 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000054000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 282 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000062000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 283 }, { "timestamp": "2025-11-19 20:24:37,595", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900007f000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 284 }, { "timestamp": "2025-11-19 20:24:37,610", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000063000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 285 }, { "timestamp": "2025-11-19 20:24:37,610", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000074000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 286 }, { "timestamp": "2025-11-19 20:24:37,610", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000110000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 287 }, { "timestamp": "2025-11-19 20:24:37,610", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000064000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 288 }, { "timestamp": "2025-11-19 20:24:37,610", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900002e000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 289 }, { "timestamp": "2025-11-19 20:24:37,610", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000065000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 290 }, { "timestamp": "2025-11-19 20:24:37,610", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000111000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 291 }, { "timestamp": "2025-11-19 20:24:37,626", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000114000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 292 }, { "timestamp": "2025-11-19 20:24:37,626", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000066000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 293 }, { "timestamp": "2025-11-19 20:24:37,626", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000081000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 294 }, { "timestamp": "2025-11-19 20:24:37,626", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000112000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 295 }, { "timestamp": "2025-11-19 20:24:37,626", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000067000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 296 }, { "timestamp": "2025-11-19 20:24:37,626", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000075000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 297 }, { "timestamp": "2025-11-19 20:24:37,626", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000b9000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 298 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000068000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 299 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000113000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 300 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000069000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 301 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900002f000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 302 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000124000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 303 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900006a000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 304 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000128000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 305 }, { "timestamp": "2025-11-19 20:24:37,641", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000130000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 306 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feee73", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" } ], "repeated": 0, "id": 307 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feee92", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "RtlGetVersion" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee34ae4e0" } ], "repeated": 0, "id": 308 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feeea5", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "RtlNtStatusToDosError" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee34c0800" } ], "repeated": 0, "id": 309 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feeec5", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "NtDeviceIoControlFile" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee350d0b0" } ], "repeated": 0, "id": 310 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feeee5", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "NtQueryInformationFile" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee350d1f0" } ], "repeated": 0, "id": 311 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feef05", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "NtSetInformationFile" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee350d4b0" } ], "repeated": 0, "id": 312 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feef25", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "NtQueryVolumeInformationFile" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee350d8f0" } ], "repeated": 0, "id": 313 }, { "timestamp": "2025-11-19 20:24:37,657", "thread_id": "2480", "caller": "0x7ff770feef45", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "NtQueryDirectoryFile" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee350d670" } ], "repeated": 0, "id": 314 }, { "timestamp": "2025-11-19 20:24:37,673", "thread_id": "2480", "caller": "0x7ff770feef65", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "NtQuerySystemInformation" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee350d690" } ], "repeated": 0, "id": 315 }, { "timestamp": "2025-11-19 20:24:37,673", "thread_id": "2480", "caller": "0x7ff770feef85", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "NtQueryInformationProcess" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee350d2f0" } ], "repeated": 0, "id": 316 }, { "timestamp": "2025-11-19 20:24:37,673", "thread_id": "2480", "caller": "0x7ff770feefaa", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\powrprof" }, { "name": "DllBase", "value": "0x7ffee09f0000" } ], "repeated": 0, "id": 317 }, { "timestamp": "2025-11-19 20:24:37,673", "thread_id": "2480", "caller": "0x7ff770feefaa", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\UMPDC" }, { "name": "DllBase", "value": "0x7ffee09d0000" } ], "repeated": 0, "id": 318 }, { "timestamp": "2025-11-19 20:24:37,673", "thread_id": "2480", "caller": "0x7ff770feefaa", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "powrprof.dll" }, { "name": "BaseAddress", "value": "0x7ffee09f0000" } ], "repeated": 0, "id": 319 }, { "timestamp": "2025-11-19 20:24:37,673", "thread_id": "2480", "caller": "0x7ff770feefaa", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee09f0000", "arguments": [ { "name": "lpLibFileName", "value": "powrprof.dll" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 320 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff770feefbf", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "powrprof.dll" }, { "name": "ModuleHandle", "value": "0x7ffee09f0000" }, { "name": "FunctionName", "value": "PowerRegisterSuspendResumeNotification" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee09f29b0" } ], "repeated": 0, "id": 321 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff770feefd3", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "user32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1f70000" } ], "repeated": 0, "id": 322 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff770feefe8", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1f70000" }, { "name": "FunctionName", "value": "SetWinEventHook" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee1f99460" } ], "repeated": 0, "id": 323 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff770feeffc", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "ws2_32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee22c0000" } ], "repeated": 0, "id": 324 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff770fef011", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "WS2_32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee22c0000" }, { "name": "FunctionName", "value": "GetHostNameW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee22e5b20" } ], "repeated": 0, "id": 325 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff770fef025", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "api-ms-win-core-file-l2-1-4.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" } ], "repeated": 0, "id": 326 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff770fef03a", "parentcaller": "0x7ff77100f38c", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": false, "return": "0xffffffffc0000139", "pretty_return": "ENTRYPOINT_NOT_FOUND", "arguments": [ { "name": "ModuleName", "value": "KERNELBASE.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1090000" }, { "name": "FunctionName", "value": "GetFileInformationByName" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x00000000" } ], "repeated": 0, "id": 327 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777829d8f", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "USER32.dll" }, { "name": "BaseAddress", "value": "0x7ffee1f70000" } ], "repeated": 0, "id": 328 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777829d8f", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1f70000", "arguments": [ { "name": "lpLibFileName", "value": "USER32.dll" }, { "name": "dwFlags", "value": "0x00000000" } ], "repeated": 0, "id": 329 }, { "timestamp": "2025-11-19 20:24:37,688", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777829d8f", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "USER32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1f70000" }, { "name": "FunctionName", "value": "GetSystemMetrics" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee1f90f20" } ], "repeated": 0, "id": 330 }, { "timestamp": "2025-11-19 20:24:37,704", "thread_id": "2480", "caller": "0x7ff770ff1e3f", "parentcaller": "0x7ff77100f391", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\system32\\uxtheme" }, { "name": "DllBase", "value": "0x7ffede5b0000" } ], "repeated": 0, "id": 331 }, { "timestamp": "2025-11-19 20:24:37,704", "thread_id": "2480", "caller": "0x7ff770ff1e3f", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "C:\\Windows\\System32\\uxtheme.dll" }, { "name": "BaseAddress", "value": "0x7ffede5b0000" } ], "repeated": 0, "id": 332 }, { "timestamp": "2025-11-19 20:24:37,704", "thread_id": "2480", "caller": "0x7ff770ff1e87", "parentcaller": "0x7ff77100f391", "category": "network", "api": "WSAStartup", "status": true, "return": "0x00000000", "arguments": [ { "name": "VersionRequested", "value": "0x00000202" } ], "repeated": 0, "id": 333 }, { "timestamp": "2025-11-19 20:24:37,720", "thread_id": "2480", "caller": "0x7ff770ff1eac", "parentcaller": "0x7ff77100f391", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\system32\\mswsock" }, { "name": "DllBase", "value": "0x7ffee0260000" } ], "repeated": 0, "id": 334 }, { "timestamp": "2025-11-19 20:24:37,720", "thread_id": "2480", "caller": "0x7ff770ff1eac", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtQuerySystemTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 2, "id": 335 }, { "timestamp": "2025-11-19 20:24:37,720", "thread_id": "2480", "caller": "0x7ff770ff1eac", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "C:\\Windows\\System32\\mswsock.dll" }, { "name": "BaseAddress", "value": "0x7ffee0260000" } ], "repeated": 0, "id": 336 }, { "timestamp": "2025-11-19 20:24:37,720", "thread_id": "2480", "caller": "0x7ff770ff1eac", "parentcaller": "0x7ff77100f391", "category": "network", "api": "socket", "status": true, "return": "0x00000250", "arguments": [ { "name": "af", "value": "2", "pretty_value": "AF_INET" }, { "name": "type", "value": "1", "pretty_value": "SOCK_STREAM" }, { "name": "protocol", "value": "0" }, { "name": "socket", "value": "592" } ], "repeated": 0, "id": 337 }, { "timestamp": "2025-11-19 20:24:37,720", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 338 }, { "timestamp": "2025-11-19 20:24:37,720", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001d4" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 339 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106ad9c000" }, { "name": "RegionSize", "value": "0x00002000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 340 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 341 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtWaitForSingleObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000001d4" }, { "name": "Milliseconds", "value": "0" } ], "repeated": 0, "id": 342 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee0260000", "arguments": [ { "name": "lpLibFileName", "value": "C:\\Windows\\System32\\mswsock.dll" }, { "name": "dwFlags", "value": "0x00000022" } ], "repeated": 0, "id": 343 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" } ], "repeated": 0, "id": 344 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000254" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 345 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000258" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000254" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui" } ], "repeated": 0, "id": 346 }, { "timestamp": "2025-11-19 20:24:37,735", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x00000258" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb30000" }, { "name": "SectionOffset", "value": "0x4b56ffda50" }, { "name": "ViewSize", "value": "0x00004000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 347 }, { "timestamp": "2025-11-19 20:24:37,751", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000258" } ], "repeated": 0, "id": 348 }, { "timestamp": "2025-11-19 20:24:37,751", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee0260000", "arguments": [ { "name": "lpLibFileName", "value": "C:\\Windows\\System32\\mswsock.dll" }, { "name": "dwFlags", "value": "0x00000022" } ], "repeated": 3, "id": 349 }, { "timestamp": "2025-11-19 20:24:37,766", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106ad9e000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 350 }, { "timestamp": "2025-11-19 20:24:37,766", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee0260000", "arguments": [ { "name": "lpLibFileName", "value": "C:\\Windows\\System32\\mswsock.dll" }, { "name": "dwFlags", "value": "0x00000022" } ], "repeated": 0, "id": 351 }, { "timestamp": "2025-11-19 20:24:37,766", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x2106cb40002", "arguments": [ { "name": "lpLibFileName", "value": "C:\\Windows\\System32\\wshqos.dll" }, { "name": "dwFlags", "value": "0x00000022" } ], "repeated": 0, "id": 352 }, { "timestamp": "2025-11-19 20:24:37,766", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" } ], "repeated": 0, "id": 353 }, { "timestamp": "2025-11-19 20:24:37,766", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000258" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 354 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000258" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" } ], "repeated": 0, "id": 355 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "SectionOffset", "value": "0x4b56ffda50" }, { "name": "ViewSize", "value": "0x00001000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 356 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000025c" } ], "repeated": 0, "id": 357 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "RegionSize", "value": "0x00001000" } ], "repeated": 0, "id": 358 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000258" } ], "repeated": 0, "id": 359 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb40000" }, { "name": "RegionSize", "value": "0x0000a000" } ], "repeated": 0, "id": 360 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x2106cb40002", "arguments": [ { "name": "lpLibFileName", "value": "C:\\Windows\\System32\\wshqos.dll" }, { "name": "dwFlags", "value": "0x00000022" } ], "repeated": 0, "id": 361 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106ad9f000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 362 }, { "timestamp": "2025-11-19 20:24:37,782", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" } ], "repeated": 0, "id": 363 }, { "timestamp": "2025-11-19 20:24:37,798", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000258" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 364 }, { "timestamp": "2025-11-19 20:24:37,798", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000258" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" } ], "repeated": 0, "id": 365 }, { "timestamp": "2025-11-19 20:24:37,798", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "SectionOffset", "value": "0x4b56ffda50" }, { "name": "ViewSize", "value": "0x00001000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 366 }, { "timestamp": "2025-11-19 20:24:37,798", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000025c" } ], "repeated": 0, "id": 367 }, { "timestamp": "2025-11-19 20:24:37,798", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "RegionSize", "value": "0x00001000" } ], "repeated": 0, "id": 368 }, { "timestamp": "2025-11-19 20:24:37,798", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000258" } ], "repeated": 0, "id": 369 }, { "timestamp": "2025-11-19 20:24:37,798", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb40000" }, { "name": "RegionSize", "value": "0x0000a000" } ], "repeated": 0, "id": 370 }, { "timestamp": "2025-11-19 20:24:37,813", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x2106cb40002", "arguments": [ { "name": "lpLibFileName", "value": "C:\\Windows\\System32\\wshqos.dll" }, { "name": "dwFlags", "value": "0x00000022" } ], "repeated": 0, "id": 371 }, { "timestamp": "2025-11-19 20:24:37,813", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" } ], "repeated": 0, "id": 372 }, { "timestamp": "2025-11-19 20:24:37,813", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000258" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 373 }, { "timestamp": "2025-11-19 20:24:37,813", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000258" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" } ], "repeated": 0, "id": 374 }, { "timestamp": "2025-11-19 20:24:37,813", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "SectionOffset", "value": "0x4b56ffda50" }, { "name": "ViewSize", "value": "0x00001000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 375 }, { "timestamp": "2025-11-19 20:24:37,813", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000025c" } ], "repeated": 0, "id": 376 }, { "timestamp": "2025-11-19 20:24:37,813", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "RegionSize", "value": "0x00001000" } ], "repeated": 0, "id": 377 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000258" } ], "repeated": 0, "id": 378 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb40000" }, { "name": "RegionSize", "value": "0x0000a000" } ], "repeated": 0, "id": 379 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x2106cb40002", "arguments": [ { "name": "lpLibFileName", "value": "C:\\Windows\\System32\\wshqos.dll" }, { "name": "dwFlags", "value": "0x00000022" } ], "repeated": 0, "id": 380 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "registry", "api": "NtOpenKey", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "KeyHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x00020019", "pretty_value": "KEY_READ" }, { "name": "ObjectAttributesHandle", "value": "0x00000000" }, { "name": "ObjectAttributesName", "value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" }, { "name": "ObjectAttributes", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU" } ], "repeated": 0, "id": 381 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x00000258" }, { "name": "DesiredAccess", "value": "0x00100001", "pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 382 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "DesiredAccess", "value": "0x000f0005", "pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x00000258" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui" } ], "repeated": 0, "id": 383 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x0000025c" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "SectionOffset", "value": "0x4b56ffda50" }, { "name": "ViewSize", "value": "0x00001000" }, { "name": "Win32Protect", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 384 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x0000025c" } ], "repeated": 0, "id": 385 }, { "timestamp": "2025-11-19 20:24:37,829", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb50000" }, { "name": "RegionSize", "value": "0x00001000" } ], "repeated": 0, "id": 386 }, { "timestamp": "2025-11-19 20:24:37,845", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x00000258" } ], "repeated": 0, "id": 387 }, { "timestamp": "2025-11-19 20:24:37,845", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtUnmapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106cb40000" }, { "name": "RegionSize", "value": "0x0000a000" } ], "repeated": 0, "id": 388 }, { "timestamp": "2025-11-19 20:24:37,845", "thread_id": "2480", "caller": "0x7ff770ff1ede", "parentcaller": "0x7ff77100f391", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106ada0000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 389 }, { "timestamp": "2025-11-19 20:24:37,845", "thread_id": "2480", "caller": "0x7ff770ff1eef", "parentcaller": "0x7ff77100f391", "category": "network", "api": "closesocket", "status": true, "return": "0x00000000", "arguments": [ { "name": "socket", "value": "592" } ], "repeated": 0, "id": 390 }, { "timestamp": "2025-11-19 20:24:37,845", "thread_id": "2480", "caller": "0x7ff770ff1f0c", "parentcaller": "0x7ff77100f391", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "C:\\Windows\\System32\\mswsock.dll" }, { "name": "BaseAddress", "value": "0x7ffee0260000" } ], "repeated": 0, "id": 391 }, { "timestamp": "2025-11-19 20:24:37,845", "thread_id": "2480", "caller": "0x7ff770ff1f0c", "parentcaller": "0x7ff77100f391", "category": "network", "api": "socket", "status": true, "return": "0x00000250", "arguments": [ { "name": "af", "value": "23", "pretty_value": "AF_INET6" }, { "name": "type", "value": "1", "pretty_value": "SOCK_STREAM" }, { "name": "protocol", "value": "0" }, { "name": "socket", "value": "592" } ], "repeated": 0, "id": 392 }, { "timestamp": "2025-11-19 20:24:37,845", "thread_id": "2480", "caller": "0x7ff770ff1f4b", "parentcaller": "0x7ff77100f391", "category": "network", "api": "closesocket", "status": true, "return": "0x00000000", "arguments": [ { "name": "socket", "value": "592" } ], "repeated": 0, "id": 393 }, { "timestamp": "2025-11-19 20:24:37,860", "thread_id": "2480", "caller": "0x7ff771005124", "parentcaller": "0x7ff77100f396", "category": "misc", "api": "GetSystemInfo", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 394 }, { "timestamp": "2025-11-19 20:24:37,860", "thread_id": "2480", "caller": "0x7ff770ff4739", "parentcaller": "0x7ff77100f3a0", "category": "filesystem", "api": "NtCreateFile", "status": false, "return": "0xffffffffc0000008", "pretty_return": "INVALID_HANDLE", "arguments": [ { "name": "FileHandle", "value": "0x00000018" }, { "name": "DesiredAccess", "value": "0xc0100080", "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "\\??\\CONOUT$" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "2", "pretty_value": "FILE_SHARE_WRITE" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "no" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 395 }, { "timestamp": "2025-11-19 20:24:37,860", "thread_id": "2480", "caller": "0x7ff770ff47eb", "parentcaller": "0x7ff77100f3a0", "category": "filesystem", "api": "NtCreateFile", "status": false, "return": "0xffffffffc0000008", "pretty_return": "INVALID_HANDLE", "arguments": [ { "name": "FileHandle", "value": "0x00000018" }, { "name": "DesiredAccess", "value": "0xc0100080", "pretty_value": "GENERIC_READ|GENERIC_WRITE|FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "\\??\\CONIN$" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "1", "pretty_value": "FILE_SHARE_READ" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "no" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 396 }, { "timestamp": "2025-11-19 20:24:37,860", "thread_id": "2480", "caller": "0x7ff77100ef63", "parentcaller": "0x7ff76f63650d", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106ada3000" }, { "name": "RegionSize", "value": "0x00003000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 397 }, { "timestamp": "2025-11-19 20:24:37,860", "thread_id": "2480", "caller": "0x7ff770ff1be8", "parentcaller": "0x7ff76db494b7", "category": "system", "api": "GetSystemTimeAsFileTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 398 }, { "timestamp": "2025-11-19 20:24:37,860", "thread_id": "2480", "caller": "0x7ff76d61b171", "parentcaller": "0x7ff7724a78d2", "category": "misc", "api": "GetCommandLineW", "status": true, "return": "0x2106ad62190", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Temp\\vesktop.exe\" " } ], "repeated": 0, "id": 399 }, { "timestamp": "2025-11-19 20:24:37,860", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777829268", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\System32\\SHELL32" }, { "name": "DllBase", "value": "0x7ffee2330000" } ], "repeated": 0, "id": 400 }, { "timestamp": "2025-11-19 20:24:37,876", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777829268", "category": "system", "api": "NtQuerySystemTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 3, "id": 401 }, { "timestamp": "2025-11-19 20:24:37,876", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777829268", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "SHELL32.dll" }, { "name": "BaseAddress", "value": "0x7ffee2330000" } ], "repeated": 0, "id": 402 }, { "timestamp": "2025-11-19 20:24:37,876", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777829268", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee2330000", "arguments": [ { "name": "lpLibFileName", "value": "SHELL32.dll" }, { "name": "dwFlags", "value": "0x00000000" } ], "repeated": 0, "id": 403 }, { "timestamp": "2025-11-19 20:24:37,876", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777829268", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2330000" }, { "name": "FunctionName", "value": "CommandLineToArgvW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee23de640" } ], "repeated": 0, "id": 404 }, { "timestamp": "2025-11-19 20:24:37,876", "thread_id": "2480", "caller": "0x7ff76d61b17d", "parentcaller": "0x7ff7724a78d2", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee2a57000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 405 }, { "timestamp": "2025-11-19 20:24:37,891", "thread_id": "2480", "caller": "0x7ff76d61b17d", "parentcaller": "0x7ff7724a78d2", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee2a57000" }, { "name": "ModuleName", "value": "SHELL32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 406 }, { "timestamp": "2025-11-19 20:24:37,891", "thread_id": "2480", "caller": "0x7ff76d61b17d", "parentcaller": "0x7ff7724a78d2", "category": "misc", "api": "CommandLineToArgvW", "status": true, "return": "0x2106ad89e80", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Temp\\vesktop.exe\" " }, { "name": "NumArgs", "value": "1" } ], "repeated": 0, "id": 407 }, { "timestamp": "2025-11-19 20:24:37,891", "thread_id": "2480", "caller": "0x7ff76f5f01b3", "parentcaller": "0x7ff76d61b192", "category": "misc", "api": "GetCommandLineW", "status": true, "return": "0x2106ad62190", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Temp\\vesktop.exe\" " } ], "repeated": 0, "id": 408 }, { "timestamp": "2025-11-19 20:24:37,891", "thread_id": "2480", "caller": "0x7ff76f5f0293", "parentcaller": "0x7ff76f5f01d6", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "api-ms-win-downlevel-shell32-l1-1-0.dll" }, { "name": "BaseAddress", "value": "0x7ffee1880000" } ], "repeated": 0, "id": 409 }, { "timestamp": "2025-11-19 20:24:37,891", "thread_id": "2480", "caller": "0x7ff76f5f0293", "parentcaller": "0x7ff76f5f01d6", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee1880000", "arguments": [ { "name": "lpLibFileName", "value": "api-ms-win-downlevel-shell32-l1-1-0.dll" }, { "name": "dwFlags", "value": "0x00000800" } ], "repeated": 0, "id": 410 }, { "timestamp": "2025-11-19 20:24:37,891", "thread_id": "2480", "caller": "0x7ff76f5f02b1", "parentcaller": "0x7ff76f5f01d6", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "shcore.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1880000" }, { "name": "FunctionName", "value": "CommandLineToArgvW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee189eb30" } ], "repeated": 0, "id": 411 }, { "timestamp": "2025-11-19 20:24:37,891", "thread_id": "2480", "caller": "0x7ff76f5f02c4", "parentcaller": "0x7ff76f5f01d6", "category": "misc", "api": "CommandLineToArgvW", "status": true, "return": "0x2106ad89dc0", "arguments": [ { "name": "CommandLine", "value": "\"C:\\Temp\\vesktop.exe\" " }, { "name": "NumArgs", "value": "1" } ], "repeated": 0, "id": 412 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff7724ede03", "parentcaller": "0x7ff7724bfd27", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x2106ada6000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 413 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000140000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 414 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000125000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 415 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff7748619f6", "parentcaller": "0x7ff76d61b24e", "category": "filesystem", "api": "NtCreateFile", "status": false, "return": "0xffffffffc0000008", "pretty_return": "INVALID_HANDLE", "arguments": [ { "name": "FileHandle", "value": "0x7ff7797528f8" }, { "name": "DesiredAccess", "value": "0x0012019f", "pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_WRITE" }, { "name": "FileName", "value": "\\Device\\ConDrv\\Connect" }, { "name": "CreateDisposition", "value": "2", "pretty_value": "FILE_CREATE" }, { "name": "ShareAccess", "value": "7", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "no" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 416 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff771ded732", "parentcaller": "0x7ff76f561834", "category": "misc", "api": "NtQuerySystemInformation", "status": true, "return": "0x00000000", "arguments": [ { "name": "SystemInformationClass", "value": "0", "pretty_value": "FILE_SUPERSEDE" } ], "repeated": 0, "id": 417 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff771ded732", "parentcaller": "0x7ff76f561834", "category": "misc", "api": "NtQuerySystemInformation", "status": true, "return": "0x00000000", "arguments": [ { "name": "SystemInformationClass", "value": "1", "pretty_value": "FILE_OPEN" } ], "repeated": 0, "id": 418 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrLoadDll", "status": true, "return": "0x00000000", "arguments": [ { "name": "Flags", "value": "0x00000000" }, { "name": "FileName", "value": "ADVAPI32.dll" }, { "name": "BaseAddress", "value": "0x7ffee2b50000" } ], "repeated": 0, "id": 419 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff7724a5bcb", "parentcaller": "0x7ff777828929", "category": "system", "api": "LoadLibraryExW", "status": true, "return": "0x7ffee2b50000", "arguments": [ { "name": "lpLibFileName", "value": "ADVAPI32.dll" }, { "name": "dwFlags", "value": "0x00000000" } ], "repeated": 0, "id": 420 }, { "timestamp": "2025-11-19 20:24:37,907", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "RegOpenKeyExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b66180" } ], "repeated": 0, "id": 421 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff76f5600dc", "parentcaller": "0x7ff76f55747b", "category": "registry", "api": "RegOpenKeyExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Registry", "value": "0x80000002", "pretty_value": "HKEY_LOCAL_MACHINE" }, { "name": "SubKey", "value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" }, { "name": "Handle", "value": "0x000002a4" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" } ], "repeated": 0, "id": 422 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "RegQueryValueExW" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b66160" } ], "repeated": 0, "id": 423 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff76f56063d", "parentcaller": "0x7ff76f5575d0", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002a4" }, { "name": "ValueName", "value": "UBR" }, { "name": "Data", "value": "3803" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR" } ], "repeated": 0, "id": 424 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff76f560705", "parentcaller": "0x7ff76f5575ea", "category": "registry", "api": "RegQueryValueExW", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002a4" }, { "name": "ValueName", "value": "DisplayVersion" }, { "name": "Data", "value": "22H2" }, { "name": "FullName", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion" } ], "repeated": 0, "id": 425 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "RegCloseKey" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b66930" } ], "repeated": 0, "id": 426 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff76f560146", "parentcaller": "0x7ff76f5574f3", "category": "registry", "api": "RegCloseKey", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002a4" } ], "repeated": 0, "id": 427 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff76f557cce", "parentcaller": "0x7ff76f557560", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "kernel32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1660000" } ], "repeated": 0, "id": 428 }, { "timestamp": "2025-11-19 20:24:37,923", "thread_id": "2480", "caller": "0x7ff76f557cde", "parentcaller": "0x7ff76f557560", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "KERNEL32.DLL" }, { "name": "ModuleHandle", "value": "0x7ffee1660000" }, { "name": "FunctionName", "value": "IsWow64Process2" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee11070e0" } ], "repeated": 0, "id": 429 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff76f56d6af", "parentcaller": "0x7ff76f56186c", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\system32\\uxtheme.dll" }, { "name": "ModuleHandle", "value": "0x7ffede5b0000" } ], "repeated": 0, "id": 430 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff76f56187f", "parentcaller": "0x7ff76f5618dc", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "uxtheme.dll" }, { "name": "ModuleHandle", "value": "0x7ffede5b0000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "135" }, { "name": "FunctionAddress", "value": "0x7ffede5d53b0" } ], "repeated": 0, "id": 431 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff76f561899", "parentcaller": "0x7ff76f5618dc", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "uxtheme.dll" }, { "name": "ModuleHandle", "value": "0x7ffede5b0000" }, { "name": "FunctionName", "value": "" }, { "name": "Ordinal", "value": "133" }, { "name": "FunctionAddress", "value": "0x7ffede5d5280" } ], "repeated": 0, "id": 432 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "OpenProcessToken" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b66ac0" } ], "repeated": 0, "id": 433 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff76f561ba4", "parentcaller": "0x7ff76f6de680", "category": "process", "api": "NtOpenProcessToken", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "DesiredAccess", "value": "0x000a0008" }, { "name": "TokenHandle", "value": "0x000002a4" } ], "repeated": 0, "id": 434 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "GetSecurityInfo" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b671a0" } ], "repeated": 0, "id": 435 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtSetInformationProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessInformationClass", "value": "93" }, { "name": "ProcessInformation", "value": "\\x7f7\\x9e}" } ], "repeated": 0, "id": 436 }, { "timestamp": "2025-11-19 20:24:37,938", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtOpenSection", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "SectionHandle", "value": "0x00000000" }, { "name": "DesiredAccess", "value": "0x0000000d" }, { "name": "ObjectAttributes", "value": "ntmarta.dll" } ], "repeated": 0, "id": 437 }, { "timestamp": "2025-11-19 20:24:37,954", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "filesystem", "api": "NtQueryAttributesFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\System32\\ntmarta.dll" } ], "repeated": 0, "id": 438 }, { "timestamp": "2025-11-19 20:24:37,954", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "filesystem", "api": "NtOpenFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002a8" }, { "name": "DesiredAccess", "value": "0x00100021", "pretty_value": "FILE_READ_ACCESS|FILE_EXECUTE|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ntmarta.dll" }, { "name": "ShareAccess", "value": "5", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE" } ], "repeated": 0, "id": 439 }, { "timestamp": "2025-11-19 20:24:37,954", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtCreateSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000002ac" }, { "name": "DesiredAccess", "value": "0x0000000d", "pretty_value": "SECTION_QUERY|SECTION_MAP_READ|SECTION_MAP_EXECUTE" }, { "name": "ObjectAttributes", "value": "" }, { "name": "FileHandle", "value": "0x000002a8" }, { "name": "FileName", "value": "C:\\Windows\\System32\\ntmarta.dll" } ], "repeated": 0, "id": 440 }, { "timestamp": "2025-11-19 20:24:37,954", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtMapViewOfSection", "status": true, "return": "0x00000000", "arguments": [ { "name": "SectionHandle", "value": "0x000002ac" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfcb0000" }, { "name": "SectionOffset", "value": "0x00000000" }, { "name": "ViewSize", "value": "0x00033000" }, { "name": "Win32Protect", "value": "0x00000080", "pretty_value": "PAGE_EXECUTE_WRITECOPY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 441 }, { "timestamp": "2025-11-19 20:24:37,954", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfce0000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 442 }, { "timestamp": "2025-11-19 20:24:37,970", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfcd4000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 443 }, { "timestamp": "2025-11-19 20:24:37,970", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfcd4000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 444 }, { "timestamp": "2025-11-19 20:24:37,970", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfcd4000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 445 }, { "timestamp": "2025-11-19 20:24:37,970", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfcd4000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 446 }, { "timestamp": "2025-11-19 20:24:37,970", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfcd4000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 447 }, { "timestamp": "2025-11-19 20:24:37,970", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002ac" } ], "repeated": 0, "id": 448 }, { "timestamp": "2025-11-19 20:24:37,970", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002a8" } ], "repeated": 0, "id": 449 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffedfcd4000" }, { "name": "ModuleName", "value": "ntmarta.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 450 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "system", "api": "DllLoadNotification", "status": true, "return": "0x00000000", "arguments": [ { "name": "NotificationReason", "value": "load" }, { "name": "DllName", "value": "C:\\Windows\\SYSTEM32\\ntmarta" }, { "name": "DllBase", "value": "0x7ffedfcb0000" } ], "repeated": 0, "id": 451 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "system", "api": "LdrpCallInitRoutine", "status": true, "return": "0x00000001", "arguments": [ { "name": "MappedPath", "value": "\\Device\\HarddiskVolume2\\Windows\\System32\\ntmarta" }, { "name": "BaseAddress", "value": "0x7ffedfcb0000" }, { "name": "InitRoutine", "value": "0x7ffedfcb6930" }, { "name": "Reason", "value": "1" } ], "repeated": 0, "id": 452 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee2bfb000" }, { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "OldAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 453 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff76f55e280", "parentcaller": "0x7ff76f6dc5da", "category": "process", "api": "NtProtectVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x7ffee2bfb000" }, { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "NumberOfBytesProtected", "value": "0x00001000" }, { "name": "MemoryType", "value": "0x00000000" }, { "name": "NewAccessProtection", "value": "0x00000002", "pretty_value": "PAGE_READONLY" }, { "name": "OldAccessProtection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 454 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "IsValidSecurityDescriptor" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b812b0" } ], "repeated": 0, "id": 455 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "GetSecurityDescriptorControl" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b6bda0" } ], "repeated": 0, "id": 456 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "GetSecurityDescriptorOwner" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b6d3b0" } ], "repeated": 0, "id": 457 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "GetSecurityDescriptorGroup" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b6bec0" } ], "repeated": 0, "id": 458 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "GetSecurityDescriptorDacl" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b67950" } ], "repeated": 0, "id": 459 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "GetSecurityDescriptorSacl" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b6bea0" } ], "repeated": 0, "id": 460 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "IsValidAcl" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b81290" } ], "repeated": 0, "id": 461 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "GetAce" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b6b030" } ], "repeated": 0, "id": 462 }, { "timestamp": "2025-11-19 20:24:37,985", "thread_id": "2480", "caller": "0x7ff7724a5ca5", "parentcaller": "0x7ff777828929", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ADVAPI32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee2b50000" }, { "name": "FunctionName", "value": "SetSecurityInfo" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee2b66f60" } ], "repeated": 0, "id": 463 }, { "timestamp": "2025-11-19 20:24:38,001", "thread_id": "2480", "caller": "0x7ff771ded8c2", "parentcaller": "0x7ff771ded96d", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "vesktop.exe" }, { "name": "ModuleHandle", "value": "0x7ff76d410000" }, { "name": "FunctionName", "value": "GetHandleVerifier" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ff76f55f5a0" } ], "repeated": 0, "id": 464 }, { "timestamp": "2025-11-19 20:24:38,001", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900014c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 465 }, { "timestamp": "2025-11-19 20:24:38,001", "thread_id": "2480", "caller": "0x7ff771ded93e", "parentcaller": "0x7ff76f561b48", "category": "system", "api": "NtClose", "status": true, "return": "0x00000000", "arguments": [ { "name": "Handle", "value": "0x000002a4" } ], "repeated": 0, "id": 466 }, { "timestamp": "2025-11-19 20:24:38,001", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900015c000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 467 }, { "timestamp": "2025-11-19 20:24:38,001", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000a7000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 468 }, { "timestamp": "2025-11-19 20:24:38,001", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 469 }, { "timestamp": "2025-11-19 20:24:38,016", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000d4000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 470 }, { "timestamp": "2025-11-19 20:24:38,016", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000fc000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 471 }, { "timestamp": "2025-11-19 20:24:38,016", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000140000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 472 }, { "timestamp": "2025-11-19 20:24:38,016", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 473 }, { "timestamp": "2025-11-19 20:24:38,016", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 474 }, { "timestamp": "2025-11-19 20:24:38,016", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 475 }, { "timestamp": "2025-11-19 20:24:38,016", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 476 }, { "timestamp": "2025-11-19 20:24:38,032", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 477 }, { "timestamp": "2025-11-19 20:24:38,032", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 478 }, { "timestamp": "2025-11-19 20:24:38,032", "thread_id": "2480", "caller": "0x7ff76f603a80", "parentcaller": "0x7ff76f5ffedb", "category": "process", "api": "NtFreeVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000c0000" }, { "name": "RegionSize", "value": "0x00010000" }, { "name": "FreeType", "value": "0x00004000" } ], "repeated": 0, "id": 479 }, { "timestamp": "2025-11-19 20:24:38,032", "thread_id": "2480", "caller": "0x7ff76f56d498", "parentcaller": "0x7ff76f56d3b4", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\system32\\ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" } ], "repeated": 0, "id": 480 }, { "timestamp": "2025-11-19 20:24:38,032", "thread_id": "2480", "caller": "0x7ff76f9add18", "parentcaller": "0x7ff76f9ade55", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "LdrLockLoaderLock" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee34ed110" } ], "repeated": 0, "id": 481 }, { "timestamp": "2025-11-19 20:24:38,048", "thread_id": "2480", "caller": "0x7ff76f9add2e", "parentcaller": "0x7ff76f9ade55", "category": "system", "api": "LdrGetProcedureAddressForCaller", "status": true, "return": "0x00000000", "arguments": [ { "name": "ModuleName", "value": "ntdll.dll" }, { "name": "ModuleHandle", "value": "0x7ffee3470000" }, { "name": "FunctionName", "value": "LdrUnlockLoaderLock" }, { "name": "Ordinal", "value": "0" }, { "name": "FunctionAddress", "value": "0x7ffee34edf80" } ], "repeated": 0, "id": 482 }, { "timestamp": "2025-11-19 20:24:38,048", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b90000fc000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 483 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2480", "caller": "0x7ff76f564e00", "parentcaller": "0x7ff76f58fa45", "category": "threading", "api": "NtCreateThreadEx", "status": true, "return": "0x00000000", "arguments": [ { "name": "ThreadHandle", "value": "0x000002d8" }, { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "StartAddress", "value": "0x7ff76f565200" }, { "name": "Parameter", "value": "0x4b90001250a0" }, { "name": "CreateFlags", "value": "0x00000001" }, { "name": "ThreadId", "value": "2596" }, { "name": "ProcessId", "value": "3228" }, { "name": "Module", "value": "vesktop.exe" } ], "repeated": 0, "id": 484 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2480", "caller": "0x7ff76f564e00", "parentcaller": "0x7ff76f58fa45", "category": "threading", "api": "CreateRemoteThreadEx", "status": true, "return": "0x000002d8", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "StartRoutine", "value": "0x7ff76f565200" }, { "name": "Parameter", "value": "0x4b90001250a0" }, { "name": "CreationFlags", "value": "0x00000000" }, { "name": "ThreadId", "value": "2596" }, { "name": "ProcessId", "value": "3228" } ], "repeated": 0, "id": 485 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2596", "caller": "0x7ffee34e507d", "parentcaller": "0x7ffee34e4c43", "category": "threading", "api": "NtTestAlert", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 486 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2596", "caller": "0x7ff76f565286", "parentcaller": "0x00000000", "category": "system", "api": "NtDuplicateObject", "status": true, "return": "0x00000000", "arguments": [ { "name": "SourceProcessHandle", "value": "0xffffffff" }, { "name": "SourceHandle", "value": "0xfffffffe" }, { "name": "TargetProcessHandle", "value": "0xffffffff" }, { "name": "TargetHandle", "value": "0x000002e0" }, { "name": "Options", "value": "0x00000002" } ], "repeated": 0, "id": 487 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2480", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000168000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 488 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2596", "caller": "0x7ff76f60350c", "parentcaller": "0x7ff76f60155e", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000201000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 489 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2480", "caller": "0x7ff76f56d6af", "parentcaller": "0x7ff76f5598ac", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "C:\\Windows\\system32\\user32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1f70000" } ], "repeated": 0, "id": 490 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2596", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000204000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 491 }, { "timestamp": "2025-11-19 20:24:38,095", "thread_id": "2596", "caller": "0x7ff76f564cf2", "parentcaller": "0x7ff76f58ff4a", "category": "system", "api": "LdrGetDllHandle", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileName", "value": "Kernel32.dll" }, { "name": "ModuleHandle", "value": "0x7ffee1660000" } ], "repeated": 0, "id": 492 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2480", "caller": "0x7ff76f574b11", "parentcaller": "0x7ff76f5ebb63", "category": "filesystem", "api": "NtCreateFile", "status": false, "return": "0xffffffffc0000034", "pretty_return": "OBJECT_NAME_NOT_FOUND", "arguments": [ { "name": "FileHandle", "value": "0x4b56ffef90" }, { "name": "DesiredAccess", "value": "0x80100080", "pretty_value": "GENERIC_READ|FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Temp\\icudtl.dat" }, { "name": "CreateDisposition", "value": "1", "pretty_value": "FILE_OPEN" }, { "name": "ShareAccess", "value": "7", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE" }, { "name": "FileAttributes", "value": "0x00000000" }, { "name": "ExistedBefore", "value": "no" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 493 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2480", "caller": "0x7ff76f5e0cf3", "parentcaller": "0x7ff76f5e0b81", "category": "system", "api": "GetLocalTime", "status": true, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 494 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2596", "caller": "0x7ff76f564c6d", "parentcaller": "0x7ff76f58ff4a", "category": "system", "api": "IsDebuggerPresent", "status": false, "return": "0x00000000", "arguments": [], "repeated": 0, "id": 495 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2480", "caller": "0x7ff7724c8abe", "parentcaller": "0x7ff7724c8370", "category": "filesystem", "api": "NtWriteFile", "status": false, "return": "0xffffffffc0000008", "pretty_return": "INVALID_HANDLE", "arguments": [ { "name": "FileHandle", "value": "0xfffffffe" }, { "name": "HandleName", "value": "" }, { "name": "Buffer", "value": "" }, { "name": "Length", "value": "0" } ], "repeated": 0, "id": 496 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2480", "caller": "0x7ff76f5e076a", "parentcaller": "0x7ff76f5e15a0", "category": "filesystem", "api": "NtCreateFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002e4" }, { "name": "DesiredAccess", "value": "0x00100084", "pretty_value": "FILE_APPEND_DATA|FILE_READ_ATTRIBUTES|SYNCHRONIZE" }, { "name": "FileName", "value": "C:\\Temp\\debug.log" }, { "name": "CreateDisposition", "value": "3", "pretty_value": "FILE_OPEN_IF" }, { "name": "ShareAccess", "value": "3", "pretty_value": "FILE_SHARE_READ|FILE_SHARE_WRITE" }, { "name": "FileAttributes", "value": "0x00000080", "pretty_value": "FILE_ATTRIBUTE_NORMAL" }, { "name": "ExistedBefore", "value": "no" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 497 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2596", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b9000169000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 498 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2480", "caller": "0x7ff76f5e15eb", "parentcaller": "0x7ff76f5e106b", "category": "filesystem", "api": "NtWriteFile", "status": true, "return": "0x00000000", "arguments": [ { "name": "FileHandle", "value": "0x000002e4" }, { "name": "HandleName", "value": "C:\\Temp\\debug.log" }, { "name": "Buffer", "value": "[1119/232438.116:ERROR:base\\i18n\\icu_util.cc:223] Invalid file descriptor to ICU data received.\n" }, { "name": "Length", "value": "96" } ], "repeated": 0, "id": 499 }, { "timestamp": "2025-11-19 20:24:38,110", "thread_id": "2596", "caller": "0x7ff76f603a61", "parentcaller": "0x7ff76f600f41", "category": "process", "api": "NtAllocateVirtualMemory", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "BaseAddress", "value": "0x4b900016a000" }, { "name": "RegionSize", "value": "0x00001000" }, { "name": "Protection", "value": "0x00000004", "pretty_value": "PAGE_READWRITE" }, { "name": "StackPivoted", "value": "no" } ], "repeated": 0, "id": 500 }, { "timestamp": "2025-11-19 20:24:38,126", "thread_id": "2480", "caller": "0x7ffee34c26d2", "parentcaller": "0x00000000", "category": "process", "api": "NtTerminateProcess", "status": true, "return": "0x00000000", "arguments": [ { "name": "ProcessHandle", "value": "0xffffffff" }, { "name": "ExitCode", "value": "0x80000003" } ], "repeated": 0, "id": 501 } ], "threads": [ "2480", "2964", "3728", "2596" ], "environ": { "UserName": "Admin", "ComputerName": "HOME-PC", "WindowsPath": "C:\\Windows", "TempPath": "C:\\Temp\\", "CommandLine": "\"C:\\Temp\\vesktop.exe\" ", "RegisteredOwner": "", "RegisteredOrganization": "", "ProductName": "", "SystemVolumeSerialNumber": "a0c0-2cc3", "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000", "MachineGUID": "", "MainExeBase": "0x7ff76d410000", "MainExeSize": "0x0cce3000", "Bitness": "64-bit" }, "file_activities": { "read_files": [], "write_files": [], "delete_files": [] } } ], "anomaly": [], "processtree": [ { "name": "vesktop.exe", "pid": 3228, "parent_id": 2872, "module_path": "C:\\Temp\\vesktop.exe", "children": [], "threads": [ "2480", "2964", "3728", "2596" ], "environ": { "UserName": "Admin", "ComputerName": "HOME-PC", "WindowsPath": "C:\\Windows", "TempPath": "C:\\Temp\\", "CommandLine": "\"C:\\Temp\\vesktop.exe\" ", "RegisteredOwner": "", "RegisteredOrganization": "", "ProductName": "", "SystemVolumeSerialNumber": "a0c0-2cc3", "SystemVolumeGUID": "2d3f192c-0000-0000-0000-300300000000", "MachineGUID": "", "MainExeBase": "0x7ff76d410000", "MainExeSize": "0x0cce3000", "Bitness": "64-bit" } } ], "summary": { "files": [ "\\Device\\CNG", "C:\\Windows\\System32\\ru-RU\\mswsock.dll.mui", "C:\\Windows\\System32\\ru-RU\\wshqos.dll.mui", "\\??\\CONOUT$", "\\??\\CONIN$", "\\Device\\ConDrv\\Connect", "C:\\Windows\\System32\\ntmarta.dll", "C:\\Temp\\icudtl.dat", "C:\\Temp\\debug.log" ], "read_files": [], "write_files": [ "\\??\\CONOUT$", "\\??\\CONIN$", "\\Device\\ConDrv\\Connect", "C:\\Temp\\debug.log" ], "delete_files": [], "keys": [ "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\Cryptography\\Configuration", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectWrite", "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\ru-RU", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion" ], "read_keys": [ "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion" ], "write_keys": [], "delete_keys": [], "executed_commands": [], "resolved_apis": [], "mutexes": [], "created_services": [], "started_services": [] }, "enhanced": [ { "event": "read", "object": "registry", "timestamp": "2025-11-19 20:24:28,423", "eid": 1, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-19 20:24:28,423", "eid": 2, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled", "content": "0" } }, { "event": "read", "object": "registry", "timestamp": "2025-11-19 20:24:28,423", "eid": 3, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy", "content": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-19 20:24:28,423", "eid": 4, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled", "content": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:36,766", "eid": 5, "data": { "file": "bcryptprimitives.dll", "pathtofile": null, "moduleaddress": "0x7ffee1390000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:36,766", "eid": 6, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,376", "eid": 7, "data": { "file": "api-ms-win-core-synch-l1-2-0", "pathtofile": null, "moduleaddress": "0x7ffee1090000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,376", "eid": 8, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,376", "eid": 9, "data": { "file": "api-ms-win-core-fibers-l1-1-1", "pathtofile": null, "moduleaddress": "0x7ffee1090000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,376", "eid": 10, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,391", "eid": 11, "data": { "file": "api-ms-win-core-fibers-l1-1-2", "pathtofile": null, "moduleaddress": "0x7ffee1090000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,391", "eid": 12, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,391", "eid": 13, "data": { "file": "bcryptprimitives.dll", "pathtofile": null, "moduleaddress": "0x7ffee1390000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,391", "eid": 14, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,407", "eid": 15, "data": { "file": "api-ms-win-core-localization-l1-2-1", "pathtofile": null, "moduleaddress": "0x7ffee1090000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,407", "eid": 16, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,454", "eid": 17, "data": { "file": "kernel32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,454", "eid": 18, "data": { "file": "kernel32", "pathtofile": null, "moduleaddress": "0x7ffee1660000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,454", "eid": 19, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,470", "eid": 20, "data": { "file": "api-ms-win-core-string-l1-1-0", "pathtofile": null, "moduleaddress": "0x7ffee1090000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,470", "eid": 21, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,470", "eid": 22, "data": { "file": "api-ms-win-core-datetime-l1-1-1", "pathtofile": null, "moduleaddress": "0x7ffee1090000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,470", "eid": 23, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,501", "eid": 24, "data": { "file": "api-ms-win-core-localization-obsolete-l1-2-0", "pathtofile": null, "moduleaddress": "0x7ffee1090000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,501", "eid": 25, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,657", "eid": 26, "data": { "file": "ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,673", "eid": 27, "data": { "file": "powrprof.dll", "pathtofile": null, "moduleaddress": "0x7ffee09f0000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,673", "eid": 28, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,688", "eid": 29, "data": { "file": "user32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,688", "eid": 30, "data": { "file": "ws2_32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,688", "eid": 31, "data": { "file": "api-ms-win-core-file-l2-1-4.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,688", "eid": 32, "data": { "file": "USER32.dll", "pathtofile": null, "moduleaddress": "0x7ffee1f70000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,688", "eid": 33, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,704", "eid": 34, "data": { "file": "C:\\Windows\\System32\\uxtheme.dll", "pathtofile": null, "moduleaddress": "0x7ffede5b0000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,720", "eid": 35, "data": { "file": "C:\\Windows\\System32\\mswsock.dll", "pathtofile": null, "moduleaddress": "0x7ffee0260000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,735", "eid": 36, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,751", "eid": 37, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,766", "eid": 38, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,766", "eid": 39, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,782", "eid": 40, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,813", "eid": 41, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,829", "eid": 42, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,845", "eid": 43, "data": { "file": "C:\\Windows\\System32\\mswsock.dll", "pathtofile": null, "moduleaddress": "0x7ffee0260000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,876", "eid": 44, "data": { "file": "SHELL32.dll", "pathtofile": null, "moduleaddress": "0x7ffee2330000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,876", "eid": 45, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,891", "eid": 46, "data": { "file": "api-ms-win-downlevel-shell32-l1-1-0.dll", "pathtofile": null, "moduleaddress": "0x7ffee1880000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,891", "eid": 47, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,907", "eid": 48, "data": { "file": "ADVAPI32.dll", "pathtofile": null, "moduleaddress": "0x7ffee2b50000" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,907", "eid": 49, "data": { "file": null, "pathtofile": null, "moduleaddress": null } }, { "event": "read", "object": "registry", "timestamp": "2025-11-19 20:24:37,923", "eid": 50, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\UBR", "content": "3803" } }, { "event": "read", "object": "registry", "timestamp": "2025-11-19 20:24:37,923", "eid": 51, "data": { "regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DisplayVersion", "content": "22H2" } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,923", "eid": 52, "data": { "file": "kernel32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:37,938", "eid": 53, "data": { "file": "C:\\Windows\\system32\\uxtheme.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:38,032", "eid": 54, "data": { "file": "C:\\Windows\\system32\\ntdll.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:38,095", "eid": 55, "data": { "file": "C:\\Windows\\system32\\user32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "load", "object": "library", "timestamp": "2025-11-19 20:24:38,095", "eid": 56, "data": { "file": "Kernel32.dll", "pathtofile": null, "moduleaddress": null } }, { "event": "write", "object": "file", "timestamp": "2025-11-19 20:24:38,110", "eid": 57, "data": { "file": "" } }, { "event": "write", "object": "file", "timestamp": "2025-11-19 20:24:38,110", "eid": 58, "data": { "file": "C:\\Temp\\debug.log" } } ], "encryptedbuffers": [] }, "debug": { "log": "2025-11-20 02:02:23,588 [root] INFO: Date set to: 20251119T23:24:15, timeout set to: 200\n2025-11-19 23:24:15,008 [root] DEBUG: Starting analyzer from: C:\\zyzhoky0\n2025-11-19 23:24:15,009 [root] DEBUG: Storing results at: C:\\whfTNdAnp\n2025-11-19 23:24:15,009 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\qfGRSc\n2025-11-19 23:24:15,009 [root] DEBUG: Python path: C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32\n2025-11-19 23:24:15,009 [root] INFO: analysis running as an admin\n2025-11-19 23:24:15,010 [root] INFO: analysis package specified: \"exe\"\n2025-11-19 23:24:15,010 [root] DEBUG: importing analysis package module: \"modules.packages.exe\"...\n2025-11-19 23:24:15,016 [root] DEBUG: imported analysis package \"exe\"\n2025-11-19 23:24:15,016 [root] DEBUG: initializing analysis package \"exe\"...\n2025-11-19 23:24:15,017 [lib.common.common] INFO: wrapping\n2025-11-19 23:24:15,017 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-19 23:24:15,018 [root] DEBUG: New location of moved file: C:\\Temp\\vesktop.exe\n2025-11-19 23:24:15,018 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option\n2025-11-19 23:24:15,018 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option\n2025-11-19 23:24:15,019 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option\n2025-11-19 23:24:15,019 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option\n2025-11-19 23:24:15,037 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2025-11-19 23:24:15,046 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2025-11-19 23:24:15,066 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2025-11-19 23:24:15,090 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.human\"\n2025-11-19 23:24:15,096 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2025-11-19 23:24:15,147 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'\n2025-11-19 23:24:15,150 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'\n2025-11-19 23:24:15,170 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance\n2025-11-19 23:24:15,170 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2025-11-19 23:24:15,176 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2025-11-19 23:24:15,176 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2025-11-19 23:24:15,177 [root] DEBUG: attempting to configure 'Browser' from data\n2025-11-19 23:24:15,179 [root] DEBUG: module Browser does not support data configuration, ignoring\n2025-11-19 23:24:15,179 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2025-11-19 23:24:15,180 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2025-11-19 23:24:15,180 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2025-11-19 23:24:15,181 [root] DEBUG: attempting to configure 'DigiSig' from data\n2025-11-19 23:24:15,182 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2025-11-19 23:24:15,182 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2025-11-19 23:24:15,182 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2025-11-19 23:24:18,583 [modules.auxiliary.digisig] DEBUG: File is not signed\n2025-11-19 23:24:18,584 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2025-11-19 23:24:18,588 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2025-11-19 23:24:18,588 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2025-11-19 23:24:18,588 [root] DEBUG: attempting to configure 'Disguise' from data\n2025-11-19 23:24:18,589 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2025-11-19 23:24:18,589 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2025-11-19 23:24:18,589 [modules.auxiliary.disguise] INFO: Disguising GUID to 13286dca-1aec-469e-88f0-9add975f6f99\n2025-11-19 23:24:18,590 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2025-11-19 23:24:18,590 [root] DEBUG: Initialized auxiliary module \"Human\"\n2025-11-19 23:24:18,590 [root] DEBUG: attempting to configure 'Human' from data\n2025-11-19 23:24:18,590 [root] DEBUG: module Human does not support data configuration, ignoring\n2025-11-19 23:24:18,590 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2025-11-19 23:24:18,592 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2025-11-19 23:24:18,592 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2025-11-19 23:24:18,593 [root] DEBUG: attempting to configure 'Screenshots' from data\n2025-11-19 23:24:18,594 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2025-11-19 23:24:18,594 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2025-11-19 23:24:18,595 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2025-11-19 23:24:18,595 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2025-11-19 23:24:18,595 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2025-11-19 23:24:18,596 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2025-11-19 23:24:18,596 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2025-11-19 23:24:18,598 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608\n2025-11-19 23:24:18,768 [lib.api.process] INFO: Monitor config for : C:\\zyzhoky0\\dll\\608.ini\n2025-11-19 23:24:18,770 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2025-11-19 23:24:18,780 [lib.api.process] INFO: 64-bit DLL to inject is C:\\zyzhoky0\\dll\\qMKFDRL.dll, loader C:\\zyzhoky0\\bin\\BMzKWwqq.exe\n2025-11-19 23:24:18,803 [root] DEBUG: Loader: Injecting process 608 with C:\\zyzhoky0\\dll\\qMKFDRL.dll.\n2025-11-19 23:24:18,826 [root] DEBUG: 608: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:24:18,827 [root] DEBUG: 608: Disabling sleep skipping.\n2025-11-19 23:24:18,828 [root] DEBUG: 608: TLS secret dump mode enabled.\n2025-11-19 23:24:18,863 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:24:18,864 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEC4460000, thread 3816, image base 0x00007FF60EE30000, stack from 0x000000A5F43A2000-0x000000A5F43B0000\n2025-11-19 23:24:18,865 [root] DEBUG: 608: Commandline: C:\\Windows\\system32\\lsass.exe\n2025-11-19 23:24:18,873 [root] DEBUG: 608: Hooked 5 out of 5 functions\n2025-11-19 23:24:18,875 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-19 23:24:18,875 [root] DEBUG: Successfully injected DLL C:\\zyzhoky0\\dll\\qMKFDRL.dll.\n2025-11-19 23:24:18,879 [lib.api.process] INFO: Injected into 64-bit \n2025-11-19 23:24:18,879 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2025-11-19 23:24:21,909 [root] INFO: Restarting WMI Service\n2025-11-19 23:24:24,051 [root] DEBUG: package modules.packages.exe does not support configure, ignoring\n2025-11-19 23:24:24,052 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2025-11-19 23:24:24,053 [lib.core.compound] INFO: C:\\Temp already exists, skipping creation\n2025-11-19 23:24:24,139 [lib.api.process] INFO: Successfully executed process from path \"C:\\Temp\\vesktop.exe\" with arguments \"\" with pid 3228\n2025-11-19 23:24:24,140 [lib.api.process] INFO: Monitor config for : C:\\zyzhoky0\\dll\\3228.ini\n2025-11-19 23:24:24,145 [lib.api.process] INFO: 64-bit DLL to inject is C:\\zyzhoky0\\dll\\qMKFDRL.dll, loader C:\\zyzhoky0\\bin\\BMzKWwqq.exe\n2025-11-19 23:24:24,156 [root] DEBUG: Loader: Injecting process 3228 (thread 2480) with C:\\zyzhoky0\\dll\\qMKFDRL.dll.\n2025-11-19 23:24:24,157 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-19 23:24:24,158 [root] DEBUG: Successfully injected DLL C:\\zyzhoky0\\dll\\qMKFDRL.dll.\n2025-11-19 23:24:24,161 [lib.api.process] INFO: Injected into 64-bit \n2025-11-19 23:24:26,170 [lib.api.process] INFO: Successfully resumed \n2025-11-19 23:24:26,219 [root] DEBUG: 3228: Python path set to 'C:\\Users\\Admin\\AppData\\Local\\Programs\\Python\\Python313-32'.\n2025-11-19 23:24:26,220 [root] DEBUG: 3228: Disabling sleep skipping.\n2025-11-19 23:24:26,222 [root] DEBUG: 3228: Dropped file limit defaulting to 100.\n2025-11-19 23:24:26,249 [root] DEBUG: 3228: YaraInit: Compiled 43 rule files\n2025-11-19 23:24:26,253 [root] DEBUG: 3228: YaraInit: Compiled rules saved to file C:\\zyzhoky0\\data\\yara\\capemon.yac\n2025-11-19 23:24:26,280 [root] DEBUG: 3228: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0\n2025-11-19 23:24:26,282 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:27,302 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:27,303 [root] DEBUG: 3228: Monitor initialised: 64-bit capemon loaded in process 3228 at 0x00007FFEC4460000, thread 2480, image base 0x00007FF76D410000, stack from 0x0000004B56FF2000-0x0000004B57000000\n2025-11-19 23:24:27,304 [root] DEBUG: 3228: Commandline: \"C:\\Temp\\vesktop.exe\"\n2025-11-19 23:24:27,329 [root] DEBUG: 3228: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress\n2025-11-19 23:24:27,381 [root] WARNING: b'Unable to place hook on LockResource'\n2025-11-19 23:24:27,382 [root] DEBUG: 3228: set_hooks: Unable to hook LockResource\n2025-11-19 23:24:27,400 [root] DEBUG: 3228: Hooked 619 out of 620 functions\n2025-11-19 23:24:28,405 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:28,406 [root] DEBUG: 3228: Syscall hook installed, syscall logging level 1\n2025-11-19 23:24:28,420 [root] DEBUG: 3228: RestoreHeaders: Restored original import table.\n2025-11-19 23:24:28,421 [root] INFO: Loaded monitor into process with pid 3228\n2025-11-19 23:24:28,439 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE1390000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2025-11-19 23:24:28,450 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:29,462 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:29,466 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:30,468 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:30,472 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:31,474 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:31,479 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:32,480 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:32,486 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:33,488 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:33,493 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:34,496 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:34,501 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:35,503 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:35,506 [root] DEBUG: 3228: caller_dispatch: Scanning calling region at 0x00007FF76D410000...\n2025-11-19 23:24:35,509 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:36,095 [root] DEBUG: 3228: caller_dispatch: Added region at 0x00007FF76D410000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x00007FF7724F6273, thread 2480).\n2025-11-19 23:24:36,101 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da\n2025-11-19 23:24:36,511 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:36,769 [root] DEBUG: 3228: ProcessImageBase: Main module image at 0x00007FF76D410000 unmodified (entropy change 0.000000e+00)\n2025-11-19 23:24:37,137 [root] DEBUG: 3228: Yara error: Scanning timed out\n2025-11-19 23:24:37,384 [root] DEBUG: 3228: ProcessImageBase: Main module image at 0x00007FF76D410000 unmodified (entropy change 1.496326e-07)\n2025-11-19 23:24:37,689 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE09F0000: C:\\Windows\\SYSTEM32\\powrprof (0x4b000 bytes).\n2025-11-19 23:24:37,691 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE09D0000: C:\\Windows\\SYSTEM32\\UMPDC (0x12000 bytes).\n2025-11-19 23:24:37,712 [root] DEBUG: 3228: DLL loaded at 0x00007FFEDE5B0000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2025-11-19 23:24:37,735 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE0260000: C:\\Windows\\system32\\mswsock (0x6a000 bytes).\n2025-11-19 23:24:37,887 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE2330000: C:\\Windows\\System32\\SHELL32 (0x745000 bytes).\n2025-11-19 23:24:37,993 [root] DEBUG: 3228: DLL loaded at 0x00007FFEDFCB0000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2025-11-19 23:24:38,136 [root] INFO: Added new file to list with pid None and path C:\\Temp\\debug.log\n2025-11-19 23:24:38,138 [root] INFO: Process with pid 3228 has terminated\n2025-11-19 23:24:38,139 [root] DEBUG: 3228: NtTerminateProcess hook: Attempting to dump process 3228\n2025-11-19 23:24:38,844 [root] DEBUG: 3228: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-19 23:24:43,335 [root] INFO: Process list is empty, terminating analysis\n2025-11-19 23:24:44,345 [root] INFO: Created shutdown mutex\n2025-11-19 23:24:45,346 [root] INFO: Shutting down package\n2025-11-19 23:24:45,347 [root] INFO: Stopping auxiliary modules\n2025-11-19 23:24:45,347 [root] INFO: Stopping auxiliary module: Browser\n2025-11-19 23:24:45,347 [root] INFO: Stopping auxiliary module: Human\n2025-11-19 23:24:45,503 [root] INFO: Stopping auxiliary module: Screenshots\n2025-11-19 23:24:46,012 [root] INFO: Finishing auxiliary modules\n2025-11-19 23:24:46,013 [root] INFO: Shutting down pipe server and dumping dropped files\n2025-11-19 23:24:46,015 [lib.common.results] INFO: Uploading file C:\\Temp\\debug.log to files\\bd9b65a7b3f0e16a2382da580fdc1459544ba5c83f8b6447538a4985b1bf2a45; Size is 96; Max size: 100000000\n2025-11-19 23:24:46,026 [root] WARNING: Folder at path \"C:\\whfTNdAnp\\debugger\" does not exist, skipping\n2025-11-19 23:24:46,026 [root] WARNING: Folder at path \"C:\\whfTNdAnp\\tlsdump\" does not exist, skipping\n2025-11-19 23:24:46,029 [root] INFO: Analysis completed\n", "errors": [] }, "network": { "pcap_sha256": "95dfe9f106fc318001c805ad2e189fa11fad430296a9254b3b334b65ce0de5c2", "hosts": [], "domains": [], "tcp": [], "udp": [ { "src": "192.168.1.2", "sport": 60949, "dst": "1.1.1.1", "dport": 53, "offset": 9114, "time": 0.36284804344177246 }, { "src": "192.168.1.2", "sport": 138, "dst": "192.168.1.255", "dport": 138, "offset": 9312, "time": 0.6540279388427734 } ], "icmp": [], "http": [], "dns": [], "smtp": [], "irc": [], "dead_hosts": [] }, "url_analysis": {}, "procmemory": [], "signatures": [ { "name": "antidebug_setunhandledexceptionfilter", "description": "SetUnhandledExceptionFilter detected (possible anti-debug)", "categories": [ "anti-debug" ], "severity": 1, "weight": 1, "confidence": 40, "references": [], "data": [ { "type": "call", "pid": 3228, "cid": 244 } ], "new_data": [], "alert": false, "families": [] }, { "name": "stealth_timeout", "description": "Possible date expiration check, exits too soon after checking local time", "categories": [ "stealth" ], "severity": 1, "weight": 1, "confidence": 40, "references": [], "data": [ { "process": "vesktop.exe, PID 3228" }, { "type": "call", "pid": 3228, "cid": 501 } ], "new_data": [], "alert": false, "families": [] } ], "malscore": 0.0, "ttps": [], "malstatus": null }